summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf2
-rw-r--r--roles/common/templates/etc/postfix/master.cf.j24
-rw-r--r--roles/lacme/files/etc/lacme/lacme.conf2
-rw-r--r--roles/webmail/files/etc/stunnel/ldap.conf2
4 files changed, 5 insertions, 5 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 250eec5..209347f 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -49,7 +49,7 @@ ssl_dh_parameters_length = 2048
#ssl_protocols = !SSLv3
# SSL ciphers to use
-ssl_cipher_list = HIGH:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH
+ssl_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index 2c00250..65ca2b6 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -19,10 +19,10 @@ tlsproxy unix - - y - 0 tlsproxy
dnsblog unix - - y - 0 dnsblog
{% elif inst == 'MSA' %}
submission inet n - y - - smtpd
- -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+ -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
submissions inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
- -o tls_high_cipherlist=EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+ -o tls_high_cipherlist=EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
{% if groups.webmail | difference([inventory_hostname]) | length > 0 %}
[{{ postfix_instance.MSA.addr }}]:{{ postfix_instance.MSA.port }} inet n - y - - smtpd
-o broken_sasl_auth_clients=no
diff --git a/roles/lacme/files/etc/lacme/lacme.conf b/roles/lacme/files/etc/lacme/lacme.conf
index 6f1ee4b..b49c87a 100644
--- a/roles/lacme/files/etc/lacme/lacme.conf
+++ b/roles/lacme/files/etc/lacme/lacme.conf
@@ -54,7 +54,7 @@ SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
# Specify the cipher list for the connection.
#
-SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+SSL_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
[webserver]
diff --git a/roles/webmail/files/etc/stunnel/ldap.conf b/roles/webmail/files/etc/stunnel/ldap.conf
index b8c7787..1a60a4f 100644
--- a/roles/webmail/files/etc/stunnel/ldap.conf
+++ b/roles/webmail/files/etc/stunnel/ldap.conf
@@ -43,7 +43,7 @@ options = NO_COMPRESSION
;options = SINGLE_DH_USE
; Select permitted SSL ciphers
-ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-25 15:41:54 +0000