dovecot: Use Mozilla intermediate ssl settings

2021-03-16 07:30:29 +00:00 · 2021-03-16 07:30:29 +00:00 · 183208afff
commit 183208afff
parent 2f2db828b2
2 changed files with 11 additions and 1 deletions
--- a/roles/dovecot/meta/main.yml
+++ b/roles/dovecot/meta/main.yml
@ -0,0 +1,3 @@
+---
+dependencies:
+  - {role: dhparams}
--- a/roles/dovecot/templates/local.conf.j2
+++ b/roles/dovecot/templates/local.conf.j2
@ -1,8 +1,15 @@
-# ssl settings
+# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.8&config=intermediate&openssl=1.1.1g&guideline=5.6
 ssl = required
+
 ssl_cert = <{{ tls_certs }}/{{ mail_server }}-fullchain.crt
 ssl_key = <{{ tls_private }}/{{ mail_server }}.key

+ssl_dh = <{{ tls_certs }}/ffdhe3072.pem
+
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_prefer_server_ciphers = no
+
 # kerberos
 auth_gssapi_hostname = "$ALL"
 auth_krb5_keytab = /etc/dovecot/dovecot.keytab