From 2a222df7784e85f13a477c3859ca10709734c199 Mon Sep 17 00:00:00 2001
From: Jon Lockwood
Date: Sat, 19 Feb 2022 10:41:53 +0930
Subject: [PATCH] feat(ssl_tls): updated dovecot and postfix accepted ciphers

used https://ssl-config.mozilla.org/ to generate recommended ciphers config for dovecot and postfix. postfix set to use medium ciphers due to possibility of smtp servers not being updated to latest. MR !9
---
 dockerfile | 4 +++-
 include/etc/dovecot/conf.d/10-ssl.conf | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/dockerfile b/dockerfile
index 3526e3d..44950c2 100644
--- a/dockerfile
+++ b/dockerfile
@@ -193,10 +193,12 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
 && postconf -e "smtpd_delay_reject = yes" \
 && postconf -e "disable_vrfy_command = yes" \
 # use secure protocols and cyphers
+ # Generated by https://ssl-config.mozilla.org/
+ #&& postconf -e "smtpd_tls_mandatory_ciphers=high" \
 && postconf -e "smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
 && postconf -e "smtp_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
- && postconf -e "smtpd_tls_mandatory_ciphers=high" \
 && postconf -e "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
+ && postconf -e "tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
 # SPF postfix Settings
 && postconf -e "policyd-spf_time_limit=3600" \
 # Connection defaults to reject where possible/advised
diff --git a/include/etc/dovecot/conf.d/10-ssl.conf b/include/etc/dovecot/conf.d/10-ssl.conf
index 2d9812d..9a74efe 100644
--- a/include/etc/dovecot/conf.d/10-ssl.conf
+++ b/include/etc/dovecot/conf.d/10-ssl.conf
@@ -15,3 +15,6 @@ ssl_dh =
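Review bot: Removing the live `smtpd_tls_mandatory_ciphers=high` line and keeping it only as commented-out code leaves the mandatory cipher grade implicit (Postfix's default, to my knowledge, is `medium`), and the new `tls_medium_cipherlist` line then redefines `medium` for every setting that uses that grade, including the opportunistic `smtpd_tls_ciphers` and the outbound `smtp_tls_ciphers`, not only the mandatory-TLS case the commit message describes. The list itself is eight forward-secret AEAD suites (ECDHE/DHE with GCM or CHACHA20-POLY1305), so the "medium for peers that are not up to date" rationale is not what the configuration does: peers lacking those suites fail the handshake, and if the server's TLS security level is `may` (not visible in this hunk) they will fall back to plaintext rather than a weaker cipher. If the Mozilla profile is the intent, make the grade explicit and drop the dead line: `&& postconf -e "smtpd_tls_mandatory_ciphers=medium" \`. Note also that, per the Postfix documentation as I read it, TLS 1.3 ciphersuites are not selected by these cipherlist parameters, so the list constrains TLS 1.2 peers only. The `RUN` instruction this hunk belongs to begins and ends outside the hunk.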