2021-12-16 09:56:12 +01:00
|
|
|
Index: dovecot-2.3.17.1/doc/example-config/conf.d/10-ssl.conf
|
|
|
|
===================================================================
|
|
|
|
--- dovecot-2.3.17.1.orig/doc/example-config/conf.d/10-ssl.conf
|
|
|
|
+++ dovecot-2.3.17.1/doc/example-config/conf.d/10-ssl.conf
|
2017-12-24 03:20:56 +01:00
|
|
|
@@ -9,8 +9,8 @@
|
|
|
|
# dropping root privileges, so keep the key file unreadable by anyone but
|
|
|
|
# root. Included doc/mkcert.sh can be used to easily generate self-signed
|
|
|
|
# certificate, just make sure to update the domains in dovecot-openssl.cnf
|
2022-02-03 13:40:28 +01:00
|
|
|
-ssl_cert = </etc/ssl/private/dovecot.crt
|
2017-12-24 03:20:56 +01:00
|
|
|
-ssl_key = </etc/ssl/private/dovecot.pem
|
2022-02-03 13:40:28 +01:00
|
|
|
+#ssl_cert = </etc/ssl/private/dovecot.crt
|
2017-12-24 03:20:56 +01:00
|
|
|
+#ssl_key = </etc/ssl/private/dovecot.pem
|
|
|
|
|
|
|
|
# If key file is password protected, give the password here. Alternatively
|
|
|
|
# give it when starting dovecot with -p parameter. Since this file is often
|
2021-12-16 09:56:12 +01:00
|
|
|
@@ -64,6 +64,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
|
2017-12-24 03:20:56 +01:00
|
|
|
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
|
|
|
# To disable non-EC DH, use:
|
|
|
|
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
|
|
|
+ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
|
|
|
|
|
|
|
|
# Colon separated list of elliptic curves to use. Empty value (the default)
|
|
|
|
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
|
2021-12-16 09:56:12 +01:00
|
|
|
@@ -71,7 +72,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
|
2021-06-21 19:08:49 +02:00
|
|
|
#ssl_curve_list =
|
2017-12-24 03:20:56 +01:00
|
|
|
|
|
|
|
# Prefer the server's order of ciphers over client's.
|
2021-06-21 19:08:49 +02:00
|
|
|
-#ssl_prefer_server_ciphers = no
|
2017-12-24 03:20:56 +01:00
|
|
|
+ssl_prefer_server_ciphers = yes
|
|
|
|
|
|
|
|
# SSL crypto device to use, for valid values run "openssl engine"
|
|
|
|
#ssl_crypto_device =
|
2021-12-16 09:56:12 +01:00
|
|
|
@@ -80,3 +81,4 @@ ssl_key = </etc/ssl/private/dovecot.pem
|
2017-12-24 03:20:56 +01:00
|
|
|
# compression - Enable compression.
|
|
|
|
# no_ticket - Disable SSL session tickets.
|
|
|
|
#ssl_options =
|
|
|
|
+ssl_options = no_compression
|
2021-12-16 09:56:12 +01:00
|
|
|
Index: dovecot-2.3.17.1/src/lib-master/master-service-ssl-settings.c
|
|
|
|
===================================================================
|
|
|
|
--- dovecot-2.3.17.1.orig/src/lib-master/master-service-ssl-settings.c
|
|
|
|
+++ dovecot-2.3.17.1/src/lib-master/master-service-ssl-settings.c
|
|
|
|
@@ -49,7 +49,7 @@ static const struct master_service_ssl_s
|
2021-12-08 03:44:45 +01:00
|
|
|
.ssl_client_ca_dir = "",
|
2018-06-30 22:12:10 +02:00
|
|
|
.ssl_client_cert = "",
|
|
|
|
.ssl_client_key = "",
|
2017-12-24 03:20:56 +01:00
|
|
|
- .ssl_cipher_list = "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
|
|
|
|
+ .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
|
2021-06-21 19:08:49 +02:00
|
|
|
.ssl_cipher_suites = "", /* Use TLS library provided value */
|
2017-12-24 03:20:56 +01:00
|
|
|
.ssl_curve_list = "",
|
2021-06-21 19:08:49 +02:00
|
|
|
.ssl_min_protocol = "TLSv1.2",
|