From a5ce4675d5d93f1105aef77ed2d584d7c4e7e4a6 Mon Sep 17 00:00:00 2001
From: Alex Palaistras
Date: Sat, 21 Oct 2023 17:19:35 +0100
Subject: [PATCH] Improve TLS security for Dovecot and Postfix

---
 service/coturn/Containerfile | 2 +-
 service/dovecot/container/config/dovecot.conf.template | 2 +-
 service/postfix/container/config/main.cf.template | 5 ++++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/service/coturn/Containerfile b/service/coturn/Containerfile
index aeb0c05..f38b08d 100644
--- a/service/coturn/Containerfile
+++ b/service/coturn/Containerfile
@@ -1,4 +1,4 @@
-FROM debian:bookworm-slim
+FROM docker.io/debian:bookworm-slim
 ARG VERSION=4.6.1
 RUN apt-get update -y && apt-get upgrade -y && \
diff --git a/service/dovecot/container/config/dovecot.conf.template b/service/dovecot/container/config/dovecot.conf.template
index 62b8665..7898f2c 100644
--- a/service/dovecot/container/config/dovecot.conf.template
+++ b/service/dovecot/container/config/dovecot.conf.template
@@ -80,7 +80,7 @@ protocols = imap
 ssl = yes
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-ssl_prefer_server_ciphers = no
+ssl_prefer_server_ciphers = yes
 ssl_cert = =TLSv1.2
 smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_exclude_ciphers = aNULL
+smtpd_tls_protocols = >=TLSv1.2
 smtpd_tls_auth_only = yes
 smtpd_helo_required = yes
 smtpd_tls_received_header = yes
@@ -196,6 +198,7 @@ smtpd_tls_loglevel = 1
 # Other TLS configuration parameters.
 tls_random_source = dev:/dev/urandom
 tls_ssl_options = no_ticket, no_compression
+tls_preempt_cipherlist = yes

 # Certificate file location.
 smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt
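Review bot: The new `FROM docker.io/debian:bookworm-slim` line still selects the base image by a mutable tag, so qualifying the registry fixes where the image is fetched from but not which image content the build gets; a later push to the `bookworm-slim` tag changes every rebuild silently. Pin the digest next to the tag, `FROM docker.io/debian:bookworm-slim@sha256:<digest of the intended image>`, and bump it deliberately when the base is refreshed. The `RUN apt-get update ...` instruction on the hunk's last line continues with a backslash past the end of the hunk, so whatever it installs could not be reviewed here.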
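Review bot: `tls_preempt_cipherlist = yes` on the added line in the `@@ -196,6 +198,7 @@` hunk only matters to the extent the server's own cipher order is deliberate, and nothing in this patch sets `tls_high_cipherlist`, so the order Postfix now imposes on clients is the OpenSSL library default for the `high` grade rather than the explicit list the patch configures for Dovecot. If the intent is for Postfix to prefer the same ECDHE/AEAD suites, set `tls_high_cipherlist` to that list alongside this line; if the library default is acceptable, say so above the new line, e.g. `# Server cipher order wins; it is OpenSSL's default order for the 'high' grade unless tls_high_cipherlist is set.`. Postfix's documentation for this parameter warns that server preference can select a suite a client lists but implements poorly, which is a larger concern for opportunistic inbound SMTP than for IMAP, so a sentence on that trade-off in the commit message would help. The `main.cf.template` file header and the start of its first hunk are lost from this extract, so the change that leaves only the `=TLSv1.2` fragment before `smtpd_tls_mandatory_ciphers` could not be reviewed.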