feat(ssl_tls): updated dovecot and postfix accepted ciphers

used https://ssl-config.mozilla.org/ to generate recommended ciphers config for dovecot and postfix. postfix set to use medium ciphers due to possibility of smtp servers not being updated to latest. MR !9
2022-02-19 10:41:53 +09:30
parent 3741b92606
commit 2a222df778
2 changed files with 6 additions and 1 deletions
--- a/4
+++ b/4
@ -193,10 +193,12 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
  && postconf -e "smtpd_delay_reject = yes" \
  && postconf -e "disable_vrfy_command = yes" \
  # use secure protocols and cyphers
+  # Generated by https://ssl-config.mozilla.org/
+  #&& postconf -e "smtpd_tls_mandatory_ciphers=high" \
  && postconf -e "smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
  && postconf -e "smtp_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
-  && postconf -e "smtpd_tls_mandatory_ciphers=high" \
  && postconf -e "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
+  && postconf -e "tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" \
     # SPF postfix Settings
  && postconf -e "policyd-spf_time_limit=3600" \
    # Connection defaults to reject where possible/advised
--- a/include/etc/dovecot/conf.d/10-ssl.conf
+++ b/include/etc/dovecot/conf.d/10-ssl.conf
@ -15,3 +15,6 @@ ssl_dh = </certs/dovecot/dh.pem
 ssl_cert = </certs/dovecot/cert.pem
 ssl_key = </certs/dovecot/key.pem

+# Generated by https://ssl-config.mozilla.org/ 
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384