Settings for /etc/postfix/main.cf:
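# TLS parameters
#
# main.cf syntax: one "name = value" per line, starting in column 0. A comment
# is a whole line beginning with "#" (there are no trailing comments), and a
# line that begins with whitespace continues the previous one.

# Server certificate, private key and CA bundle.
# Postfix needs the private key unencrypted, so file permissions are its only
# protection: keep it owned by root and unreadable to everyone else. These
# paths sit under a user's home directory - check that the account cannot
# read or replace the files.
smtpd_tls_cert_file = /home/frank/ssl/myssl.crt
smtpd_tls_key_file = /home/frank/ssl/myssl.key
# NOTE(review): smtpd_tls_CAfile lists CAs trusted to verify client
# certificates. If this bundle is only the issuer's intermediate chain, the
# Postfix documentation recommends appending it to smtpd_tls_cert_file
# instead - confirm which one is intended.
smtpd_tls_CAfile = /home/frank/ssl/myssl.ca_bundle

# Obsolete since Postfix 2.3; smtpd_tls_security_level below overrides it.
smtpd_use_tls = yes

# TLS session caches for the server (smtpd) and the client (smtp).
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Opportunistic TLS in both directions: STARTTLS is offered (smtpd) and used
# when the peer offers it (smtp), but mail is still exchanged in cleartext
# with peers that do not use it. At this level only the non-"mandatory"
# protocol and cipher settings take effect; the *_mandatory_* settings apply
# only where the level is "encrypt" or stronger.
smtpd_tls_security_level = may
smtp_tls_security_level = may

# Cipher exclusions for mandatory TLS (level "encrypt" or stronger).
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4, EXPORT, LOW
smtp_tls_mandatory_exclude_ciphers = aNULL, MD5

# Cipher exclusions for every TLS level, including opportunistic TLS.
# With level "may" a handshake that fails on these restrictions typically
# leads to cleartext delivery rather than a refused message, so watch the
# logs for handshake failures after tightening the lists.
smtpd_tls_exclude_ciphers = aNULL, eNULL, DES, 3DES, MD5, DES+MD5, RC4, EXPORT, LOW
smtp_tls_exclude_ciphers = aNULL, DES, RC4, MD5

# Preferred syntax with Postfix ≥ 2.5:
# Names without "!" are enabled, names with "!" are disabled; whitespace and
# commas both separate entries.
# NOTE(review): the name TLSv1.3 is only known to Postfix releases built with
# TLS 1.3 support - confirm the installed version accepts these lists.
smtpd_tls_mandatory_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3 TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3

# The server chooses the cipher by its own preference order, not the client's.
tls_preempt_cipherlist = yes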
You can check your configuration using hardenize.com.