From 71c5fe04f1f8eb6a2b455290ee5a6883ee68fd07 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?=
Date: Thu, 24 Jun 2021 18:02:50 +0200
Subject: [PATCH] postfix: disable TLSv1.1

In accordance with https://ssl-config.mozilla.org/#server=postfix.
---
 docs/release-notes.rst | 2 ++
 mail-server/postfix.nix | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index 3cdd5da..f6511ee 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -16,6 +16,8 @@ NixOS 25.05
 (`merge request `__)
 - Configuring ``mailserver.forwards`` is now possible when the setup relies on LDAP.
 (`merge request `__)
+- Support for TLS 1.1 was disabled in accordance with `Mozilla's recommendations `_.
+ (`merge request `__)
 NixOS 24.11
 -----------
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index da06111..d14e6d3 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -270,10 +270,10 @@ in
 smtpd_tls_security_level = "may";
 # Disable obselete protocols
- smtpd_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
- smtp_tls_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
- smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
- smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ smtpd_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ smtp_tls_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ smtpd_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ smtp_tls_mandatory_protocols = "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
 smtp_tls_ciphers = "high";
 smtpd_tls_ciphers = "high";
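Review bot: In the mail-server/postfix.nix hunk, `smtpd_tls_security_level = "may"` sits just above the changed lines, so excluding TLSv1.1 from the non-mandatory `smtpd_tls_protocols` and `smtp_tls_protocols` lists means a peer that only speaks TLS 1.1 or older fails the handshake and may then exchange mail in cleartext instead of over weak TLS. That trade-off deserves a line in the comment so operators know to watch the logs for handshake failures after upgrading, for example `# TLS 1.2+ only; with opportunistic TLS, older peers may fall back to plaintext`, which would also replace the misspelled "obselete". Separately, all four lists now mix explicit includes with `!` exclusions; the Postfix documentation recommends the exclusion-only form, e.g. `smtpd_tls_protocols = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1";`, so that protocol versions added by a newer OpenSSL are not silently left disabled. The surrounding attribute set begins and ends outside this hunk, so the outbound security level is not visible here.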