update cipher lists

This commit is contained in:
Sebastian Hugentobler 2019-02-18 13:30:33 +01:00
parent c6e51bfd05
commit 6b032be7a4
3 changed files with 5 additions and 5 deletions

View File

@ -18,7 +18,7 @@ RUN apk --no-cache add \
inotify-tools-dev
RUN mkdir /tmp/dovecot
RUN wget -qO- https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz | tar -xz -C /tmp/dovecot --strip 2
RUN wget -qO- https://www.dovecot.org/releases/2.3/dovecot-2.3.4.tar.gz | tar -xz -C /tmp/dovecot --strip 2
RUN mkdir /tmp/pigeonhole
RUN wget -qO- https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.0.1.tar.gz | tar -xz -C /tmp/pigeonhole --strip 1

View File

@ -98,12 +98,12 @@ Name of the certificate domain.
Length of the Diffie-Helman key in bits.
## SSL_MIN_PROTOCOL
- default: TLSv1
- default: TLSv1.2
Ssl minimum protocol version.
## SSL_CIPHERLIST
- default: ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
- default: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Colon seperated list of supported ciphers (`!`disables a cipher).

View File

@ -2,6 +2,6 @@ ssl = yes
ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
ssl_dh=</etc/ssl/mail/dh.pem
ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1"}}
ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH "}}
ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1.2"}}
ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}}
ssl_prefer_server_ciphers = yes