mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-12-22 07:17:05 +00:00
add 2048 bits of DH params for nginx, postfix, dovecot
nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own. ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.) see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3
This commit is contained in:
parent
c2eb8e5330
commit
39bca053ed
@ -55,7 +55,7 @@ spdy_headers_comp 0;
|
||||
# openssl dhparam -outform pem -out dhparam2048.pem 2048
|
||||
#
|
||||
# Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
|
||||
#ssl_dhparam /path/to/dhparam2048.pem;
|
||||
ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
|
||||
|
||||
|
||||
# OCSP stapling - means nginx will poll the CA for signed OCSP responses,
|
||||
|
@ -43,10 +43,14 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
|
||||
|
||||
# Enable SSL, specify the location of the SSL certificate and private key files,
|
||||
# and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
|
||||
# Set a higher default Diffie Hellman key size. The default is 1024. Higher than
|
||||
# 2048 takes considerably longer to regenerate, which dovecot does automatically
|
||||
# apparently weekly. See http://wiki2.dovecot.org/SSL/DovecotConfiguration for more.
|
||||
tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
|
||||
ssl=required \
|
||||
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
|
||||
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
|
||||
"ssl_dh_parameters_length=2048" \
|
||||
"ssl_cipher_list=TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH"
|
||||
|
||||
# Disable in-the-clear IMAP and POP because we're paranoid (we haven't even
|
||||
|
@ -69,11 +69,13 @@ cp conf/postfix_outgoing_mail_header_filters /etc/postfix/outgoing_mail_header_f
|
||||
# Enable TLS on these and all other connections (i.e. ports 25 *and* 587) and
|
||||
# require TLS before a user is allowed to authenticate. This also makes
|
||||
# opportunistic TLS available on *incoming* mail.
|
||||
# Set stronger DH parameters, which via openssl tend to default to 1024 bits.
|
||||
tools/editconf.py /etc/postfix/main.cf \
|
||||
smtpd_tls_security_level=may\
|
||||
smtpd_tls_auth_only=yes \
|
||||
smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
|
||||
smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
|
||||
smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
|
||||
smtpd_tls_received_header=yes
|
||||
|
||||
# Prevent non-authenticated users from sending mail that requires being
|
||||
|
@ -43,3 +43,8 @@ if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
|
||||
-in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
|
||||
fi
|
||||
|
||||
# For nginx and postfix, pre-generate some better DH bits. They seem to
|
||||
# each rely on openssl's default of 1024 bits.
|
||||
if [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
|
||||
openssl dhparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048
|
||||
fi
|
||||
|
@ -9,9 +9,11 @@ apt_install nginx php5-fpm
|
||||
|
||||
rm -f /etc/nginx/sites-enabled/default
|
||||
|
||||
# copy in a nginx configuration file for common and best-practices
|
||||
# SSL settings from @konklone
|
||||
cp conf/nginx-ssl.conf /etc/nginx/nginx-ssl.conf
|
||||
# Copy in a nginx configuration file for common and best-practices
|
||||
# SSL settings from @konklone. Replace STORAGE_ROOT so it can find
|
||||
# the DH params.
|
||||
sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
|
||||
conf/nginx-ssl.conf > /etc/nginx/nginx-ssl.conf
|
||||
|
||||
# Fix some nginx defaults.
|
||||
# The server_names_hash_bucket_size seems to prevent long domain names?
|
||||
|
Loading…
Reference in New Issue
Block a user