File dovecot-2.3.0-better_ssl_defaults.patch of Package dovecot23
Index: dovecot-2.3.17.1/doc/example-config/conf.d/10-ssl.conf =================================================================== --- dovecot-2.3.17.1.orig/doc/example-config/conf.d/10-ssl.conf +++ dovecot-2.3.17.1/doc/example-config/conf.d/10-ssl.conf @@ -9,8 +9,8 @@ # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = </etc/ssl/private/dovecot.crt -ssl_key = </etc/ssl/private/dovecot.pem +#ssl_cert = </etc/ssl/private/dovecot.crt +#ssl_key = </etc/ssl/private/dovecot.pem # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often @@ -64,6 +64,7 @@ ssl_key = </etc/ssl/private/dovecot.pem #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # To disable non-EC DH, use: #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH +ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # Colon separated list of elliptic curves to use. Empty value (the default) # means use the defaults from the SSL library. P-521:P-384:P-256 would be an @@ -71,7 +72,7 @@ ssl_key = </etc/ssl/private/dovecot.pem #ssl_curve_list = # Prefer the server's order of ciphers over client's. -#ssl_prefer_server_ciphers = no +ssl_prefer_server_ciphers = yes # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = @@ -80,3 +81,4 @@ ssl_key = </etc/ssl/private/dovecot.pem # compression - Enable compression. # no_ticket - Disable SSL session tickets. #ssl_options = +ssl_options = no_compression Index: dovecot-2.3.17.1/src/lib-master/master-service-ssl-settings.c =================================================================== --- dovecot-2.3.17.1.orig/src/lib-master/master-service-ssl-settings.c +++ dovecot-2.3.17.1/src/lib-master/master-service-ssl-settings.c @@ -49,7 +49,7 @@ static const struct master_service_ssl_s .ssl_client_ca_dir = "", .ssl_client_cert = "", .ssl_client_key = "", - .ssl_cipher_list = "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH", + .ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH", .ssl_cipher_suites = "", /* Use TLS library provided value */ .ssl_curve_list = "", .ssl_min_protocol = "TLSv1.2",
