From ef2dab732cb5f2e63563b2108e5e525997da7966 Mon Sep 17 00:00:00 2001
From: Sebastian Hugentobler <sebastian@vanwa.ch>
Date: Fri, 16 Feb 2018 09:33:18 +0100
Subject: [PATCH] upgarde settings to dovecot 2.3

---
 README.md                                   | 11 +++++++----
 rootfs/etc/confd/templates/10-ssl.conf.tmpl |  5 +++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index d99c1d5..b752132 100644
--- a/README.md
+++ b/README.md
@@ -96,16 +96,19 @@ Name of the certificate domain.
 
 Length of the Diffie-Helman key in bits.
 
-## SSL_PROTOCOLS
-- default: !SSLv2 !SSLv3
+## SSL_MIN_PROTOCOL
+- default: TLSv1
 
-Space seperated list of allowed ssl protocols (`!`disables a protocol).
+Ssl minimum protocol version.
 
 ## SSL_CIPHERLIST
-- default: ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM
+- default: ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 
 Colon seperated list of supported ciphers (`!`disables a cipher).
 
+Go [here](https://www.openssl.org/docs/manmaster/man1/ciphers.html) for a list
+of ciphers.
+
 ## IMAP_MAX_USER_CONNECTIONS
 - default: 10
 
diff --git a/rootfs/etc/confd/templates/10-ssl.conf.tmpl b/rootfs/etc/confd/templates/10-ssl.conf.tmpl
index 3d11a67..013574f 100644
--- a/rootfs/etc/confd/templates/10-ssl.conf.tmpl
+++ b/rootfs/etc/confd/templates/10-ssl.conf.tmpl
@@ -1,7 +1,8 @@
 ssl = yes
 ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
 ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
+ssl_dh=</etc/ssl/mail/dh.pem
 ssl_dh_parameters_length = {{getenv "SSL_DH_LENGTH" "2048"}}
-ssl_protocols = {{getenv "SSL_PROTOCOLS" "!SSLv2 !SSLv3"}}
-ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM"}}
+ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1"}}
+ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH "}}
 ssl_prefer_server_ciphers = yes