From f9b15192b8bbb777822785e27d4e0ad02377e186 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Tue, 3 Jun 2025 00:45:12 +0200
Subject: [PATCH] postfix: allow client to select the preferred cipher

As long as all cipher we support are considered safe we can allow clients to select one that suits them best.
---
 mail-server/postfix.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index d1c59b2..5d7f9a2 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -287,10 +287,12 @@ in
 smtp_tls_mandatory_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
 smtp_tls_exclude_ciphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
- tls_preempt_cipherlist = true;
+ # As long as all cipher suites are considered safe, let the client use its preferred cipher
+ tls_preempt_cipherlist = false;
 # Allowing AUTH on a non encrypted connection poses a security risk
 smtpd_tls_auth_only = true;
+ # Log only a summary message on TLS handshake completion
 smtp_tls_loglevel = "1";
 smtpd_tls_loglevel = "1";
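Review bot: The comment added above `tls_preempt_cipherlist = false;` states a precondition (every offered suite is safe) but does not say which settings guarantee it. This Postfix option governs only the SMTP server's side of the handshake, so the guarantee comes from the `smtpd_tls_*` cipher grade and exclusion settings, which lie outside this hunk; the two exclusion lists visible as context are the client-side `smtp_tls_*` ones. I would extend the comment, e.g. `# Relies on the smtpd_tls_* cipher settings admitting only strong suites; revisit if those are relaxed`, so a later edit to those lists does not silently re-expose a weak suite to client selection. If the server-side lists mirror the ones shown, `PSD` looks like a typo for `PSK` and is probably ignored by the TLS library, which is worth confirming before relying on the list. The surrounding attribute set begins and ends outside the hunk.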