From 5be322aa04e282b8425b4211576363f09d0e29b4 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Thu, 14 Jul 2016 20:09:48 -0400 Subject: [PATCH 1/2] hardened dovecot, learning postfix now used tips per https://bettercrypto.org/static/applied-crypto-hardening.pdf --- setup/mail-dovecot.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index 2c5533ec..cf2fd142 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh @@ -71,12 +71,17 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \ # Enable SSL, specify the location of the SSL certificate and private key files. # Disable obsolete SSL protocols and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/. +# Updated by Alon "ChiefGyk" Ganon to reflect improvements to SSL here https://bettercrypto.org/static/applied-crypto-hardening.pdf tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ ssl=required \ "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ "ssl_protocols=!SSLv3 !SSLv2" \ - "ssl_cipher_list=TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH" + "ssl_cipher_list= EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH\ +\:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4\ +\:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA" + "ssl_dh_parameters_length = 2048" + "ssl_prefer_server_ciphers = yes" # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit # login credentials outside of an encrypted connection. Only the over-TLS versions From 6f899033e4c4cd958509046b7c67b3d70f786a7c Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Thu, 14 Jul 2016 20:42:20 -0400 Subject: [PATCH 2/2] fixed some spacing and missing TLSv1+HIGH --- setup/mail-dovecot.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index cf2fd142..4764c4ce 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh @@ -77,11 +77,11 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ "ssl_protocols=!SSLv3 !SSLv2" \ - "ssl_cipher_list= EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH\ + "ssl_cipher_list=TLSv1+HIGH:EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH\ \:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4\ \:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA" - "ssl_dh_parameters_length = 2048" - "ssl_prefer_server_ciphers = yes" + "ssl_dh_parameters_length=2048" + "ssl_prefer_server_ciphers=yes" # Disable in-the-clear IMAP/POP because there is no reason for a user to transmit # login credentials outside of an encrypted connection. Only the over-TLS versions