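# SSL
# TLS settings in Postfix main.cf syntax. main.cf has no trailing comments,
# so every comment is on a line of its own and each parameter gets one line.

# 0 disables logging of TLS activity.
# NOTE(review): level 1 logs a one-line summary per completed handshake, which
# is what shows the negotiated protocol and cipher during an investigation.
smtpd_tls_loglevel = 0
# Do not record TLS protocol/cipher details in the Received: header.
smtpd_tls_received_header = no
# Client-side (smtp_, not smtpd_) setting: log remote servers that offer STARTTLS.
smtp_tls_note_starttls_offer = yes
# Opportunistic TLS: STARTTLS is announced but clients are not required to use it.
smtpd_tls_security_level = may
# NOTE(review): left disabled by the author. While it is off, and if SASL
# authentication is enabled elsewhere in the configuration, AUTH is also offered
# on sessions that never negotiated TLS, so credentials can cross the network
# unencrypted. Enable it unless a client that cannot do STARTTLS depends on this.
# smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/u-mail/data/ssl.cert
# The private key must not be readable by anyone other than root.
smtpd_tls_key_file = /usr/local/u-mail/data/ssl.key
# Protocol exclusions: the "mandatory" list applies where TLS is enforced, the
# plain list applies to opportunistic TLS (the mode selected above). Both leave
# only TLS 1.2 and later.
# NOTE(review): with security level "may", a sender limited to TLS 1.0/1.1 fails
# the handshake and may retry in cleartext; confirm that trade-off is intended.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# Cipher grade for mandatory TLS only; opportunistic sessions are governed by
# smtpd_tls_ciphers, which is not set in this section.
smtpd_tls_mandatory_ciphers = medium
# Two alternative ways to create the DH parameter file referenced below:
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /usr/local/u-mail/data/dhparam_smtp.pem
# openssl dhparam -out /usr/local/u-mail/data/dhparam_smtp.pem 2048
# not actually 1024 bits, this applies to all DHE >= 1024 bits
# NOTE(review): recent Postfix releases provide built-in DH parameters; check the
# documentation for the installed version before maintaining a custom file.
smtpd_tls_dh1024_param_file = /usr/local/u-mail/data/dhparam_smtp.pem
# Redefines what the "medium" grade means: AEAD suites with ECDHE or DHE key
# exchange only, so every listed suite provides forward secrecy.
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
# "no" lets the client's cipher preference order decide among the suites above.
tls_preempt_cipherlist = no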