update cipher lists

Dockerfile

@@ -18,7 +18,7 @@ RUN apk --no-cache add \
     inotify-tools-dev
 
 RUN mkdir /tmp/dovecot
-RUN wget -qO- https://www.dovecot.org/releases/2.3/dovecot-2.3.0.tar.gz | tar -xz -C /tmp/dovecot --strip 2
+RUN wget -qO- https://www.dovecot.org/releases/2.3/dovecot-2.3.4.tar.gz | tar -xz -C /tmp/dovecot --strip 2
 
 RUN mkdir /tmp/pigeonhole
 RUN wget -qO- https://pigeonhole.dovecot.org/releases/2.3/dovecot-2.3-pigeonhole-0.5.0.1.tar.gz | tar -xz -C /tmp/pigeonhole --strip 1

README.md

@@ -98,12 +98,12 @@ Name of the certificate domain.
 Length of the Diffie-Helman key in bits.
 
 ## SSL_MIN_PROTOCOL
-- default: TLSv1
+- default: TLSv1.2
 
 Ssl minimum protocol version.
 
 ## SSL_CIPHERLIST
-- default: ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+- default: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
 
 Colon seperated list of supported ciphers (`!`disables a cipher).
 

rootfs/etc/confd/templates/10-ssl.conf.tmpl

@@ -2,6 +2,6 @@ ssl = yes
 ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
 ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
 ssl_dh=</etc/ssl/mail/dh.pem
-ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1"}}
+ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1.2"}}
-ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH "}}
+ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}}
 ssl_prefer_server_ciphers = yes