summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'ansible/roles/dovecot/templates')
-rw-r--r--ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j222
1 files changed, 22 insertions, 0 deletions
diff --git a/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2 b/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2
new file mode 100644
index 0000000..c1654cd
--- /dev/null
+++ b/ansible/roles/dovecot/templates/dovecot/conf.d/10-ssl.conf.j2
@@ -0,0 +1,22 @@
1# require SSL for all non-localhost connections
2ssl = required
3
4# Config detials at https://wiki.dovecot.org/SSL/DovecotConfiguration
5ssl_cert = </etc/ssl/{{ network.hostname.public }}-cert-combined.rsa2048.pem
6ssl_key = </etc/ssl/private/{{ network.hostname.public }}-key.rsa2048.pem
7
8# Since v2.2.31+ you can specify alternative ssl certificate
9# if the algorithm differs from the primary certificate.
10# This is useful when migrating to e.g. ECDSA certificate.
11ssl_alt_cert = </etc/ssl/{{ network.hostname.public }}-cert-combined.prime256v1.pem
12ssl_alt_key = </etc/ssl/private/{{ network.hostname.public }}-key.prime256v1.pem
13
14# require modern crypto - taken from Mozilla's SSL recommendations page
15ssl_dh_parameters_length = 4096
16ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1 TLSv1.2
17ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
18ssl_prefer_server_ciphers = yes
19
20# newer dovecot 2.3+
21#ssl_min_protocol = TLSv1.2
22#ssl_dh = /etc/ssl/ffdhe4096.pem
Powered by cgit v1.2.3 (git 2.41.0)