update DH security to 4096
This commit is contained in:
parent
f6450c1cae
commit
87be897d36
|
@ -2,7 +2,7 @@
|
||||||
# Note that these settings are repeated in the SMTP and IMAP configuration.
|
# Note that these settings are repeated in the SMTP and IMAP configuration.
|
||||||
# ssl_protocols has moved to nginx.conf in bionic, check there for enabled protocols.
|
# ssl_protocols has moved to nginx.conf in bionic, check there for enabled protocols.
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
ssl_dhparam STORAGE_ROOT/ssl/dh2048.pem;
|
ssl_dhparam STORAGE_ROOT/ssl/dh4096.pem;
|
||||||
|
|
||||||
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
|
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
|
||||||
ssl_session_cache shared:SSL:50m;
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
|
|
@ -211,9 +211,9 @@ def make_domain_config(domain, templates, ssl_certificates, env):
|
||||||
|
|
||||||
# Add the HSTS header.
|
# Add the HSTS header.
|
||||||
if hsts == "yes":
|
if hsts == "yes":
|
||||||
nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=15768000\" always;\n"
|
nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000\" always;\n"
|
||||||
elif hsts == "preload":
|
elif hsts == "preload":
|
||||||
nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=15768000; includeSubDomains; preload\" always;\n"
|
nginx_conf_extra += "\tadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\n"
|
||||||
|
|
||||||
# Add in any user customizations in the includes/ folder.
|
# Add in any user customizations in the includes/ folder.
|
||||||
nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")
|
nginx_conf_custom_include = os.path.join(env["STORAGE_ROOT"], "www", safe_domain_name(domain) + ".conf")
|
||||||
|
|
|
@ -77,23 +77,16 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
|
||||||
disable_plaintext_auth=yes \
|
disable_plaintext_auth=yes \
|
||||||
"auth_mechanisms=plain login"
|
"auth_mechanisms=plain login"
|
||||||
|
|
||||||
# Generate DH parameters. Will take a long time, so only if they don't exist
|
|
||||||
if [[ ! -f /etc/dovecot/dh.pem ]]; then
|
|
||||||
openssl dhparam -out /etc/dovecot/dh.pem 4096
|
|
||||||
fi
|
|
||||||
|
|
||||||
chown mail:dovecot /etc/dovecot/dh.pem
|
|
||||||
|
|
||||||
# Enable SSL, specify the location of the SSL certificate and private key files.
|
# Enable SSL, specify the location of the SSL certificate and private key files.
|
||||||
# Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.2.33&config=intermediate&openssl-version=1.1.1,
|
# Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.2.33&config=intermediate&openssl-version=1.1.1,
|
||||||
# except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2.
|
# specify a minimum of TLSv1.2.
|
||||||
tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
|
tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
|
||||||
ssl=required \
|
ssl=required \
|
||||||
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
|
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
|
||||||
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
|
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
|
||||||
"ssl_min_protocol=TLSv1.2" \
|
"ssl_min_protocol=TLSv1.2" \
|
||||||
"ssl_prefer_server_ciphers=yes" \
|
"ssl_prefer_server_ciphers=yes" \
|
||||||
"ssl_dh=</etc/dovecot/dh.pem"
|
"ssl_dh=<$STORAGE_ROOT/ssl/dh4096.pem"
|
||||||
|
|
||||||
# Disable in-the-clear IMAP/POP because there is no reason for a user to transmit
|
# Disable in-the-clear IMAP/POP because there is no reason for a user to transmit
|
||||||
# login credentials outside of an encrypted connection. Only the over-TLS versions
|
# login credentials outside of an encrypted connection. Only the over-TLS versions
|
||||||
|
|
|
@ -128,7 +128,7 @@ tools/editconf.py /etc/postfix/main.cf \
|
||||||
smtpd_tls_auth_only=yes \
|
smtpd_tls_auth_only=yes \
|
||||||
smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
|
smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
|
||||||
smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
|
smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
|
||||||
smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh2048.pem \
|
smtpd_tls_dh1024_param_file=$STORAGE_ROOT/ssl/dh4096.pem \
|
||||||
smtpd_tls_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
|
smtpd_tls_protocols="!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
|
||||||
smtpd_tls_ciphers=medium \
|
smtpd_tls_ciphers=medium \
|
||||||
tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \
|
tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \
|
||||||
|
|
10
setup/ssl.sh
10
setup/ssl.sh
|
@ -28,7 +28,7 @@ source /etc/mailinabox.conf # load global vars
|
||||||
if [ ! -f /usr/bin/openssl ] \
|
if [ ! -f /usr/bin/openssl ] \
|
||||||
|| [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ] \
|
|| [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ] \
|
||||||
|| [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ] \
|
|| [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ] \
|
||||||
|| [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
|
|| [ ! -f $STORAGE_ROOT/ssl/dh4096.pem ]; then
|
||||||
echo "Creating initial SSL certificate and perfect forward secrecy Diffie-Hellman parameters..."
|
echo "Creating initial SSL certificate and perfect forward secrecy Diffie-Hellman parameters..."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -63,7 +63,7 @@ mkdir -p $STORAGE_ROOT/ssl
|
||||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then
|
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then
|
||||||
# Set the umask so the key file is never world-readable.
|
# Set the umask so the key file is never world-readable.
|
||||||
(umask 077; hide_output \
|
(umask 077; hide_output \
|
||||||
openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
|
openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 4096)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Generate a self-signed SSL certificate because things like nginx, dovecot,
|
# Generate a self-signed SSL certificate because things like nginx, dovecot,
|
||||||
|
@ -92,7 +92,7 @@ fi
|
||||||
|
|
||||||
# Generate some Diffie-Hellman cipher bits.
|
# Generate some Diffie-Hellman cipher bits.
|
||||||
# openssl's default bit length for this is 1024 bits, but we'll create
|
# openssl's default bit length for this is 1024 bits, but we'll create
|
||||||
# 2048 bits of bits per the latest recommendations.
|
# 4096 bits of bits per the latest recommendations.
|
||||||
if [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
|
if [ ! -f $STORAGE_ROOT/ssl/dh4096.pem ]; then
|
||||||
openssl dhparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048
|
openssl dhparam -out $STORAGE_ROOT/ssl/dh4096.pem 4096
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -359,7 +359,7 @@ cp -f conf/fail2ban/jail.d/* /etc/fail2ban/jail.d/
|
||||||
# If SSH port is not default, add the not default to the ssh jail
|
# If SSH port is not default, add the not default to the ssh jail
|
||||||
if [ ! -z "$SSH_PORT" ]; then
|
if [ ! -z "$SSH_PORT" ]; then
|
||||||
# create backup copy
|
# create backup copy
|
||||||
cp -f /etc/fail2ban/jail.conf jail.conf.miab_old
|
cp -f /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.miab_old
|
||||||
|
|
||||||
if [ "$SSH_PORT" != "22" ]; then
|
if [ "$SSH_PORT" != "22" ]; then
|
||||||
# Add alternative SSH port
|
# Add alternative SSH port
|
||||||
|
|
Loading…
Reference in New Issue