fix(postfix): Require TLSv1.3

helmfile/apps/open-xchange/values-postfix.yaml.gotmpl

@@ -55,6 +55,10 @@ postfix:
   {{- if .Values.apps.dkimpy.enabled }}
   dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
   {{- end }}
+
+  minTLSVersion: "TLSv1.3"
+  smtpdTLSMandatoryCiphers: "high"
+
   rspamdHost: ""
   relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
   allowRelayNets: false

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -65,8 +65,14 @@ postfix:
   {{- end }}
   rspamdHost: ""
   relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
+
+  # Warning: This setting allows unauthenticated mail relay from relayNets!
   relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
   allowRelayNets: true
+
+  minTLSVersion: "TLSv1.3"
+  smtpdTLSMandatoryCiphers: "high"
+
   smtpSASLAuthEnable: "yes"
   smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
   smtpTLSSecurityLevel: "encrypt"