From 31cbd9af1a9afb177b70bccd329829f75bceab03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?=
Date: Tue, 23 Sep 2025 08:02:39 +0200
Subject: [PATCH] fix(postfix): Relax TLS settings to `TLSv1.2`/`medium` for broader SMTP relay compatibility
---
 helmfile/apps/open-xchange/values-postfix.yaml.gotmpl | 6 ++----
 helmfile/apps/services-external/values-postfix.yaml.gotmpl | 6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
index 2f2cd409..a6acfb4f 100644
--- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
@@ -50,10 +50,8 @@ postfix:
 {{- if .Values.apps.dkimpy.enabled }}
 dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
 {{- end }}
-
- minTLSVersion: "TLSv1.3"
- smtpdTLSMandatoryCiphers: "high"
-
+ minTLSVersion: "TLSv1.2"
+ smtpdTLSMandatoryCiphers: "medium"
 rspamdHost: ""
 {{- if .Values.smtp.host }}
 relayHost:
diff --git a/helmfile/apps/services-external/values-postfix.yaml.gotmpl b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
index 4fc41c1b..d4881739 100644
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -72,10 +72,8 @@ postfix:
 # Warning: This setting allows unauthenticated mail relay from relayNets!
 allowRelayNets: true
 relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
-
- minTLSVersion: "TLSv1.3"
- smtpdTLSMandatoryCiphers: "high"
-
+ minTLSVersion: "TLSv1.2"
+ smtpdTLSMandatoryCiphers: "medium"
 smtpSASLAuthEnable: "yes"
 smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
 smtpTLSSecurityLevel: "encrypt"
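Review bot: The key relaxed here, `smtpdTLSMandatoryCiphers`, reads like the server-side (smtpd) cipher grade, while the commit message motivates the change with outbound SMTP relay compatibility, which Postfix configures separately on the smtp client side; if the chart maps this key to `smtpd_tls_mandatory_ciphers` (the template is not visible in this hunk), inbound sessions are weakened without helping the relay path. The same applies to the identical change in helmfile/apps/services-external/values-postfix.yaml.gotmpl. Both values are also hard-coded for every deployment, so installations whose relay already supports TLS 1.3 lose the stricter floor; consider driving them from a deployment value that defaults to the previous `TLSv1.3`/`high`. At minimum record the reason next to the setting, e.g. `# TLSv1.2/medium only for relays lacking TLS 1.3; restore TLSv1.3/high when possible`. The `postfix:` mapping starts and ends outside the hunk.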
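Review bot: In this file the lowered floor sits directly above `smtpSASLAuthEnable: "yes"` and `smtpTLSSecurityLevel: "encrypt"`, so if `minTLSVersion` also governs the outbound client (the chart template is not visible here), the relay credentials from `sasl_passwd.map` may now be sent over TLS 1.2 sessions. In Postfix the `encrypt` level requires TLS but does not verify the relay's certificate, which leaves the protocol floor as one of the few protections on that credential-bearing connection. Add a comment above the two changed lines naming which relay needs the relaxation, e.g. `# relaxed for relay compatibility; SASL credentials are sent under this TLS floor`, and check whether only the client-side settings need to change. The `postfix:` mapping continues outside the hunk.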