From 085654a506a7b0262248a5eaddbdfb4466410662 Mon Sep 17 00:00:00 2001
From: nhnn
Date: Thu, 20 Mar 2025 12:32:43 +0300
Subject: [PATCH] fix: make postfix use modern TLS
---
 sp-modules/simple-nixos-mailserver/config.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/sp-modules/simple-nixos-mailserver/config.nix b/sp-modules/simple-nixos-mailserver/config.nix
index 37d5e8a..f3238c9 100644
--- a/sp-modules/simple-nixos-mailserver/config.nix
+++ b/sp-modules/simple-nixos-mailserver/config.nix
@@ -56,6 +56,14 @@ lib.mkIf sp.modules.simple-nixos-mailserver.enable (lib.mkMerge [
 users.groups.acmereceivers.members = [ "dovecot2" "postfix" "virtualMail" ];
+ services.postfix = {
+ config.smtpd_tls_security_level = lib.mkForce "required";
+ config.smtpd_tls_protocols = lib.mkForce "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ config.smtp_tls_protocols = lib.mkForce "TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ config.smtpd_tls_mandatory_protocols = lib.mkForce "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ config.smtp_tls_mandatory_protocols = lib.mkForce "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
+ };
+
 mailserver = {
 enable = true;
 fqdn = sp.domain;
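Review bot: `smtpd_tls_security_level` is set to `"required"`, but the values Postfix documents for this parameter are `none`, `may` and `encrypt`, so the enforcement that takes effect may not be the one intended; check the Postfix log for a warning about the TLS level after deploying. If mandatory TLS is the goal, the line would read `config.smtpd_tls_security_level = lib.mkForce "encrypt";`, keeping in mind that this main.cf setting also covers port 25, where requiring STARTTLS turns away senders that cannot negotiate it. The two `*_tls_mandatory_protocols` lists also still admit `TLSv1.1` while the opportunistic `*_tls_protocols` lists exclude it, which makes the mandatory case the weaker one; using `"TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3"` on both would match the commit title. The enclosing attribute set inside `lib.mkMerge` starts and ends outside the hunk.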