From caf6b54774b5fd554b54b1339aaf4cf18fae8ac7 Mon Sep 17 00:00:00 2001
From: Timo Makinen <tmakinen@foo.sh>
Date: Wed, 14 Feb 2024 21:03:35 +0000
Subject: [PATCH] dovecot: Require TLS 1.3

---
 roles/dovecot/templates/local.conf.j2 | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/roles/dovecot/templates/local.conf.j2 b/roles/dovecot/templates/local.conf.j2
index 730072b..51ce026 100644
--- a/roles/dovecot/templates/local.conf.j2
+++ b/roles/dovecot/templates/local.conf.j2
@@ -1,13 +1,11 @@
-# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.8&config=intermediate&openssl=1.1.1g&guideline=5.6
+# generated 2024-02-14, Mozilla Guideline v5.7, Dovecot 2.3.16, OpenSSL 1.1.1, modern configuration
+# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.16&config=modern&openssl=1.1.1&guideline=5.7
 ssl = required
 
 ssl_cert = <{{ tls_certs }}/{{ mail_server }}-fullchain.crt
 ssl_key = <{{ tls_private }}/{{ mail_server }}.key
 
-ssl_dh = <{{ tls_certs }}/ffdhe3072.pem
-
-ssl_min_protocol = TLSv1.2
-ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_min_protocol = TLSv1.3
 ssl_prefer_server_ciphers = no
 
 # kerberos