author | Aaron LI <aly@aaronly.me> | 2018-04-18 02:54:25 +0800 |
---|---|---|
committer | Aaron LI <aly@aaronly.me> | 2018-04-18 02:54:25 +0800 |
commit | 2607bc43c314169cabf70d6a92e3ade347d3571c (patch) | |
tree | 29d81944c8cc953e21ae9aeb4d0c0730f9064c5b /roles/mail | |
parent | 551151ebf10aa4bf143d63696d431062c1c7ccfa (diff) | |
mail/dovecot: update config file to dovecot v2.3
Diffstat (limited to 'roles/mail')
-rw-r--r-- | roles/mail/templates/dovecot/dovecot.conf.j2 | 17 |
1 files changed, 3 insertions, 14 deletions
diff --git a/roles/mail/templates/dovecot/dovecot.conf.j2 b/roles/mail/templates/dovecot/dovecot.conf.j2
index 86cb08c..1fde91b 100644
--- a/roles/mail/templates/dovecot/dovecot.conf.j2
+++ b/roles/mail/templates/dovecot/dovecot.conf.j2
@@ -312,15 +312,7 @@ ssl_cert = </usr/local/etc/ssl/acme/{{ mydomain }}/fullchain.pem
 ssl_key = </usr/local/etc/ssl/acme/private/{{ mydomain }}.pem
 
 # DH parameters file.
-#ssl_dh = </usr/local/etc/ssl/dhparam4096.pem
-
-# DH parameters length to use. (version == 2.2)
-#
-# NOTE: to re-generate DH-parameters, first manually delete current
-# parameters: "/var/db/dovecot/ssl-parameters.dat", and then
-# restart Dovecot.
-#
-ssl_dh_parameters_length = 2048
+ssl_dh = </usr/local/etc/ssl/dhparam4096.pem
 
 # PEM encoded trusted certificate authority.
 # Set this only if you intend to use "ssl_verify_client_cert=yes".
@@ -337,11 +329,8 @@ ssl_dh_parameters_length = 2048
 # "auth_ssl_username_from_cert=yes".
 #ssl_cert_username_field = commonName
 
-# SSL protocols to use: disable SSL, use TLS only!
-ssl_protocols = !SSLv3 !SSLv2
-
-# SSL ciphers to use
-ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES12
+# Minimal SSL protocol version to accept
+ssl_min_protocol = TLSv1.1
 
 # Prefer the server's order of ciphers over client's.
 ssl_prefer_server_ciphers = yes
|
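Review bot: The now-active `ssl_dh = </usr/local/etc/ssl/dhparam4096.pem` in the first hunk makes the rendered config depend on a file that nothing in this diff creates, and the removed NOTE was the only guidance on DH parameter handling. Dovecot 2.3 does not generate DH parameters itself, so a missing or unreadable file will probably show up as a configuration error or as DHE key exchange being unavailable. If the role has no task that creates the file (none is visible here, and the diffstat lists only this template), it should gain one. The setting should also carry a comment such as `# Not generated by Dovecot 2.3; create beforehand, e.g. "openssl dhparam -out /usr/local/etc/ssl/dhparam4096.pem 4096".`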
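Review bot: `ssl_min_protocol = TLSv1.1` in the second hunk still accepts TLS 1.1, which has since been formally deprecated (RFC 8996). Unless a known legacy mail client requires it, `ssl_min_protocol = TLSv1.2` is the safer floor. The same hunk removes the explicit `ssl_cipher_list` without a replacement, so cipher selection falls back to Dovecot's built-in default while `ssl_prefer_server_ciphers = yes` remains in force. If that fallback is intended, a one-line comment such as `# ssl_cipher_list intentionally unset: Dovecot 2.3 default applies` would record the decision for the next maintainer.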