MSA: Update role to Debian Buster.

For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d

At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.

1 files changed, 3 insertions, 3 deletions

diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index 65a0339..a435b0f 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -60,14 +60,14 @@ header_checks  = pcre:$config_directory/anonymize_sender.pcre
 # TLS
 smtp_tls_security_level         = none
 smtpd_tls_security_level        = encrypt
-smtpd_tls_ciphers               = high
-smtpd_tls_protocols             = !SSLv2, !SSLv3
-smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
+smtpd_tls_mandatory_ciphers     = high
+smtpd_tls_mandatory_protocols   = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_cert_file             = $config_directory/ssl/smtp.fripost.org.pem
 smtpd_tls_key_file              = $config_directory/ssl/smtp.fripost.org.key
 smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
 smtpd_tls_session_cache_database=
 smtpd_tls_received_header       = yes
+tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
 # SASL
 smtpd_sasl_auth_enable          = yes