Merge pull request #914 from YunoHost/update-mailstack-ciphers
Update mailstack ciphers
commit
4b7abd3cde
2 changed files with 41 additions and 22 deletions
|
@ -12,10 +12,25 @@ protocols = imap sieve {% if pop3_enabled == "True" %}pop3{% endif %}
|
|||
|
||||
mail_plugins = $mail_plugins quota
|
||||
|
||||
ssl = yes
|
||||
###############################################################################
|
||||
|
||||
# generated 2020-04-03, Mozilla Guideline v5.4, Dovecot 2.2.27, OpenSSL 1.1.0l, intermediate configuration
|
||||
# https://ssl-config.mozilla.org/#server=dovecot&version=2.2.27&config=intermediate&openssl=1.1.0l&guideline=5.4
|
||||
|
||||
ssl = required
|
||||
|
||||
ssl_cert = </etc/yunohost/certs/{{ main_domain }}/crt.pem
|
||||
ssl_key = </etc/yunohost/certs/{{ main_domain }}/key.pem
|
||||
ssl_protocols = !SSLv3
|
||||
|
||||
ssl_dh_parameters_length = 2048
|
||||
|
||||
# intermediate configuration
|
||||
ssl_protocols = TLSv1.2
|
||||
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl_prefer_server_ciphers = no
|
||||
|
||||
###############################################################################
|
||||
|
||||
|
||||
passdb {
|
||||
args = /etc/dovecot/dovecot-ldap.conf
|
||||
|
|
|
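Review bot: `ssl_protocols` appears twice in this hunk, first as `ssl_protocols = !SSLv3` and later as `ssl_protocols = TLSv1.2`; if both survive on the new side, Dovecot keeps the last assignment and the first line is dead, and if the earlier one is meant to be removed, the rendering here does not make that certain. The surviving line deserves a one-line comment stating the client-visible effect, e.g. `# TLSv1.2 only: clients limited to TLS 1.0/1.1 are refused rather than falling back`, since `ssl = required` together with this line changes what older IMAP/POP3 clients experience. The Mozilla banner records the generator inputs (Dovecot 2.2.27, OpenSSL 1.1.0l), which is good; a short note that the block between the two `####` rulers is generated output and should be regenerated rather than hand-edited would keep `ssl_dh_parameters_length` and the cipher list from drifting independently.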
@ -18,35 +18,39 @@ append_dot_mydomain = no
|
|||
readme_directory = no
|
||||
|
||||
# -- TLS for incoming connections
|
||||
# By default, TLS is disabled in the Postfix SMTP server, so no difference to
|
||||
# plain Postfix is visible. Explicitly switch it on with "smtpd_tls_security_level = may".
|
||||
smtpd_tls_security_level=may
|
||||
###############################################################################
|
||||
# generated 2020-04-03, Mozilla Guideline v5.4, Postfix 3.1.14, OpenSSL 1.1.0l, intermediate configuration
|
||||
# https://ssl-config.mozilla.org/#server=postfix&version=3.1.14&config=intermediate&openssl=1.1.0l&guideline=5.4
|
||||
|
||||
# Sending AUTH data over an unencrypted channel poses a security risk.
|
||||
# When TLS layer encryption is optional ("smtpd_tls_security_level = may"), it
|
||||
# may however still be useful to only offer AUTH when TLS is active. To maintain
|
||||
# compatibility with non-TLS clients, the default is to accept AUTH without
|
||||
# encryption. In order to change this behavior, we set "smtpd_tls_auth_only = yes".
|
||||
smtpd_tls_auth_only=yes
|
||||
# (No modern conf support until we're on buster...)
|
||||
# {% if compatibility == "intermediate" %} {% else %} {% endif %}
|
||||
|
||||
smtpd_use_tls = yes
|
||||
|
||||
smtpd_tls_security_level = may
|
||||
smtpd_tls_auth_only = yes
|
||||
smtpd_tls_cert_file = /etc/yunohost/certs/{{ main_domain }}/crt.pem
|
||||
smtpd_tls_key_file = /etc/yunohost/certs/{{ main_domain }}/key.pem
|
||||
smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, 3DES
|
||||
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
||||
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
||||
smtpd_tls_mandatory_ciphers = medium
|
||||
|
||||
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
|
||||
# not actually 1024 bits, this applies to all DHE >= 1024 bits
|
||||
# smtpd_tls_dh1024_param_file = /path/to/dhparam.pem
|
||||
|
||||
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
tls_preempt_cipherlist = no
|
||||
###############################################################################
|
||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||
smtpd_tls_loglevel=1
|
||||
{% if compatibility == "intermediate" %}
|
||||
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||||
{% else %}
|
||||
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
|
||||
{% endif %}
|
||||
smtpd_tls_mandatory_ciphers=high
|
||||
smtpd_tls_eecdh_grade = ultra
|
||||
|
||||
# -- TLS for outgoing connections
|
||||
# Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
|
||||
smtp_tls_security_level=may
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
|
||||
smtp_tls_mandatory_ciphers= $smtpd_tls_mandatory_ciphers
|
||||
smtp_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, 3DES
|
||||
smtp_tls_mandatory_ciphers= high
|
||||
smtp_tls_loglevel=1
|
||||
|
||||
# Configure Root CA certificates
|
||||
|
@ -167,4 +171,4 @@ default_destination_rate_delay = 5s
|
|||
# By default it's possible to detect if the email adress exist
|
||||
# So it's easly possible to scan a server to know which email adress is valid
|
||||
# and after to send spam
|
||||
disable_vrfy_command = yes
|
||||
disable_vrfy_command = yes
|
||||
|
|
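Review bot: `tls_medium_cipherlist` (the line after the dhparam comment) is a global Postfix parameter rather than an smtpd_ one, so overriding it with the eight-suite Mozilla list also narrows the outbound client: `smtp_tls_security_level=may` negotiates opportunistic TLS at the `medium` grade, and a remote MTA offering none of these suites will be delivered to in plaintext rather than refused. The same applies inbound with `smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`, where a TLS 1.0/1.1-only sender downgrades to cleartext under `smtpd_tls_security_level = may`; that is the intended intermediate trade-off, but it is worth stating beside those lines, e.g. `# opportunistic TLS on both sides: peers without TLS 1.2 / these suites fall back to plaintext, they are not rejected`. The `# curl https://ssl-config.mozilla.org/ffdhe2048.txt` and `# smtpd_tls_dh1024_param_file` lines are left as commented-out placeholders without saying that Postfix's built-in DH group is relied on for the DHE-RSA suites instead; either a one-line note to that effect or dropping them would stop them reading as an unfinished step. `smtp_tls_exclude_ciphers` and `smtp_tls_mandatory_ciphers` each appear twice in this rendering (the `$smtpd_…` references and the literal values), so which assignment survives on the new side cannot be confirmed from here.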