From 5f7095f274e6fe3cf61d8b55e14eaa47f1d2ae4d Mon Sep 17 00:00:00 2001
From: Jon Lockwood
Date: Fri, 18 Feb 2022 14:08:38 +0930
Subject: [PATCH] fix(postfix): only use the servers order of tls ciphers

Don't allow a client to specify which TLS ciphers to use. They may pick a less secure one.

MR !7
---
 dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dockerfile b/dockerfile
index 03af313..2f93306 100644
--- a/dockerfile
+++ b/dockerfile
@@ -179,6 +179,7 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
 # Only add missing headers for authenticated users (mail users) and my networks and mail orginating from localhost
 && postconf -e "local_header_rewrite_clients=permit_sasl_authenticated,permit_mynetworks,permit_inet_interfaces" \
 # set tls settings
+ && postfonf -e "tls_preempt_cipherlist = yes" \
 && postconf -e "tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION" \
 && postconf -e "smtpd_tls_cert_file=/certs/postfix/cert.pem" \
 && postconf -e "smtpd_tls_key_file=/certs/postfix/key.pem" \
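Review bot: The added line calls `postfonf`, which looks like a typo for `postconf`, the command every neighbouring line in this chain uses. Because the line sits inside an `&&` chain, the shell would presumably fail with command-not-found and abort the RUN step, so `tls_preempt_cipherlist` is never written; the line should read `&& postconf -e "tls_preempt_cipherlist = yes" \`. Server preference only helps if the server's own cipher list is ordered strongest-first, and no cipher-list setting is visible in this hunk, so it is worth confirming that separately. The RUN instruction starts before and continues past the hunk.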