author | root <root@jones.dk> | 2016-10-25 00:00:54 +0200 |
---|---|---|
committer | root <root@jones.dk> | 2016-10-25 00:01:08 +0200 |
commit | e7e80aeb159ad019ff1829692c3ecf154196cf8c (patch) | |
tree | 61914310d81c3bd4dd4c76961e92848c2cc789dd /dovecot/conf.d/10-ssl.conf.diff | |
parent | 83d7a438bb052e628477afa79c29c1853527ffb5 (diff) |
Add Dovecot-related tweaks.
Diffstat (limited to 'dovecot/conf.d/10-ssl.conf.diff')
-rw-r--r-- | dovecot/conf.d/10-ssl.conf.diff | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/dovecot/conf.d/10-ssl.conf.diff b/dovecot/conf.d/10-ssl.conf.diff
new file mode 100644
index 0000000..56ee9c3
--- /dev/null
+++ b/dovecot/conf.d/10-ssl.conf.diff
@@ -0,0 +1,37 @@
+--- 10-ssl.conf.orig 2014-12-14 20:20:55.000000000 +0100
++++ 10-ssl.conf 2016-08-27 09:43:42.000000000 +0200
+@@ -3,14 +3,14 @@
+ ##
+
+ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+-ssl = no
++ssl = yes
+
+ # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+ # dropping root privileges, so keep the key file unreadable by anyone but
+ # root. Included doc/mkcert.sh can be used to easily generate self-signed
+ # certificate, just make sure to update the domains in dovecot-openssl.cnf
+-#ssl_cert = </etc/dovecot/dovecot.pem
+-#ssl_key = </etc/dovecot/private/dovecot.pem
++ssl_cert = </etc/dovecot/dovecot.pem
++ssl_key = </etc/dovecot/private/dovecot.pem
+
+ # If key file is password protected, give the password here. Alternatively
+ # give it when starting dovecot with -p parameter. Since this file is often
+@@ -46,13 +46,14 @@
+ #ssl_dh_parameters_length = 1024
+
+ # SSL protocols to use
+-#ssl_protocols = !SSLv2
++ssl_protocols = !SSLv2 !SSLv3
+
+ # SSL ciphers to use
+ #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
++ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
+
+ # Prefer the server's order of ciphers over client's.
+-#ssl_prefer_server_ciphers = no
++ssl_prefer_server_ciphers = yes
+
+ # SSL crypto device to use, for valid values run "openssl engine"
+ #ssl_crypto_device = |
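Review bot: `ssl = yes` in the first inner hunk only offers TLS; clients can still connect without it, and whether they can then authenticate in the clear depends on `disable_plaintext_auth`, which is set outside this file. The file's own comment lists `required` as an accepted value, so `ssl = required` would be the stricter setting here. In the second inner hunk the new `ssl_cipher_list` admits `EDH+aRSA` while `#ssl_dh_parameters_length = 1024` stays commented out just above it, so DHE key exchange would presumably run with 1024-bit parameters; uncommenting it as `ssl_dh_parameters_length = 2048` avoids that. The `EECDH+aRSA+RC4` entry is cancelled by the trailing `!RC4` and can be dropped, and a one-line comment above the list saying where the cipher string came from would help whoever has to revise it later.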