From f6450c1cae4d54385b88d6d99b83fdf36bb34181 Mon Sep 17 00:00:00 2001 From: KiekerJan Date: Sat, 31 Jul 2021 21:43:25 +0200 Subject: [PATCH] update obsolete settings --- setup/mail-dovecot.sh | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index b50e28d5..63810c50 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh @@ -77,6 +77,13 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \ disable_plaintext_auth=yes \ "auth_mechanisms=plain login" +# Generate DH parameters. Will take a long time, so only if they don't exist +if [[ ! -f /etc/dovecot/dh.pem ]]; then + openssl dhparam -out /etc/dovecot/dh.pem 4096 +fi + +chown mail:dovecot /etc/dovecot/dh.pem + # Enable SSL, specify the location of the SSL certificate and private key files. # Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.2.33&config=intermediate&openssl-version=1.1.1, # except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2. @@ -84,10 +91,9 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ ssl=required \ "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ - "ssl_protocols=TLSv1.2" \ - "ssl_cipher_list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \ - "ssl_prefer_server_ciphers=no" \ - "ssl_dh_parameters_length=2048" + "ssl_min_protocol=TLSv1.2" \ + "ssl_prefer_server_ciphers=yes" \ + "ssl_dh=