From e5728cf7b6bdb189491c6459899c3bb0a6d9ebd8 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Wed, 21 May 2025 21:06:32 +1200 Subject: [PATCH] docs: Revise `TLS_LEVEL` ENV description (#4482) --- docs/content/config/environment.md | 13 +++++++++++-- mailserver.env | 6 ++++-- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md index fdc70645..ea33c613 100644 --- a/docs/content/config/environment.md +++ b/docs/content/config/environment.md @@ -198,8 +198,16 @@ Please read [the SSL page in the documentation][docs-tls] for more information. ##### TLS_LEVEL - **empty** => modern -- modern => Enables TLSv1.2 and modern ciphers only. (default) -- intermediate => Enables TLSv1, TLSv1.1 and TLSv1.2 and broad compatibility ciphers. +- `modern` => Limits the cipher suite to secure ciphers only. +- `intermediate` => Relaxes security by adding additional ciphers for broader compatibility. + +!!! info + + In both cases TLS v1.2 is the minimum protocol version supported. + +!!! note + + Prior to DMS v12.0, `TLS_LEVEL=intermediate` additionally supported TLS versions 1.0 and 1.1. If you still have legacy devices that can only use these versions of TLS, please follow [this workaround advice][gh-issue::tls-legacy-workaround]. ##### SPOOF_PROTECTION @@ -1174,3 +1182,4 @@ Provide the credentials to use with `RELAY_HOST` or `DEFAULT_RELAY_HOST`. [postfix-config::relayhost]: https://www.postfix.org/postconf.5.html#relayhost [postfix-config::relayhost_maps]: https://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps [postfix-config::sasl_passwd]: https://www.postfix.org/postconf.5.html#smtp_sasl_password_maps +[gh-issue::tls-legacy-workaround]: https://github.com/docker-mailserver/docker-mailserver/pull/2945#issuecomment-1949907964 diff --git a/mailserver.env b/mailserver.env index 0c22277d..b1496025 100644 --- a/mailserver.env 
+++ b/mailserver.env @@ -82,8 +82,10 @@ TZ= NETWORK_INTERFACE= # empty => modern -# modern => Enables TLSv1.2 and modern ciphers only. (default) -# intermediate => Enables TLSv1, TLSv1.1 and TLSv1.2 and broad compatibility ciphers. +# modern => Limits the cipher suite to secure ciphers only. +# intermediate => Relaxes security by adding additional ciphers for broader compatibility. +# NOTE: The minimum TLS version supported is 1.2, if you need to lower that follow this workaround advice: +# https://github.com/docker-mailserver/docker-mailserver/pull/2945#issuecomment-1949907964 TLS_LEVEL= # Configures the handling of creating mails with forged sender addresses.
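Review bot: In the `docs/content/config/environment.md` TLS_LEVEL hunk, the rewritten bullets `modern => Limits the cipher suite to secure ciphers only.` and `intermediate => Relaxes security by adding additional ciphers for broader compatibility.` drop the old `(default)` marker and no longer say which cipher suites either level actually enables, so an operator reading only this page cannot judge what `intermediate` gives up. Keep `(default)` on the `modern` bullet rather than relying on the `**empty** => modern` line alone, and point both bullets at the SSL page already linked in the context line (`Please read [the SSL page in the documentation][docs-tls]`) for the concrete cipher lists. The `!!! info` admonition stating that TLS 1.2 is the minimum in both cases is the important security fact here; consider adding one sentence that `intermediate` should only be chosen when a specific client fails to negotiate with `modern`, since the bullet itself says it relaxes security.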
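Review bot: In the link-reference hunk at the end of `environment.md`, the new label `[gh-issue::tls-legacy-workaround]` resolves to a pull-request comment (`.../pull/2945#issuecomment-1949907964`), not an issue, so the `gh-issue::` prefix is misleading next to the neighbouring `postfix-config::` labels; rename it (for example `gh-pr::tls-legacy-workaround`) in both the definition and the reference inside the TLS_LEVEL `!!! note`. A deep link to a single PR comment is also fragile, since the comment can be edited or removed; summarising the workaround steps in the SSL documentation page and linking that instead would keep the advice under the project's control.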
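Review bot: In the `mailserver.env` hunk, the added comment `# NOTE: The minimum TLS version supported is 1.2, if you need to lower that follow this workaround advice:` is a comma splice and reads as though lowering the minimum is a supported configuration; split it into two sentences and make clear that the linked workaround is for legacy clients only, for example `# NOTE: The minimum TLS version supported is 1.2.` followed by `# If a legacy client requires TLS 1.0/1.1, see the workaround advice at:`. The wording of the `modern` and `intermediate` lines now matches the markdown docs exactly, which is good; keep them in sync if the docs bullets are revised.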