sec: add security-related Postfix options

tasks/mail/configure_postfix.yml

@@ -16,4 +16,11 @@
       smtpd_recipient_restrictions =
       # smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination    # DEFAULT according to `man 5 postconf`
       smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
+
+      relayhost = [{{ mail_server }}]                                                       # mail server
+      disable_vrfy_command = yes                                                            # security: disable VRFY replies
+      smtpd_tls_mandatory_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2   # security: only TLS 1.3
+      smtpd_tls_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2             # security: only TLS 1.3
+      smtp_tls_mandatory_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2    # security: only TLS 1.3
+      smtp_tls_protocols = TLSv1.3, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2              # security: only TLS 1.3
   notify: restart postfix

tasks/main.yml

@@ -6,6 +6,7 @@
     - "cron_apt.vault"
     - "exim.vault"
     - "groups.vault"
+    - "mail.vault"
     - "repos.vault"
     - "sudo.vault"
     - "syslog.vault"