Loading conf.d/10-ssl.conf +26 −40 Original line number Diff line number Diff line Loading 
@@ -2,29 +2,36 @@ ## SSL settings ## # SSL/TLS upport: yes, no, required. <doc/wiki/SSL.txt> # SSL/TLS support: yes, no, required. <https://doc.dovecot.org/latest/core/config/ssl.html> ssl = required # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf # PEM encoded X.509 SSL/TLS certificate and private key. By default, Debian # installs a self-signed certificate. This is useful for testing, but you # should obtain a real certificate from a recognized certificate authority. # # These files are opened before dropping root privileges, so keep the key file # unreadable by anyone but root. Included /usr/share/dovecot/mkcert.sh can be # used to easily generate self-signed certificate, just make sure to update the # domains in dovecot-openssl.cnf # # Preferred permissions: root:root 0444 ssl_server_cert_file = /etc/letsencrypt/archive/yourdomain.com/cert.pem # Preferred permissions: root:root 0400 ssl_server_key_file = /etc/letsencrypt/archive/yourdomain.com/privkey.pem # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often # world-readable, you may want to place this setting instead to a different # root owned 0600 file by using ssl_key_password = <path. #ssl_key_password = #ssl_server_key_password = # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) #ssl_ca = # ssl_request_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. 
ssl_server_ca_file = /etc/ssl/certs/ca.pem) #ssl_server_ca_file = # Require that CRL check succeeds for client certificates. #ssl_require_crl = yes #ssl_server_require_crl = yes # Directory and/or file for trusted SSL CA certificates. These are used only # when Dovecot needs to act as an SSL client (e.g. imapc backend or Loading 
@@ -41,43 +48,22 @@ ssl_client_ca_dir = /etc/ssl/certs # Request client to send a certificate. If you also want to require it, set # auth_ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no #ssl_server_request_client_cert = no # Which field from certificate to use for username. commonName and # x500UniqueIdentifier are the usual choices. You'll also need to set # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName #ssl_server_cert_username_field = commonName # SSL DH parameters # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` # Or migrate from old ssl-parameters.dat file with the command dovecot # gives on startup when ssl_dh is unset. ssl_server_dh_file = /usr/share/dovecot/dh.pem # Minimum SSL protocol version to use. Potentially recognized values are SSLv3, # TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used. # # Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol # version, and LATEST matches with the latest version supported by library. # SSL protocols to use. Debian systems specify TLSv1.2 by default, which should # be reasonbly secure and compatible with existing clients. # ssl_min_protocol = TLSv1.2 # Diffie-Hellman parameters are no longer required and should be phased out. # They do not work with ECDH(E) and require DH(E) ciphers. ssl_server_dh_file = /usr/share/dovecot/dh.pem # SSL ciphers to use, the default is: # SSL ciphers to use ssl_cipher_list = ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:DH+AES256:!aNULL:!MD5:!DSS:!eNULL:!ADH:!EXP:!LOW:!PSK:!SRP:!RC4 # To disable non-EC DH, use: #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # Colon separated list of elliptic curves to use. Empty value (the default) # means use the defaults from the SSL library. P-521:P-384:P-256 would be an # example of a valid value. 
#ssl_curve_list = # Prefer the server's order of ciphers over client's. #ssl_prefer_server_ciphers = yes # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = # SSL extra options. Currently supported options are: # compression - Enable compression. # no_ticket - Disable SSL session tickets. #ssl_options = #ssl_crypto_device = /dev/crypto Loading
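Review bot: The new comment above `ssl_server_dh_file` in the second hunk says Diffie-Hellman parameters should be phased out, yet the unchanged `ssl_cipher_list` in the same hunk still lists `DH+AESGCM256` and `DH+AES256`, the DHE suites that need that file, so the comment and the active configuration contradict each other; either drop the `DH+…` entries from `ssl_cipher_list` or reword the comment to say the file is still needed while those suites remain. If `ssl_min_protocol = TLSv1.2` is now a comment line rather than an active setting (the rendered hunk does not make that line break certain), the protocol floor falls back to whatever the library default is and the preceding comment should state that; keeping the setting explicit is the safer choice. The same new comment carries the typo `reasonbly`. In the first hunk the renamed key `ssl_server_key_password` sits under an unchanged comment that still says `ssl_key_password = <path`, and the new CA comment refers to `ssl_request_client_cert=yes` while the second hunk renames the setting to `ssl_server_request_client_cert`; the comments should use the names the file actually defines. The second hunk's end is followed by a "Loading" placeholder, so lines after `#ssl_crypto_device = /dev/crypto` are not visible here.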
conf.d/10-ssl.conf +26 −40 Original line number Diff line number Diff line Loading 
@@ -2,29 +2,36 @@ ## SSL settings ## # SSL/TLS upport: yes, no, required. <doc/wiki/SSL.txt> # SSL/TLS support: yes, no, required. <https://doc.dovecot.org/latest/core/config/ssl.html> ssl = required # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf # PEM encoded X.509 SSL/TLS certificate and private key. By default, Debian # installs a self-signed certificate. This is useful for testing, but you # should obtain a real certificate from a recognized certificate authority. # # These files are opened before dropping root privileges, so keep the key file # unreadable by anyone but root. Included /usr/share/dovecot/mkcert.sh can be # used to easily generate self-signed certificate, just make sure to update the # domains in dovecot-openssl.cnf # # Preferred permissions: root:root 0444 ssl_server_cert_file = /etc/letsencrypt/archive/yourdomain.com/cert.pem # Preferred permissions: root:root 0400 ssl_server_key_file = /etc/letsencrypt/archive/yourdomain.com/privkey.pem # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often # world-readable, you may want to place this setting instead to a different # root owned 0600 file by using ssl_key_password = <path. #ssl_key_password = #ssl_server_key_password = # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) #ssl_ca = # ssl_request_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. 
ssl_server_ca_file = /etc/ssl/certs/ca.pem) #ssl_server_ca_file = # Require that CRL check succeeds for client certificates. #ssl_require_crl = yes #ssl_server_require_crl = yes # Directory and/or file for trusted SSL CA certificates. These are used only # when Dovecot needs to act as an SSL client (e.g. imapc backend or Loading 
@@ -41,43 +48,22 @@ ssl_client_ca_dir = /etc/ssl/certs # Request client to send a certificate. If you also want to require it, set # auth_ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no #ssl_server_request_client_cert = no # Which field from certificate to use for username. commonName and # x500UniqueIdentifier are the usual choices. You'll also need to set # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName #ssl_server_cert_username_field = commonName # SSL DH parameters # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` # Or migrate from old ssl-parameters.dat file with the command dovecot # gives on startup when ssl_dh is unset. ssl_server_dh_file = /usr/share/dovecot/dh.pem # Minimum SSL protocol version to use. Potentially recognized values are SSLv3, # TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used. # # Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol # version, and LATEST matches with the latest version supported by library. # SSL protocols to use. Debian systems specify TLSv1.2 by default, which should # be reasonbly secure and compatible with existing clients. # ssl_min_protocol = TLSv1.2 # Diffie-Hellman parameters are no longer required and should be phased out. # They do not work with ECDH(E) and require DH(E) ciphers. ssl_server_dh_file = /usr/share/dovecot/dh.pem # SSL ciphers to use, the default is: # SSL ciphers to use ssl_cipher_list = ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:DH+AES256:!aNULL:!MD5:!DSS:!eNULL:!ADH:!EXP:!LOW:!PSK:!SRP:!RC4 # To disable non-EC DH, use: #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # Colon separated list of elliptic curves to use. Empty value (the default) # means use the defaults from the SSL library. P-521:P-384:P-256 would be an # example of a valid value. 
#ssl_curve_list = # Prefer the server's order of ciphers over client's. #ssl_prefer_server_ciphers = yes # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = # SSL extra options. Currently supported options are: # compression - Enable compression. # no_ticket - Disable SSL session tickets. #ssl_options = #ssl_crypto_device = /dev/crypto