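# Postfix TLS hardening: restrict every TLS-speaking Postfix role (server and
# client, opportunistic and mandatory) to TLS 1.2+ and drop weak cipher families.
#
# Applies only when `services.postfix` is enabled; `mkForce` is used so these
# values win over any weaker defaults set by other modules.
{ lib, ... }:
let
  inherit (lib) mkForce;

  # ">=TLSv1.2" is the range syntax accepted by Postfix 3.6 and later.
  # NOTE(review): on older Postfix this must be spelled as exclusions,
  # e.g. "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1" — confirm the deployed version.
  tlsProtocols = ">=TLSv1.2";

  # OpenSSL cipher-string keywords to exclude. Postfix turns each entry into a
  # "!keyword" exclusion, so every entry must be a keyword OpenSSL recognises;
  # an unrecognised word is silently ignored rather than excluded.
  #   MD5/DES/RC4/3DES     - broken or legacy algorithms
  #   ADH/aNULL/eNULL      - no authentication / no encryption
  #   PSK/SRP              - pre-shared-key and SRP suites, unused for SMTP
  #   AES128-SHA/AES256-SHA - non-PFS RSA key exchange with CBC-SHA1
  # Was "PSD" before, which is not an OpenSSL keyword (likely a typo for PSK).
  # These lists only affect TLS 1.2 and below; TLS 1.3 cipher suites are
  # governed separately and are not touched here.
  excludeCiphers = "MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL, AES128-SHA, AES256-SHA";
in
{
  services.postfix.config = {
    # Protocol floor for the SMTP server (smtpd_*) and client (smtp_*), at both
    # the opportunistic ("may") and mandatory security levels.
    # NOTE(review): for outbound opportunistic TLS (smtp_tls_security_level =
    # may) a peer that only speaks older TLS will fall back to cleartext
    # rather than fail; accept that trade-off deliberately or leave the
    # smtp_tls_protocols default in place.
    smtpd_tls_protocols = mkForce tlsProtocols;
    smtp_tls_protocols = mkForce tlsProtocols;
    smtpd_tls_mandatory_protocols = mkForce tlsProtocols;
    smtp_tls_mandatory_protocols = mkForce tlsProtocols;

    # Cipher exclusions. The *_mandatory_exclude_ciphers lists are additive to
    # the plain *_exclude_ciphers lists in Postfix; setting both to the same
    # value is redundant but keeps the policy explicit for each level.
    smtpd_tls_mandatory_exclude_ciphers = mkForce excludeCiphers;
    smtpd_tls_exclude_ciphers = mkForce excludeCiphers;
    smtp_tls_mandatory_exclude_ciphers = mkForce excludeCiphers;
    smtp_tls_exclude_ciphers = mkForce excludeCiphers;
  };
}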