From 64aca4f2ce550457aea0569181237e19d78146f3 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Wed, 18 Jun 2025 06:57:42 +0200
Subject: [PATCH] postfix: disable SHA1 for SMTP connections
---
 mail-server/postfix.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/mail-server/postfix.nix b/mail-server/postfix.nix
index e29983a..edb3a11 100644
--- a/mail-server/postfix.nix
+++ b/mail-server/postfix.nix
@@ -340,8 +340,8 @@ in
 smtpd_tls_mandatory_ciphers = "high";
 # Exclude cipher suites with undesirable properties
- smtpd_tls_exclude_ciphers = "eNULL, aNULL";
- smtpd_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
+ smtpd_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
+ smtpd_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
 # Opportunistic DANE support when delivering mail to other servers
 # https://www.postfix.org/postconf.5.html#smtp_tls_security_level
@@ -357,8 +357,8 @@ in
 smtp_tls_mandatory_ciphers = "high";
 # Exclude ciphersuites with undesirable properties
- smtp_tls_exclude_ciphers = "eNULL, aNULL";
- smtp_tls_mandatory_exclude_ciphers = "eNULL, aNULL";
+ smtp_tls_exclude_ciphers = "SHA1, eNULL, aNULL";
+ smtp_tls_mandatory_exclude_ciphers = "SHA1, eNULL, aNULL";
 # Restrict and prioritize the following curves in the given order
 # Excludes curves that have no widespread support, so we don't bloat the handshake needlessly.
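Review bot: The comment above `smtpd_tls_exclude_ciphers` still reads "Exclude cipher suites with undesirable properties" and does not say what the new `SHA1` token covers. In an OpenSSL cipher list that keyword selects suites whose MAC is HMAC-SHA1 (in practice the older CBC suites), not certificate signature hashes, which is how the subject line could be read. I would add `# SHA1 = suites using an HMAC-SHA1 MAC (legacy CBC suites); certificate signatures are unaffected` here and above the `smtp_tls_*` pair in the second hunk. The enclosing attribute set starts and ends outside the hunk.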
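Review bot: On the client side, putting `SHA1` into `smtp_tls_exclude_ciphers` applies it to opportunistic deliveries too, so a peer that offers only HMAC-SHA1 suites will now fail the handshake. Postfix documents that at the `may` level a failed handshake is retried with TLS disabled, which would trade a weak-MAC session for a cleartext one. The configured security level is not visible in this hunk (the context of the first hunk mentions opportunistic DANE), so this is inferred rather than confirmed. Consider leaving `smtp_tls_exclude_ciphers = "eNULL, aNULL";` and keeping `SHA1` only in `smtp_tls_mandatory_exclude_ciphers`, which Postfix applies in addition at mandatory levels, or at least watch the logs for new handshake failures after rollout. The same interoperability trade-off applies to `smtpd_tls_exclude_ciphers` in the first hunk, where the sending client decides how to fall back.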