diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2015-05-14 23:14:25 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:53:28 +0200 |
| commit | f7c8011b39044a69daa091ef2c0f7a7aefacb663 (patch) | |
| tree | 7d6c1a772a33a895a00011c69147b8178529e134 /roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | |
| parent | 166804e99e33c8ec5760e88ba1f52d4fc301334c (diff) | |
Upgrade Dovecot config to Jessie.
Diffstat (limited to 'roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf')
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index 526da9c..90843b2 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -9,42 +9,50 @@ ssl = required # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem ssl_key = </etc/dovecot/ssl/imap.fripost.org.key # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often # world-readable, you may want to place this setting instead to a different # root owned 0600 file by using ssl_key_password = <path. #ssl_key_password = # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) #ssl_ca = # Require that CRL check succeeds for client certificates. #ssl_require_crl = yes +# Directory and/or file for trusted SSL CA certificates. These are used only +# when Dovecot needs to act as an SSL client (e.g. imapc backend). The +# directory is usually /etc/ssl/certs in Debian-based systems and the file is +# /etc/pki/tls/cert.pem in RedHat-based systems. +#ssl_client_ca_dir = +#ssl_client_ca_file = + # Request client to send a certificate. If you also want to require it, set # auth_ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no # Which field from certificate to use for username. commonName and # x500UniqueIdentifier are the usual choices. You'll also need to set # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName -# How often to regenerate the SSL parameters file. Generation is quite CPU -# intensive operation. The value is in hours, 0 disables regeneration -# entirely. -#ssl_parameters_regenerate = 168 +# DH parameters length to use. +#ssl_dh_parameters_length = 1024 # SSL protocols to use ssl_protocols = !SSLv2 # SSL ciphers to use ssl_cipher_list = HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH +# Prefer the server's order of ciphers over client's. +#ssl_prefer_server_ciphers = no + # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = |