From 87be897d36dcd1b825810239d068eb1eb4979f7a Mon Sep 17 00:00:00 2001
From: KiekerJan
Date: Sun, 1 Aug 2021 21:52:37 +0200
Subject: [PATCH] update DH security to 4096

---
 conf/nginx-ssl.conf | 2 +-
 management/web_update.py | 4 ++--
 setup/mail-dovecot.sh | 11 ++---------
 setup/mail-postfix.sh | 2 +-
 setup/ssl.sh | 10 +++++-----
 setup/system.sh | 2 +-
 6 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/conf/nginx-ssl.conf b/conf/nginx-ssl.conf
index 621973df..3623c5f6 100644
--- a/conf/nginx-ssl.conf
+++ b/conf/nginx-ssl.conf
@@ -2,7 +2,7 @@
 # Note that these settings are repeated in the SMTP and IMAP configuration.
 # ssl_protocols has moved to nginx.conf in bionic, check there for enabled protocols.
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
+ssl_dhparam STORAGE_ROOT/ssl/dh4096.pem;
 
 # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
 ssl_session_cache shared:SSL:50m;
diff --git a/management/web_update.py b/management/web_update.py
index c846f6e0..73ec4157 100644
--- a/management/web_update.py
+++ b/management/web_update.py
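Review bot: Pointing `ssl_dhparam` at `STORAGE_ROOT/ssl/dh4096.pem` makes nginx refuse to load its configuration on every existing installation until that file exists, and this hunk keeps no fallback for the `dh2048.pem` those installations already have. Generating 4096-bit parameters is slow, so the ordering between writing this template and `setup/ssl.sh` (changed in this commit, but outside this hunk) finishing the new file decides whether a reload fails; the setup script should be confirmed to produce `dh4096.pem` before nginx is reloaded, or the old file kept readable until it does. Note also that the `ssl_ciphers` line above still lists two `DHE-RSA-*` suites, so clients that fall back to DHE now pay a 4096-bit exponentiation per handshake, which is a deliberate trade-off worth recording. A comment on the new line such as `# must match the file generated by setup/ssl.sh; nginx will not start if it is missing` would save the next maintainer the search.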
@@ -211,9 +211,9 @@ def make_domain_config(domain, templates, ssl_certificates, env):
 
 # Add the HSTS header.
 if hsts == "yes":
- nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=15768000\" always;\n"
+ nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000\" always;\n"
 elif hsts == "preload":
- nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=15768000; includeSubDomains; preload\" always;\n"
+ nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\n"
 
 # Add in any user customizations in the includes/ folder.
 nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")
diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh
index 63810c50..5482d04f 100755
--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -77,23 +77,16 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
 disable_plaintext_auth=yes \
 "auth_mechanisms=plain login"
 
-# Generate DH parameters. Will take a long time, so only if they don't exist
-if [[ ! -f /etc/dovecot/dh.pem ]]; then
- openssl dhparam -out /etc/dovecot/dh.pem 4096
-fi
-
-chown mail:dovecot /etc/dovecot/dh.pem
-
 # Enable SSL, specify the location of the SSL certificate and private key files.
 # Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.2.33&config=intermediate&openssl-version=1.1.1,
-# except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2.
+# specify a minimum of TLSv1.2.
 tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 ssl=required \
 "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
 "ssl_min_protocol=TLSv1.2" \
 "ssl_prefer_server_ciphers=yes" \
- "ssl_dh=
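Review bot: The new `max-age=31536000` literal is now duplicated across the `if hsts == "yes"` and `elif hsts == "preload"` branches with nothing recording why it changed, so the two values can drift apart again on the next edit. A single named value above the `if` would keep them in step and document the reason, e.g. `hsts_max_age = 31536000  # one year, the minimum hstspreload.org accepts for the preload branch`, with both `add_header` strings built from it. The one-year value is also what browsers will remember if a domain is later misconfigured, which is the usual trade-off for HSTS and worth a short comment where the header is emitted. This hunk is unrelated to the commit subject "update DH security to 4096"; separating it would make the history easier to bisect. `make_domain_config` starts outside the hunk.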