Update dovecot SSL conf according to Mozilla recommentation

2024-09-03 20:06:10 +02:00 · 2020-04-03 03:41:37 +02:00 · 2020-04-03 03:41:37 +02:00 · 23617a9386
commit 23617a9386
parent 128577686a
1 changed files with 17 additions and 2 deletions
--- a/data/templates/dovecot/dovecot.conf
+++ b/data/templates/dovecot/dovecot.conf
@ -12,10 +12,25 @@ protocols = imap sieve {% if pop3_enabled == "True" %}pop3{% endif %}

 mail_plugins = $mail_plugins quota

-ssl = yes
+###############################################################################
+
+# generated 2020-04-03, Mozilla Guideline v5.4, Dovecot 2.2.27, OpenSSL 1.1.1l, intermediate configuration
+# https://ssl-config.mozilla.org/#server=dovecot&version=2.2.27&config=intermediate&openssl=1.1.1l&guideline=5.4
+
+ssl = required
+
 ssl_cert = </etc/yunohost/certs/{{ main_domain }}/crt.pem
 ssl_key = </etc/yunohost/certs/{{ main_domain }}/key.pem
-ssl_protocols = !SSLv3
+
+ssl_dh_parameters_length = 2048
+
+# intermediate configuration
+ssl_protocols = TLSv1.2 TLSv1.3
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_prefer_server_ciphers = no
+
+###############################################################################
+

 passdb {
  args = /etc/dovecot/dovecot-ldap.conf