Diffstat (limited to 'ansible/roles/dovecot/templates')
-rw-r--r-- | ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2 | 22 |
1 files changed, 22 insertions, 0 deletions
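--- /dev/null
+++ b/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2
@@ -0,0 +1,22 @@
+# require SSL for all non-localhost connections
+ssl = required
+
+# Config detials at https://wiki.dovecot.org/SSL/DovecotConfiguration
+ssl_cert = </etc/ssl/{{ network.hostname.public }}-cert-combined.rsa2048.pem
+ssl_key = </etc/ssl/private/{{ network.hostname.public }}-key.rsa2048.pem
+
+# Since v2.2.31+ you can specify alternative ssl certificate
+# if the algorithm differs from the primary certificate.
+# This is useful when migrating to e.g. ECDSA certificate.
+ssl_alt_cert = </etc/ssl/{{ network.hostname.public }}-cert-combined.prime256v1.pem
+ssl_alt_key = </etc/ssl/private/{{ network.hostname.public }}-key.prime256v1.pem
+
+# require modern crypto - taken from Mozilla's SSL recommendations page
+ssl_dh_parameters_length = 4096
+ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1 TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ssl_prefer_server_ciphers = yes
+
+# newer dovecot 2.3+
+#ssl_min_protocol = TLSv1.2
+#ssl_dh = /etc/ssl/ffdhe4096.pem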
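Review bot: The TLS floor this template enforces depends on which Dovecot version the role deploys to, and nothing in the file pins that: `ssl_protocols` and `ssl_dh_parameters_length` (lines 15–16) are the 2.2-era settings, while their 2.3 replacements `ssl_min_protocol` and `ssl_dh` (lines 21–22) are left commented out, so a host running 2.3 may reject or silently ignore the protocol restriction and the "require modern crypto" comment would no longer hold. Either gate the two variants on a role variable for the Dovecot version, or at least state the supported version in the header, e.g. `# Targets Dovecot 2.2.x; on 2.3+ replace ssl_protocols / ssl_dh_parameters_length with ssl_min_protocol / ssl_dh`. Separately, the cipher list is ECDHE-only, so the 4096-bit DH parameter setting affects no negotiable suite and, on 2.2, presumably only costs a slow parameter generation at startup; and the trailing non-AEAD CBC suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`) come from an older Mozilla intermediate profile than the one currently published, which lists only AEAD suites — worth confirming that is intended. The comment on line 4 has a typo: `# Config details at https://wiki.dovecot.org/SSL/DovecotConfiguration`.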