From 261cddbf8e6c123558a3d35131a199e10f72d21b Mon Sep 17 00:00:00 2001
From: taziden <taziden@flexiden.org>
Date: Fri, 26 Feb 2016 20:25:12 +0100
Subject: [PATCH] hardening postfix tls configuration

---
 data/templates/postfix/main.cf.sed | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/data/templates/postfix/main.cf.sed b/data/templates/postfix/main.cf.sed
index 394e23e0b..c1301f2ec 100644
--- a/data/templates/postfix/main.cf.sed
+++ b/data/templates/postfix/main.cf.sed
@@ -31,16 +31,18 @@ smtpd_tls_auth_only=yes
 smtpd_tls_cert_file=/etc/ssl/certs/yunohost_crt.pem
 smtpd_tls_key_file=/etc/ssl/private/yunohost_key.pem
 smtpd_tls_CAfile = /etc/ssl/certs/ca-yunohost_crt.pem
-smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4
+smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, 3DES
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtpd_tls_loglevel=1
 smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
 smtpd_tls_mandatory_ciphers=high
+smtpd_tls_eecdh_grade = ultra
 
 # -- TLS for outgoing connections
 # Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
 smtp_tls_loglevel=1
 
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for