Topic: beef up TLS security
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: CentOS 7, kernel 3.10.0-514.26.2.el7.x86_64
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I have done some tests to verify the status of the TLS setup and the certificates used,
like the one on https://www.htbridge.com/ssl/
The goal is to get a "GRADE A" for PCI DSS requirements.
When running a test on a "vanilla installed" iRedMail server, using a commercial domain certificate, the result was "B-"
with the following comments (among others):
SERVER DOES NOT HAVE CIPHER PREFERENCE
The server does not prefer cipher suites. We advise to enable this feature in order to enforce usage of the best cipher
suites selected.
In order to get an "A" grade, postfix needs the following changes in main.cf
smtpd_tls_mandatory_ciphers = high
tls_preempt_cipherlist = yes
In addition to this, I also followed the hints in https://weakdh.org/sysadmin.htm and recreated the 2048_dhparams.pem file.
After these changes, the result was "Grade A".
Then there are also comments about additional insecure protocols, which could be disabled via the line
smtpd_tls_exclude_ciphers =
but I haven't yet changed the default values.
Is anyone else on this forum hardening their TLS security to meet NIST or other regulations, and willing to share ideas or recommendations?
Regards,
swejun
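As an added example (not part of the original post, nor iRedMail's or Postfix's own tooling), here is a small POSIX shell audit that checks a Postfix main.cf for the settings the post changed: cipher preference (tls_preempt_cipherlist), the mandatory cipher grade, and the DH parameter file. It goes one step beyond the post by also checking that SSLv2/SSLv3 are excluded via smtpd_tls_mandatory_protocols, which is the Postfix parameter for protocol pinning rather than smtpd_tls_exclude_ciphers. The two main.cf excerpts and the file path /etc/ssl/dh2048_param.pem are constructed for the example; the postconf and openssl commands in the comments are the real ones you would run on the server.

```shell
#!/bin/sh
# Added example: audit Postfix main.cf TLS settings discussed in the post.
# Not from the original post or from iRedMail. Sample configs are constructed.
#
# On a real server the same checks can be fed live values with
#   postconf -n > /tmp/main.cf.snapshot
# and the hardened values applied with
#   postconf -e 'smtpd_tls_mandatory_ciphers = high'
#   postconf -e 'tls_preempt_cipherlist = yes'
#   postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3'
#   openssl dhparam -out /etc/ssl/dh2048_param.pem 2048   # fresh DH group (weakdh.org)

# Constructed "vanilla" excerpt: the B- state the post describes
# (no cipher preference, medium cipher grade, no protocol pinning).
VANILLA_CF='smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
'

# Constructed hardened excerpt: the post's two changes plus protocol pinning.
HARDENED_CF='smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
'

# cf_get CONFIG_TEXT KEY: print the last value set for KEY ("" if unset).
# Requires "KEY =" so a key that is a prefix of another key does not match.
cf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# tls_audit CONFIG_TEXT: print one FAIL line per weak setting; the return
# status is the number of failures (0 means every check passed).
tls_audit() {
    cf="$1"
    fails=0

    # Postfix defaults tls_preempt_cipherlist to "no": the client picks the cipher.
    [ "$(cf_get "$cf" tls_preempt_cipherlist)" = "yes" ] \
        || { echo "FAIL: tls_preempt_cipherlist is not yes (no server cipher preference)"; fails=$((fails + 1)); }

    # "high" restricts mandatory TLS to the strong OpenSSL cipher grade.
    [ "$(cf_get "$cf" smtpd_tls_mandatory_ciphers)" = "high" ] \
        || { echo "FAIL: smtpd_tls_mandatory_ciphers is not high"; fails=$((fails + 1)); }

    # Protocol pinning: both legacy SSL versions must be excluded.
    case "$(cf_get "$cf" smtpd_tls_mandatory_protocols)" in
        *'!SSLv2'*'!SSLv3'*) ;;
        *) echo "FAIL: smtpd_tls_mandatory_protocols does not exclude SSLv2 and SSLv3"
           fails=$((fails + 1)) ;;
    esac

    # A DH parameter file must be configured so the weakdh.org advice applies.
    [ -n "$(cf_get "$cf" smtpd_tls_dh1024_param_file)" ] \
        || { echo "FAIL: smtpd_tls_dh1024_param_file is not set"; fails=$((fails + 1)); }

    return "$fails"
}

# Stand-alone run: audit both constructed excerpts.
echo "== vanilla =="
tls_audit "$VANILLA_CF" || echo "$? weak setting(s)"
echo "== hardened =="
tls_audit "$HARDENED_CF" && echo "all checks passed"
```

The audit reads only static config text, so it tells you what Postfix will offer, not what a remote scanner observes; after applying the changes, re-run the external test (and `postfix reload`) to confirm the grade, since a scanner also reacts to the certificate chain and the DH group strength that this script does not inspect.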