Settings for /etc/postfix/main.cf:
# TLS parameters
smtpd_tls_cert_file = /home/frank/ssl/myssl.crt
smtpd_tls_key_file = /home/frank/ssl/myssl.key
smtpd_tls_CAfile = /home/frank/ssl/myssl.ca_bundle
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level = may
smtp_tls_security_level=may
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4, EXPORT, LOW
smtp_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4, EXPORT, LOW
smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5
# Preferred syntax with Postfix ≥ 2.5:
smtpd_tls_mandatory_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
tls_preempt_cipherlist = yesYou can check your configuration using hardenize.com.
