From 9abbe7eb1d0b0b5998a8daa2d44bd8dba8e85f55 Mon Sep 17 00:00:00 2001
From: andryyy
Date: Wed, 6 Mar 2019 15:09:28 +0100
Subject: [PATCH] [Postfix] Mandatory protocol for authenticated clients over 587/tcp and 465/tcp is now TLSv1.0+ (reverts previous protocol change for authenticated users only) [Postfix] Force route localhost$ over local:
---
 data/conf/postfix/local_transport | 1 +
 data/conf/postfix/main.cf | 2 +-
 data/conf/postfix/master.cf | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 data/conf/postfix/local_transport
diff --git a/data/conf/postfix/local_transport b/data/conf/postfix/local_transport
new file mode 100644
index 00000000..5d10028c
--- /dev/null
+++ b/data/conf/postfix/local_transport
@@ -0,0 +1 @@
+/localhost$/ local:
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 5bc3daa0..88d905e7 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -138,5 +138,5 @@ smtp_sasl_mechanism_filter = plain, login
 smtp_tls_policy_maps=proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
 smtp_header_checks = pcre:/opt/postfix/conf/anonymize_headers.pcre
 mail_name = Postcow
-transport_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf
+transport_maps = pcre:/opt/postfix/conf/local_transport, proxy:mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf
 smtp_sasl_auth_soft_bounce = no
diff --git a/data/conf/postfix/master.cf b/data/conf/postfix/master.cf
index efc311a5..fcc99717 100644
--- a/data/conf/postfix/master.cf
+++ b/data/conf/postfix/master.cf
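Review bot: The pattern `/localhost$/` in local_transport is anchored only at the end, so it matches any lookup key that merely ends in the string "localhost", not just the host `localhost`. Because the main.cf hunk lists this pcre table ahead of the MySQL transport map, every such recipient is handed to `local:` before the database-managed routes are consulted. If only the literal host is meant, a tighter pattern such as `/@localhost$/` (or `/[@.]localhost$/` if subdomains should follow) states that explicitly; this assumes the table is queried with the full recipient address, which is worth confirming against transport(5). A one-line comment in the map, e.g. `# keep mail for localhost on the local transport, never relay it`, would also record why this override precedes the SQL map.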
@@ -6,11 +6,13 @@ smtpd pass - - n - - smtpd
 smtps inet n - n - - smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+ -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
 -o tls_preempt_cipherlist=yes
 submission inet n - n - - smtpd
 -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 -o smtpd_enforce_tls=yes
 -o smtpd_tls_security_level=encrypt
+ -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
 -o tls_preempt_cipherlist=yes
 588 inet n - n - - smtpd
 -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
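Review bot: The two added `-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3` overrides leave TLSv1.0 and TLSv1.1 enabled on exactly the two services that carry SASL credentials (smtps and submission), and nothing in master.cf records that this is a deliberate compatibility exception. A comment above each service entry, e.g. `# TLSv1.0/1.1 allowed here for legacy submission clients; tighten to !SSLv2,!SSLv3,!TLSv1,!TLSv1.1 when they are gone`, would keep the exception from becoming permanent by default. The `588` service also permits SASL-authenticated clients but gets no matching override in the visible lines; its entry continues past the end of the hunk, so confirm whether it is meant to keep the stricter global setting.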