From 4e8fbac5806856eb99166e791ebd929f1f684312 Mon Sep 17 00:00:00 2001
From: Oscar Carlsson <oscar@spindel.tax>
Date: Fri, 21 Jun 2019 11:09:30 +0200
Subject: [PATCH] Disable TLSv1.0 and deprecated ciphers.

TLSv1.0 is as deprecated as the older SSL versions, and should not be
used. I've also disabled a slew of ciphers, and hopefully this will
make us less vulnerable to downgrade attacks and similar.
---
 mail-server/postfix.nix | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index 19f5e52..31c9b61 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -167,20 +167,34 @@ in
         # TLS settings, inspired by https://github.com/jeaye/nix-files
         # Submission by mail clients is handled in submissionOptions
         smtpd_tls_security_level = may
+
         # strong might suffice and is computationally less expensive
         smtpd_tls_eecdh_grade = ultra
-        # Disable predecessors to TLS
-        smtpd_tls_protocols = !SSLv2, !SSLv3
+
+        # Disable obselete protocols
+        smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+        smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+        smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+        smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
+
+        smtp_tls_ciphers = high
+        smtpd_tls_ciphers = high
+        smtp_tls_mandatory_ciphers = high
+        smtpd_tls_mandatory_ciphers = high
+
+        # Disable deprecated ciphers
+        smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+        smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+        smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+        smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
+
+        tls_preempt_cipherlist = yes
+
         # Allowing AUTH on a non encrypted connection poses a security risk
         smtpd_tls_auth_only = yes
         # Log only a summary message on TLS handshake completion
         smtpd_tls_loglevel = 1
 
-        # Disable weak ciphers as reported by https://ssl-tools.net
-        # https://serverfault.com/questions/744168/how-to-disable-rc4-on-postfix
-        smtpd_tls_exclude_ciphers = RC4, aNULL
-        smtp_tls_exclude_ciphers = RC4, aNULL
-
         # Configure a non blocking source of randomness
         tls_random_source = dev:/dev/urandom