Diffstat (limited to 'roles/dovecot/templates')
-rw-r--r-- | roles/dovecot/templates/10-ssl.conf.j2 | 20 |
1 files changed, 20 insertions, 0 deletions
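--- /dev/null
+++ b/roles/dovecot/templates/10-ssl.conf.j2
@@ -0,0 +1,20 @@
+# SSL/TLS Configuration
+ssl = required
+ssl_key = "</etc/letsencrypt/live/{{ mail_domain }}/privkey.pem"
+ssl_cert = "</etc/letsencrypt/live/{{ mail_domain }}/fullchain.pem"
+ssl_client_ca_dir = /etc/ssl/certs
+ssl_dh = </usr/share/dovecot/dh.pem
+
+# Mozilla modern compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS)
+# This is here for future use - Dovecot does not support using only TLSv1.3 right now.
+#ssl_min_protocol = TLSv1.3
+# Ciphers listed here are just for reference, DO NOT uncomment, this is not a valid
+# openssl cipherlist
+#ssl_cipher_list = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+
+# Mozilla intermediate compatibility (https://wiki.mozilla.org/Security/Server_Side_TLS)
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE+ECDSA+AESGCM:ECDHE+aRSA+AESGCM:ECDHE+ECDSA+CHACHA20:ECDHE+aRSA+CHACHA20:DHE+aRSA+AESGCM:!aNULL:!eNULL
+
+ssl_prefer_server_ciphers = yes
+ssl_client_require_valid_cert = yes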
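Review bot: The `ssl_client_require_valid_cert = yes` on the last line, together with `ssl_client_ca_dir = /etc/ssl/certs`, governs how Dovecot validates the peer on its own outbound TLS connections (imapc/pop3c, doveadm proxying); it does not make inbound IMAP/POP users present a certificate, which is `ssl_verify_client_cert = yes` plus a CA in `ssl_ca`. If mutual TLS for users was the intent, this line does not provide it; if not, a comment stating the scope avoids the misreading, e.g. `# Validates peer certs on Dovecot's *outbound* TLS connections only (imapc/doveadm); inbound client certs need ssl_verify_client_cert`. Separately, the cipher list still admits `DHE+aRSA+AESGCM` while `ssl_dh` points at the distribution-shipped `/usr/share/dovecot/dh.pem`; if that file is a pregenerated group shared across installs rather than host-generated, either point `ssl_dh` at the RFC 7919 ffdhe2048 group the linked Mozilla guidance recommends or drop the DHE entry so only ECDHE suites are negotiated, and record the choice in the header comment.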