initial commit

author: Sam Chudnick <sam@chudnick.com> 2023-07-02 19:04:30 -0400
committer: Sam Chudnick <sam@chudnick.com> 2023-07-02 19:04:30 -0400
commit: 724d877995dfcc10c462a18dcb4ea6c8b60c2d03 (patch)
tree: 270537b8fca585717c1ffa7708e492593f7b2ed5 /roles/dovecot/templates
1 files changed, 20 insertions, 0 deletions
diff --git a/roles/dovecot/templates/10-ssl.conf.j2 b/roles/dovecot/templates/10-ssl.conf.j2
new file mode 100644
index 0000000..8efa1d2
--- /dev/null
+++ b/roles/dovecot/templates/10-ssl.conf.j2
@@ -0,0 +1,20 @@
+# SSL/TLS Configuration
+ssl = required
+ssl_key = "</etc/letsencrypt/live/{{ mail_domain }}/privkey.pem"
+ssl_cert = "</etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem"
+ssl_client_ca_dir = /etc/ssl/certs
+ssl_dh = </usr/share/dovecot/dh.pem
+# Mozilla modern compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS)
+# This is here for future use - Dovecot does not support using only TLSv1.3 right now.
+#ssl_min_protocol = TLSv1.3
+# Ciphers listed here are just for reference, DO NOT uncomment, this is not a valid 
+# openssl cipherlist
+#ssl_cipher_list = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+# Mozilla intermediate compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS)
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE+ECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+ECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:DHE+aRSA+AESGCM:!aNULL:!eNULL
+ssl_prefer_server_ciphers = yes
+ssl_client_require_valid_cert = yes
author	Sam Chudnick <sam@chudnick.com>	2023-07-02 19:04:30 -0400
committer	Sam Chudnick <sam@chudnick.com>	2023-07-02 19:04:30 -0400
commit	724d877995dfcc10c462a18dcb4ea6c8b60c2d03 (patch)
tree	270537b8fca585717c1ffa7708e492593f7b2ed5 /roles/dovecot/templates

diff --git a/roles/dovecot/templates/10-ssl.conf.j2 b/roles/dovecot/templates/10-ssl.conf.j2 new file mode 100644 index 0000000..8efa1d2 --- /dev/null +++ b/roles/dovecot/templates/10-ssl.conf.j2
@@ -0,0 +1,20 @@
	1	# SSL/TLS Configuration
	2	ssl = required
	3	ssl_key = "</etc/letsencrypt/live/{{ mail_domain }}/privkey.pem"
	4	ssl_cert = "</etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem"
	5	ssl_client_ca_dir = /etc/ssl/certs
	6	ssl_dh = </usr/share/dovecot/dh.pem
	7
	8	# Mozilla modern compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS)
	9	# This is here for future use - Dovecot does not support using only TLSv1.3 right now.
	10	#ssl_min_protocol = TLSv1.3
	11	# Ciphers listed here are just for reference, DO NOT uncomment, this is not a valid
	12	# openssl cipherlist
	13	#ssl_cipher_list = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
	14
	15	# Mozilla intermediate compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS)
	16	ssl_min_protocol = TLSv1.2
	17	ssl_cipher_list = ECDHE+ECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+ECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:DHE+aRSA+AESGCM:!aNULL:!eNULL
	18
	19	ssl_prefer_server_ciphers = yes
	20	ssl_client_require_valid_cert = yes