2 files changed, 6 insertions, 0 deletions

diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 9b81c70..b816223 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -14,6 +14,7 @@ smtp      inet  n       -       n       -       1       postscreen
 tlsproxy  unix  -       -       n       -       0       tlsproxy
 dnsblog   unix  -       -       n       -       0       dnsblog
 submission inet n       -       -       -       -       smtpd
+  -o tls_high_cipherlist=HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
 pickup    fifo  n       -       -       60      1       pickup
 cleanup   unix  n       -       -       -       0       cleanup
 cleanup_nochroot unix n -       n       -       0       cleanup
@@ -43,8 +44,11 @@ anvil     unix  -       -       -       -       1       anvil
 scache    unix  -       -       -       -       1       scache
 127.0.0.1:16132 inet n  -       -       -       -       smtpd
 2525      inet  n       -       -       -       -       smtpd
+  -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
 2526      inet  n       -       -       -       -       smtpd
+  -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
 2527      inet  n       -       -       -       -       smtpd
+  -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
 reserved-alias unix  -  n       n       -       -       pipe
   flags=Rhu user=nobody argv=/usr/local/bin/reserved-alias.pl ${sender} ${original_recipient} @fripost.org
 sympa     unix  -       n       n       -       -       pipe
diff --git a/roles/common/templates/etc/postfix/main.cf.j2 b/roles/common/templates/etc/postfix/main.cf.j2
index 39952c2..3f36418 100644
--- a/roles/common/templates/etc/postfix/main.cf.j2
+++ b/roles/common/templates/etc/postfix/main.cf.j2
@@ -42,6 +42,8 @@ smtp_tls_security_level         = none
 smtp_bind_address               = 127.0.0.1
 {% else %}
 smtp_tls_security_level         = encrypt
+smtp_tls_ciphers                = high
+smtp_tls_protocols              = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtp_tls_exclude_ciphers        = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtp_tls_cert_file              = $config_directory/ssl/{{ ansible_fqdn }}.pem
 smtp_tls_key_file               = $config_directory/ssl/{{ ansible_fqdn }}.key