From 1dc9d3fa2736e5060617ebe9c70cd2c6147a91d0 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock
Date: Thu, 25 Oct 2018 23:37:25 +0200
Subject: [PATCH] [Postfix] Security: Prefer server-side ciphers

Prefer server-side ciphers to prevent client-side cipher downgrade. Already enabled in Dovecot.
---
 data/conf/postfix/main.cf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index c74108e0..47cbc791 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -99,6 +99,7 @@ lmtp_tls_protocols = !SSLv2, !SSLv2, !SSLv3
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtpd_tls_protocols = !SSLv2, !SSLv3
 smtpd_tls_security_level = may
+tls_preempt_cipherlist = yes
 tls_ssl_options = NO_COMPRESSION
 smtpd_tls_mandatory_ciphers = high
 virtual_alias_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_alias_maps.cf,
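Review bot: The new `tls_preempt_cipherlist = yes` only changes which side's ordering wins; the list being ordered for inbound opportunistic sessions (`smtpd_tls_security_level = may`, one line above) is governed by `smtpd_tls_ciphers`, not by `smtpd_tls_mandatory_ciphers = high` two lines below, which Postfix applies to mandatory-TLS sessions only. No `smtpd_tls_ciphers` line is visible in this hunk; if it is not set elsewhere in main.cf, the grade falls back to the Postfix default, which differs between releases. I would pin it next to the new line, e.g. `smtpd_tls_ciphers = medium` (raising it to `high` can push older peers back to plaintext under `may`), and add a comment such as `# server-side cipher order; applies to smtpd only, not the smtp/lmtp clients`.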