could you cross-check with a more reliable check (e.g. https://github.com/rbsec/sslscan, newer versions of that tool seems to not rely on older OpenSSL versions anymore) then openssl s_client?
I’m asking because the checks for the SSL/TLS are quite strict, have been proofed to work since so many years and all supposed false positives related to SSL/TLS topics have found to be invalid and either caused by e.g.
a too new OpenSSL library used by the other testing tools which didn’t supported the related protocol anymore
specific service misconfigurations (e.g. it still offered a deprecated protocol when accessing via the IP instead via the hostname / by using SNI)
The problem is on my postfix then. Tricky with the openssl that did not support the old protocols as a client. Thank you again for the quick and accurate reply