Allow clients to choose own ciphers

This changes a previously updated default in Dovecot and Postfix, as it resulted in too many issues in older clients.
2024-09-21 05:30:45 +00:00 · 2023-10-30 22:16:00 +00:00 · 2023-10-30 22:16:00 +00:00 · 5163fd4da0
commit 5163fd4da0
parent 9aec143bbd
2 changed files with 2 additions and 2 deletions
--- a/service/dovecot/container/config/dovecot.conf.template
+++ b/service/dovecot/container/config/dovecot.conf.template
@ -80,7 +80,7 @@ protocols = imap
 ssl = yes
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-ssl_prefer_server_ciphers = yes
+ssl_prefer_server_ciphers = no

 ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}.crt
 ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}.key
--- a/service/postfix/container/config/main.cf.template
+++ b/service/postfix/container/config/main.cf.template
@ -199,7 +199,7 @@ smtpd_tls_loglevel = 1
 # Other TLS configuration parameters.
 tls_random_source = dev:/dev/urandom
 tls_ssl_options = no_ticket, no_compression
-tls_preempt_cipherlist = yes
+tls_preempt_cipherlist = no

 # Certificate file location.
 smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt