Improve TLS security for Dovecot and Postfix

This commit is contained in:
Alex Palaistras 2023-10-21 17:19:35 +01:00
parent 71214e94a6
commit a5ce4675d5
3 changed files with 6 additions and 3 deletions


@ -1,4 +1,4 @@
FROM debian:bookworm-slim FROM docker.io/debian:bookworm-slim
ARG VERSION=4.6.1 ARG VERSION=4.6.1
RUN apt-get update -y && apt-get upgrade -y && \ RUN apt-get update -y && apt-get upgrade -y && \
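Review bot: `FROM docker.io/debian:bookworm-slim` still resolves a floating tag, so two builds of this file can start from different base layers and the hardening in this commit is not reproducible; pin the digest alongside the tag, e.g. `FROM docker.io/debian:bookworm-slim@sha256:<BASE_IMAGE_DIGEST>` (placeholder — take the value from the registry when pinning). The `RUN apt-get update -y && apt-get upgrade -y` instruction continues outside the hunk; once the base is digest-pinned, the blanket `upgrade` is what re-introduces drift between builds, so the usual pattern is to bump the digest instead and keep `upgrade` out of the image. A one-line comment above the `FROM` recording the date or reason for the pin makes later bumps easier to review.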


@ -80,7 +80,7 @@ protocols = imap
ssl = yes ssl = yes
ssl_min_protocol = TLSv1.2 ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no ssl_prefer_server_ciphers = yes
ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}.crt ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}.crt
ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}.key ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}.key
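Review bot: The two `DHE-RSA-*` entries at the end of `ssl_cipher_list` are only negotiable when `ssl_dh` points at a DH parameter file; that setting is outside this hunk, and if it is not present elsewhere in the config those entries are dead (Dovecot 2.3 logs an error when a DHE suite is attempted without it — confirm against the running version). Either add `ssl_dh = </path/to/dh.pem` (path is a placeholder) or trim the list to the ECDHE suites that make up the rest of it. Since this commit flips `ssl_prefer_server_ciphers` to `yes`, the order of that list is now what the server enforces, and a comment such as `# Server-side ordering: the first mutually supported suite in ssl_cipher_list wins.` above it would record that intent. Note that with an OpenSSL backend `ssl_cipher_list` governs TLS 1.2 and below only; TLS 1.3 suites come from the library defaults, which is acceptable but worth stating in the same comment.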


@ -185,8 +185,10 @@ smtp_tls_note_starttls_offer = yes
# TLS configuration parameters for incoming connections. # TLS configuration parameters for incoming connections.
smtpd_tls_security_level = may smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_auth_only = yes smtpd_tls_auth_only = yes
smtpd_helo_required = yes smtpd_helo_required = yes
smtpd_tls_received_header = yes smtpd_tls_received_header = yes
@ -196,6 +198,7 @@ smtpd_tls_loglevel = 1
# Other TLS configuration parameters. # Other TLS configuration parameters.
tls_random_source = dev:/dev/urandom tls_random_source = dev:/dev/urandom
tls_ssl_options = no_ticket, no_compression tls_ssl_options = no_ticket, no_compression
tls_preempt_cipherlist = yes
# Certificate file location. # Certificate file location.
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt
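Review bot: In the first hunk, `smtpd_tls_mandatory_exclude_ciphers = aNULL` only applies to listeners running at a mandatory security level, and this file sets `smtpd_tls_security_level = may`, so the port-25 smtpd is not affected by it; it will only bite on a submission service if master.cf (outside this view) overrides the level there. If the opportunistic listener was also meant to be covered, the corresponding parameter is `smtpd_tls_exclude_ciphers = aNULL` — but on an opportunistic listener a failed handshake falls back to cleartext, so Postfix's own guidance is to keep restrictions there mild (that includes the new `smtpd_tls_protocols = >=TLSv1.2`) and confine strict settings to the `*_mandatory_*` parameters. A comment above these lines naming which listener each parameter governs would make that split explicit. Separately, the `>=TLSv1.2` range syntax used in both `smtpd_tls_mandatory_protocols` and `smtpd_tls_protocols` is accepted from Postfix 3.6 onward; the Debian bookworm base in this commit ships a newer release, but confirm that is the image actually running Postfix.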