aboutsummaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorAaron LI <aly@aaronly.me>2018-04-18 02:54:25 +0800
committerAaron LI <aly@aaronly.me>2018-04-18 02:54:25 +0800
commit2607bc43c314169cabf70d6a92e3ade347d3571c (patch)
tree29d81944c8cc953e21ae9aeb4d0c0730f9064c5b /roles
parent551151ebf10aa4bf143d63696d431062c1c7ccfa (diff)
downloadansible-dfly-vps-2607bc43c314169cabf70d6a92e3ade347d3571c.tar.bz2
mail/dovecot: update config file to dovecot v2.3
Diffstat (limited to 'roles')
-rw-r--r--roles/mail/templates/dovecot/dovecot.conf.j217
1 files changed, 3 insertions, 14 deletions
diff --git a/roles/mail/templates/dovecot/dovecot.conf.j2 b/roles/mail/templates/dovecot/dovecot.conf.j2
index 86cb08c..1fde91b 100644
--- a/roles/mail/templates/dovecot/dovecot.conf.j2
+++ b/roles/mail/templates/dovecot/dovecot.conf.j2
@@ -312,15 +312,7 @@ ssl_cert = </usr/local/etc/ssl/acme/{{ mydomain }}/fullchain.pem
ssl_key = </usr/local/etc/ssl/acme/private/{{ mydomain }}.pem
# DH parameters file.
-#ssl_dh = </usr/local/etc/ssl/dhparam4096.pem
-
-# DH parameters length to use. (version == 2.2)
-#
-# NOTE: to re-generate DH-parameters, first manually delete current
-# parameters: "/var/db/dovecot/ssl-parameters.dat", and then
-# restart Dovecot.
-#
-ssl_dh_parameters_length = 2048
+ssl_dh = </usr/local/etc/ssl/dhparam4096.pem
# PEM encoded trusted certificate authority.
# Set this only if you intend to use "ssl_verify_client_cert=yes".
@@ -337,11 +329,8 @@ ssl_dh_parameters_length = 2048
# "auth_ssl_username_from_cert=yes".
#ssl_cert_username_field = commonName
-# SSL protocols to use: disable SSL, use TLS only!
-ssl_protocols = !SSLv3 !SSLv2
-
-# SSL ciphers to use
-ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES12
+# Minimal SSL protocol version to accept
+ssl_min_protocol = TLSv1.1
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes