From cb9f24bf05480d6beb859ee4cc0bf827fe8ba7f6 Mon Sep 17 00:00:00 2001
From: Thomas Kaltenbrunner
Date: Thu, 22 May 2025 10:15:24 +0200
Subject: [PATCH] fix(postfix): Require TLSv1.3
---
 helmfile/apps/open-xchange/values-postfix.yaml.gotmpl | 4 ++++
 helmfile/apps/services-external/values-postfix.yaml.gotmpl | 6 ++++++
 2 files changed, 10 insertions(+)
diff --git a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
index 4ecc42b8..1f4c2d18 100644
--- a/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-postfix.yaml.gotmpl
@@ -55,6 +55,10 @@ postfix:
 {{- if .Values.apps.dkimpy.enabled }}
 dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
 {{- end }}
+
+ minTLSVersion: "TLSv1.3"
+ smtpdTLSMandatoryCiphers: "high"
+
 rspamdHost: ""
 relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
 allowRelayNets: false
diff --git a/helmfile/apps/services-external/values-postfix.yaml.gotmpl b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
index 5ff1a58e..283ceb41 100644
--- a/helmfile/apps/services-external/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-postfix.yaml.gotmpl
@@ -65,8 +65,14 @@ postfix:
 {{- end }}
 rspamdHost: ""
 relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
+
+ # Warning: This setting allows unauthenticated mail relay from relayNets!
 relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
 allowRelayNets: true
+
+ minTLSVersion: "TLSv1.3"
+ smtpdTLSMandatoryCiphers: "high"
+
 smtpSASLAuthEnable: "yes"
 smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
 smtpTLSSecurityLevel: "encrypt"
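Review bot: `smtpdTLSMandatoryCiphers: "high"` is added here and in the services-external hunk without any smtpd-side security level being set; presumably it maps to Postfix's `smtpd_tls_mandatory_ciphers`, which applies only when the server enforces TLS, so at an opportunistic level it would change nothing. As far as I know the cipher grade expands to an OpenSSL cipher list covering TLS 1.2 and below, so with `minTLSVersion: "TLSv1.3"` it is effectively a fallback; a comment such as `# cipher grade only matters if minTLSVersion is lowered below TLSv1.3` would record that. How `minTLSVersion` is applied (inbound smtpd only, or also the outbound client towards `relayHost`) is decided in the chart and is not visible in this hunk. If it also covers the outbound side, a relay that only offers TLS 1.2 would fail delivery, so the value is better taken from a deployment-level setting than hard-coded in both files.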
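Review bot: The warning comment added above `relayNets` in the services-external hunk names the risk but not its scope or the expected compensating control. `relayNets` is filled from `.Values.cluster.networking.cidr`, so with `allowRelayNets: true` every workload in those ranges can relay without authenticating, and the TLS settings added below encrypt the session but do not identify the client. I would word it as `# Warning: any host in cluster.networking.cidr may relay without authentication; restrict access to this service (e.g. via NetworkPolicy).` The hunk ends inside the `postfix:` mapping, so whether such a restriction already exists elsewhere is not visible here.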