Improve TLS security for Dovecot and Postfix
This commit is contained in:
parent
71214e94a6
commit
a5ce4675d5
@ -1,4 +1,4 @@
|
|||||||
FROM debian:bookworm-slim
|
FROM docker.io/debian:bookworm-slim
|
||||||
ARG VERSION=4.6.1
|
ARG VERSION=4.6.1
|
||||||
|
|
||||||
RUN apt-get update -y && apt-get upgrade -y && \
|
RUN apt-get update -y && apt-get upgrade -y && \
|
||||||
|
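Review bot: The new `FROM docker.io/debian:bookworm-slim` line still tracks a floating tag, so two builds of this commit can resolve to different base layers; for a host that terminates TLS for mail, pinning the digest as well (`FROM docker.io/debian:bookworm-slim@sha256:…`) makes the base reproducible and lets the digest bump be reviewed like any other dependency change. The `RUN apt-get update -y && apt-get upgrade -y && \` chain that follows continues outside this hunk, so I cannot see whether package versions are pinned or the apt lists are cleaned in the same layer.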
@ -80,7 +80,7 @@ protocols = imap
|
|||||||
ssl = yes
|
ssl = yes
|
||||||
ssl_min_protocol = TLSv1.2
|
ssl_min_protocol = TLSv1.2
|
||||||
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
ssl_prefer_server_ciphers = no
|
ssl_prefer_server_ciphers = yes
|
||||||
|
|
||||||
ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}.crt
|
ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}.crt
|
||||||
ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}.key
|
ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}.key
|
||||||
|
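Review bot: Flipping `ssl_prefer_server_ciphers` to `yes` does not tighten anything here, because every suite in `ssl_cipher_list` is already an ECDHE/DHE AEAD suite, so whichever side chooses, the result is forward-secret and authenticated; the visible list appears to be Mozilla's "intermediate" profile verbatim, which deliberately pairs it with `no` so clients without AES hardware can pick ChaCha20-Poly1305. If server preference is wanted anyway, a comment such as `# Server-side ordering forced so AES-GCM is chosen before ChaCha20 where both are offered` would record the trade-off. Note also that `ssl_cipher_list` only governs TLS 1.2 suites; TLS 1.3 ciphersuites are configured separately (`ssl_cipher_suites` in recent Dovecot releases, if I recall the option correctly), and the DHE entries need an `ssl_dh` file configured elsewhere, which this hunk does not show.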
@ -185,8 +185,10 @@ smtp_tls_note_starttls_offer = yes
|
|||||||
|
|
||||||
# TLS configuration parameters for incoming connections.
|
# TLS configuration parameters for incoming connections.
|
||||||
smtpd_tls_security_level = may
|
smtpd_tls_security_level = may
|
||||||
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
|
smtpd_tls_mandatory_protocols = >=TLSv1.2
|
||||||
smtpd_tls_mandatory_ciphers = high
|
smtpd_tls_mandatory_ciphers = high
|
||||||
|
smtpd_tls_mandatory_exclude_ciphers = aNULL
|
||||||
|
smtpd_tls_protocols = >=TLSv1.2
|
||||||
smtpd_tls_auth_only = yes
|
smtpd_tls_auth_only = yes
|
||||||
smtpd_helo_required = yes
|
smtpd_helo_required = yes
|
||||||
smtpd_tls_received_header = yes
|
smtpd_tls_received_header = yes
|
||||||
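Review bot: With `smtpd_tls_security_level = may` the `smtpd_tls_mandatory_protocols` and new `smtpd_tls_mandatory_exclude_ciphers = aNULL` lines do not apply to the connections this block configures, because the `smtpd_tls_mandatory_*` parameters only take effect at security level `encrypt` or stronger; on opportunistic connections the governing knobs are `smtpd_tls_protocols` (the other new line) and `smtpd_tls_ciphers`, which is left at its default. If a submission service in master.cf overrides the level to `encrypt`, the mandatory settings do apply there, but that file is not in this diff. Restricting `smtpd_tls_protocols` to `>=TLSv1.2` on port 25 is a real trade-off: a legacy sender that only speaks TLS 1.0/1.1 will fall back to cleartext rather than fail, so a comment such as `# TLS 1.0/1.1 senders fall back to plaintext on port 25; accepted for this host` would make that explicit. The `>=TLSv1.2` syntax also requires Postfix 3.6 or newer; Debian bookworm's package qualifies, but the install step is not visible here.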
@ -196,6 +198,7 @@ smtpd_tls_loglevel = 1
|
|||||||
# Other TLS configuration parameters.
|
# Other TLS configuration parameters.
|
||||||
tls_random_source = dev:/dev/urandom
|
tls_random_source = dev:/dev/urandom
|
||||||
tls_ssl_options = no_ticket, no_compression
|
tls_ssl_options = no_ticket, no_compression
|
||||||
|
tls_preempt_cipherlist = yes
|
||||||
|
|
||||||
# Certificate file location.
|
# Certificate file location.
|
||||||
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt
|
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt
|
||||||
|
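Review bot: `tls_preempt_cipherlist = yes` is a setting Postfix's own documentation advises against for opportunistic TLS, since a server-chosen suite that a peer lists but implements poorly fails the handshake and the fallback is cleartext, and it only changes anything if Postfix's cipherlist ordering (`tls_high_cipherlist`, `tls_medium_cipherlist`) has been tuned, which this diff does not show. If the intent is to keep it, a one-line rationale would help the next maintainer, e.g. `# Server cipher preference enabled to pin AEAD suites first; revert if legacy senders drop to plaintext`. The surrounding `tls_ssl_options` and certificate lines are unchanged context.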