disabling TLS1/1.1

I just built a new system (9.2) with Postfix email relay, no http/Apache installed, but the Nessus scan came back and said I have TLS 1/1.1 enabled.

I already use "update-crypto-policies" to set the policy to FUTURE:
[root@abcdexfgh postfix]# update-crypto-policies --show
FUTURE

[root@abcdefgh postfix]# openssl ciphers -v | awk '{print $2}' | sort | uniq
TLSv1.2
TLSv1.3

how did I miss?

By the way, how can I tell postfix is encrypting the communication with the email ISP?

Thank you for your help.