Diffstat (limited to 'roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf')
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf33
1 files changed, 22 insertions, 11 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 209347f..adeb879 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -27,10 +27,11 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
-# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
-# directory is usually /etc/ssl/certs in Debian-based systems and the file is
-# /etc/pki/tls/cert.pem in RedHat-based systems.
-#ssl_client_ca_dir =
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/ssl/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems.
+ssl_client_ca_dir = /etc/ssl/certs
#ssl_client_ca_file =
# Request client to send a certificate. If you also want to require it, set
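Review bot: Enabling `ssl_client_ca_dir = /etc/ssl/certs` supplies a trust store for Dovecot's outbound TLS, but on its own it does not make a failed chain abort a connection; that is decided per client, e.g. `imapc_ssl_verify` for the imapc backend and the submission relay's own verify setting (`submission_relay_ssl_verify`) when the relay is used. The comment above the value describes when the directory is consulted but not which service in this deployment depends on it, so a reader cannot tell whether verification is actually enforced anywhere. A one-line comment such as `# Trust store for outbound TLS (imapc / submission relay); verification is enabled per service, not here.` would make that explicit.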
@@ -42,14 +43,23 @@ ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
-# DH parameters length to use.
-ssl_dh_parameters_length = 2048
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+ssl_dh = </etc/ssl/dhparams.pem
-# SSL protocols to use
-#ssl_protocols = !SSLv3
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
+ssl_min_protocol = TLSv1.2
# SSL ciphers to use
-ssl_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
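Review bot: The comment block above `ssl_dh` tells the operator to generate parameters with `openssl dhparam -out /etc/dovecot/dh.pem 4096`, while the setting reads `</etc/ssl/dhparams.pem`, so following the comment produces a file Dovecot never loads; the comment should name the configured path, e.g. `# Generate new params with: openssl dhparam -out /etc/ssl/dhparams.pem 4096`. Separately, the new explicit `ssl_cipher_list` is written as an ordered preference (AES-128-GCM first, DHE last), but that order is only honoured if `ssl_prefer_server_ciphers = yes`, and the key is left commented at its `no` default directly below, so in practice the client chooses; either set it or note that the order is not enforced. If the OpenSSL build negotiates TLS 1.3, which `ssl_min_protocol = TLSv1.2` still permits, this list presumably does not govern the TLS 1.3 suites (those are configured separately in OpenSSL), which is worth a short comment so nobody expects the list to be exhaustive.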
@@ -58,5 +68,6 @@ ssl_cipher_list = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
-# no_compression - Disable compression.
-ssl_options = no_compression
+# compression - Enable compression.
+# no_ticket - Disable SSL session tickets.
+#ssl_options =
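Review bot: Dropping the explicit `ssl_options = no_compression` relies on compression now being opt-in, which the new comment implies (`compression - Enable compression.`) but the file never states, so a reader comparing against the old config cannot tell whether TLS compression was deliberately left off or forgotten. A comment such as `# TLS compression is disabled unless "compression" is listed here; the former no_compression entry is therefore no longer needed.` above `#ssl_options =` would record the intent. Whether to also list `no_ticket` is a policy choice for this server: session tickets trade forward secrecy of resumed sessions for performance unless ticket keys are rotated, and recording the decision either way in a comment would help the next reviewer. The hunk header counts one more context line than is visible here, so the rendering may have dropped a blank line.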