upgarde settings to dovecot 2.3

README.md

@@ -96,16 +96,19 @@ Name of the certificate domain.
 
 Length of the Diffie-Helman key in bits.
 
-## SSL_PROTOCOLS
+## SSL_MIN_PROTOCOL
-- default: !SSLv2 !SSLv3
+- default: TLSv1
 
-Space seperated list of allowed ssl protocols (`!`disables a protocol).
+Ssl minimum protocol version.
 
 ## SSL_CIPHERLIST
-- default: ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM
+- default: ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
 
 Colon seperated list of supported ciphers (`!`disables a cipher).
 
+Go [here](https://www.openssl.org/docs/manmaster/man1/ciphers.html) for a list
+of ciphers.
+
 ## IMAP_MAX_USER_CONNECTIONS
 - default: 10
 

rootfs/etc/confd/templates/10-ssl.conf.tmpl

@@ -1,7 +1,8 @@
 ssl = yes
 ssl_cert = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.crt
 ssl_key = </etc/ssl/mail/{{ getenv "CERT_DOMAIN"}}.key
+ssl_dh=</etc/ssl/mail/dh.pem
 ssl_dh_parameters_length = {{getenv "SSL_DH_LENGTH" "2048"}}
-ssl_protocols = {{getenv "SSL_PROTOCOLS" "!SSLv2 !SSLv3"}}
+ssl_min_protocol = {{getenv "SSL_MIN_PROTOCOL" "TLSv1"}}
-ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!ADH:!LOW:!SSLv2:!EXP:!aNULL:!RC4:+HIGH:+MEDIUM"}}
+ssl_cipher_list = {{getenv "SSL_CIPHERLIST" "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH "}}
 ssl_prefer_server_ciphers = yes