build(deps): Bump github/codeql-action from 4.35.3 to 4.35.4

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.3 to 4.35.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](e46ed2cbd0...68bde559de)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/codeql-analysis.yml

@@ -47,7 +47,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+      uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+      uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+      uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4

.github/workflows/scorecards.yml

@@ -76,6 +76,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         with:
           sarif_file: results.sarif

config.go

@@ -31,6 +31,7 @@ var (
 	listenStr        = flagset.String("listen", "127.0.0.1:25 [::1]:25", "Address and port to listen for incoming SMTP")
 	localCert        = flagset.String("local_cert", "", "SSL certificate for STARTTLS/TLS")
 	localKey         = flagset.String("local_key", "", "SSL private key for STARTTLS/TLS")
+	tlsProfile       = flagset.String("tls_profile", "default", "TLS profile: modern | intermediate | default | legacy")
 	localForceTLS    = flagset.Bool("local_forcetls", false, "Force STARTTLS (needs local_cert and local_key)")
 	readTimeoutStr   = flagset.String("read_timeout", "60s", "Socket timeout for read operations")
 	writeTimeoutStr  = flagset.String("write_timeout", "60s", "Socket timeout for write operations")

main.go

@@ -281,6 +281,7 @@ func generateUUID() string {
 }
 
 func getTLSConfig() *tls.Config {
+	// Certificate loading / validation
 	if *localCert == "" || *localKey == "" {
 		log.Fatal().
 			Str("cert_file", *localCert).
@@ -295,9 +296,60 @@ func getTLSConfig() *tls.Config {
 			Msg("cannot load X509 keypair")
 	}
 
-	return &tls.Config{
+	// TLS profile configuration
+	// tls.Config.CipherSuites only affects TLS 1.0–1.2.
+
+	// Base config: Go defaults unless overridden.
+	conf := &tls.Config{
 		Certificates: []tls.Certificate{cert},
 	}
+
+	profile := strings.ToLower(strings.TrimSpace(*tlsProfile))
+	if profile == "" {
+		profile = "default"
+	}
+
+	switch profile {
+	case "default":
+		// Go defaults (leave MinVersion/MaxVersion/CipherSuites unset).
+
+	case "modern":
+		// TLS 1.3+.
+		conf.MinVersion = tls.VersionTLS13
+
+	case "intermediate":
+		// TLS 1.2+ with AEAD + ECDHE cipher suites only.
+		// Mozilla "intermediate" — AEAD + ECDHE only.
+		conf.MinVersion = tls.VersionTLS12
+		conf.CipherSuites = []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+		}
+
+	case "legacy":
+		// Last resort: TLS 1.0+ and everything Go exposes for TLS 1.0–1.2.
+		conf.MinVersion = tls.VersionTLS10
+
+		allSuites := []uint16{}
+		for _, cs := range tls.CipherSuites() {
+			allSuites = append(allSuites, cs.ID)
+		}
+		for _, cs := range tls.InsecureCipherSuites() {
+			allSuites = append(allSuites, cs.ID)
+		}
+		conf.CipherSuites = allSuites
+
+	default:
+		log.Warn().
+			Str("tls_profile", profile).
+			Msg("unknown tls_profile; using default")
+	}
+
+	return conf
 }
 
 func watchAliasFile() {

smtprelay.ini

@@ -35,6 +35,33 @@
 ;local_cert = smtpd.pem
 ;local_key  = smtpd.key
 
+; TLS PROFILE (STARTTLS / TLS listeners)
+; Controls the minimum TLS version and allowed cipher suites for inbound
+; connections when using listen protocols `starttls://` or `tls://`.
+; Profiles follow the Mozilla SSL Configuration Generator guidelines.
+;
+;   default
+;     Go standard library defaults. Tracks improvements as Go updates
+;     its TLS defaults. Recommended for most deployments.
+;
+;   modern
+;     TLS 1.3+ only. Simplest and most secure, but rejects any client
+;     that cannot negotiate TLS 1.3.
+;     Matches Mozilla "modern" configuration.
+;
+;   intermediate
+;     TLS 1.2+. For TLS 1.2 connections only AEAD ciphers (AES-GCM,
+;     ChaCha20-Poly1305) with ECDHE key exchange are allowed,
+;     providing forward secrecy. TLS 1.3 ciphers are always available.
+;     Matches Mozilla "intermediate" configuration.
+;
+;   legacy
+;     TLS 1.0+ with all cipher suites the Go standard library supports,
+;     including insecure ones (RC4, 3DES). Use only when you must
+;     support very old clients that cannot negotiate TLS 1.2.
+;
+;tls_profile=default
+
 ; Enforce encrypted connection on STARTTLS ports before
 ; accepting mails from client.
 ;local_forcetls = false