
[TODO]: Deprecate TLS_LEVEL=intermediate #3892

@polarathene

Description

Despite what the docs presently say for TLS_LEVEL, intermediate does not offer TLS 1.0/1.2 anymore:

( "intermediate" )
local TLS_INTERMEDIATE_SUITE='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256'
local TLS_INTERMEDIATE_IGNORE='!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
local TLS_INTERMEDIATE_MIN='TLSv1.2'

This was removed in #2945 but I have noticed that we have a user forking to carry a patch to revert back the support along with the required OpenSSL config.


From v16 (or perhaps v15 if someone wants to tackle it in time), we could add this support back via an alternative TLS_LEVEL=legacy or alternative opt-in like TLS_LEGACY=1.

I'm not sure if there is any value in us maintaining the separate intermediate list, the cipher lists could be unset back to defaults from Postfix/Dovecot. TLS_LEVEL would then be deprecated so that we only offer modern, as it really only exists for legacy requirements to use intermediate for broader compatibility 🤷‍♂️


We don't presently document to users how to bring back TLS <1.2 support. Instead of providing a legacy TLS opt-in feature, we could just document a solution with user-patches.sh? (if maintainers would prefer to avoid the burden of maintenance support in DMS for a niche feature catering to user convenience).

I did provide a user-patches.sh example, but note a caveat with how it may be undone by our check-for-changes.sh service being triggered.
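A check for what the quoted intermediate profile actually permits, added here as an example; it is not docker-mailserver code. It takes the three values from the issue (the suite string, the Postfix-style exclusion list and the minimum version) and asks the local OpenSSL build two things: which protocol versions survive the exclusion list, and whether any suite in the cipher string can be negotiated below TLS 1.2 at all. The `LEGACY_SUITE` string is constructed for contrast and is not a DMS setting; treating `TLS_INTERMEDIATE_MIN` as the Dovecot-side `ssl_min_protocol` value is my assumption. The point it makes beyond the issue text: every suite in the intermediate list is a TLS 1.2-only suite (GCM, CHACHA20, SHA256/SHA384), so dropping the `!TLSv1,!TLSv1.1` exclusions on its own would not bring TLS 1.0/1.1 clients back; a legacy opt-in would also need CBC/SHA-1 suites.

```python
"""Inspect a DMS-style TLS_LEVEL profile with the local OpenSSL (added example).

Not docker-mailserver code. Reuses the values quoted in the issue and reports
(1) the protocol versions the Postfix-style spec leaves enabled and
(2) which configured suites OpenSSL would allow below TLS 1.2.
"""
import ssl

# Values quoted in the issue for TLS_LEVEL=intermediate.
TLS_INTERMEDIATE_SUITE = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
)
TLS_INTERMEDIATE_IGNORE = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1"
TLS_INTERMEDIATE_MIN = "TLSv1.2"  # assumed to feed Dovecot's ssl_min_protocol

# Constructed for contrast, not a DMS setting: CBC/SHA-1 suites that OpenSSL
# tags as TLSv1.0, i.e. what a legacy profile would need for TLS 1.0/1.1 clients.
LEGACY_SUITE = "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA"

# Postfix protocol names, oldest first.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def allowed_protocols(spec: str) -> list:
    """Expand a Postfix-style protocol spec into the versions it permits.

    Accepts the exclusion form quoted in the issue ("!SSLv2,!SSLv3,...") and
    the ">=TLSv1.2" form that Postfix 3.6+ understands. Unknown tokens raise.
    """
    spec = spec.strip()
    if spec.startswith(">="):
        floor = spec[2:].strip()
        if floor not in PROTOCOLS:
            raise ValueError(f"unknown protocol {floor!r}")
        return PROTOCOLS[PROTOCOLS.index(floor):]
    excluded = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if not token.startswith("!") or token[1:] not in PROTOCOLS:
            raise ValueError(f"unsupported token {token!r}")
        excluded.add(token[1:])
    return [p for p in PROTOCOLS if p not in excluded]


def min_protocol(spec: str) -> str:
    """Lowest protocol version the spec still enables."""
    return allowed_protocols(spec)[0]


def suite_protocols(suite: str) -> dict:
    """Map each suite name OpenSSL accepts from `suite` to the protocol that
    first defined it (OpenSSL's SSL_CIPHER_get_version, e.g. 'TLSv1.2').

    TLS 1.3 ciphersuites are skipped: set_ciphers() does not govern them but
    get_ciphers() lists them anyway. If OpenSSL rejects every suite (possible
    under a strict security level), an empty mapping is returned.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError:
        return {}
    requested = set(suite.split(":"))
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers() if c["name"] in requested}


def pre_tls12_suites(suite: str) -> list:
    """Configured suites a TLS 1.0/1.1 client could still negotiate."""
    return sorted(name for name, proto in suite_protocols(suite).items()
                  if proto in ("SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"))


def profile_report(suite: str, ignore: str, minimum: str) -> dict:
    """Summarise a profile: enabled versions, whether the minimum agrees with
    the exclusion list, and which suites would work below TLS 1.2."""
    allowed = allowed_protocols(ignore)
    return {
        "allowed_protocols": allowed,
        "min_matches_ignore": allowed[0] == minimum,
        "suites_usable_below_tls12": pre_tls12_suites(suite),
    }


if __name__ == "__main__":
    print("intermediate:", profile_report(TLS_INTERMEDIATE_SUITE, TLS_INTERMEDIATE_IGNORE, TLS_INTERMEDIATE_MIN))
    print("legacy suites by protocol:", suite_protocols(LEGACY_SUITE))
```

Run it on the host (or inside the container) whose OpenSSL Postfix and Dovecot link against; the suite-to-protocol mapping comes from that library, so a build that has SHA-1 suites disabled will show an empty legacy mapping, which is itself the answer to whether a legacy opt-in could work there.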
