* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-14.sme

- use esmith::ssl to set ciphers and protocol [SME: 12821]
  improve cipher order so that stronger ciphers come first
  drop SSLv2
Jean-Philippe Pialasse 2025-01-18 15:41:12 -05:00
parent 52e318c808
commit 9e05a63784
4 changed files with 13 additions and 7 deletions


@ -1 +0,0 @@
sme10


@ -7,5 +7,9 @@
foreach my $prope (qw( SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 dh )) { foreach my $prope (qw( SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 dh )) {
$DB->get_prop_and_delete('dovecot', $prope) if (exists $dovecot{$prope}); $DB->get_prop_and_delete('dovecot', $prope) if (exists $dovecot{$prope});
} }
# drop SSLv2 from ssl_min_protocol
foreach my $prope (qw( SSLv2 )) {
$DB->get_prop_and_delete('dovecot', 'ssl_min_protocol') if (exists $dovecot{'ssl_min_protocol'} && $dovecot{'ssl_min_protocol'} eq $prope);
}
} }
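Review bot: The added `foreach my $prope (qw( SSLv2 )) { ... }` loops over a single-element list, so the loop only hides a plain guard; `$DB->get_prop_and_delete('dovecot', 'ssl_min_protocol') if exists $dovecot{'ssl_min_protocol'} && $dovecot{'ssl_min_protocol'} eq 'SSLv2';` expresses the same migration in one statement. The `eq` comparison is case-sensitive, so a value written as `sslv2` would survive the migration; if that spelling can occur in the db, compare with `lc $dovecot{'ssl_min_protocol'} eq 'sslv2'` instead. `%dovecot` and `$DB` are set up before the hunk begins, and the enclosing block starts outside it.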


@ -2,13 +2,11 @@ ssl = {$OUT .= ( (($imaps{'status'} || 'enabled') eq 'enabled') || (($pops{'stat
ssl_cert = </etc/dovecot/ssl/imapd.pem ssl_cert = </etc/dovecot/ssl/imapd.pem
ssl_key = </etc/dovecot/ssl/imapd.pem ssl_key = </etc/dovecot/ssl/imapd.pem
{ {
use esmith::ssl;
my %protos={SLv3=>1,TLSv1=>1, TLSv1.1=>1, TLSv1.2=>1,TLSv1.3=>1}; my $proto = ( (exists $dovecot{'ssl_min_protocol'} ) && (exists $existingSSLprotos{$dovecot{'ssl_min_protocol'}} ) ) ? $dovecot{'ssl_min_protocol'} : SSLprotoMin();
my $proto = ( (exists $dovecot{'ssl_min_protocol'} ) && (exists $protos{$dovecot{'ssl_min_protocol'}} ) ) ? $dovecot{'ssl_min_protocol'} : 'TLSv1.2';
$OUT .= "ssl_dh=</etc/dovecot/ssl/dhparam.pem\n"; $OUT .= "ssl_dh=</etc/dovecot/ssl/dhparam.pem\n";
$OUT .= "ssl_min_protocol = $proto\n" if ($proto ne ''); $OUT .= "ssl_min_protocol = $proto\n" if ($proto ne '');
$OUT .= "ssl_prefer_server_ciphers = yes\n"; $OUT .= "ssl_prefer_server_ciphers = yes\n";
$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n"; $OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || $smeCiphers ). "\n";
} }
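Review bot: The new `my $proto = ...` line and the new `ssl_cipher_list` line use `%existingSSLprotos`, `SSLprotoMin()` and `$smeCiphers` without declaring them, so the template now depends on `esmith::ssl` exporting all three; a comment on the `use esmith::ssl;` line such as `# provides %existingSSLprotos, SSLprotoMin() and $smeCiphers` would make that dependency visible to the next maintainer. Whether a db value such as `SSLv3` or `TLSv1` is still accepted as the minimum now depends entirely on the keys of `%existingSSLprotos`, which are not visible here; if that hash still lists them, a configured `ssl_min_protocol` below TLS 1.2 is still emitted, so that is worth confirming against esmith::ssl. The unchanged `if ($proto ne '')` guard assumes `SSLprotoMin()` never returns undef; if it can, the comparison warns and the guard should read `if (defined $proto && $proto ne '')`.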


@ -1,5 +1,5 @@
%define version 11.0.0 %define version 11.0.0
%define release 13 %define release 14
%define name smeserver-dovecot %define name smeserver-dovecot
@ -41,6 +41,11 @@ Configure the dovecot IMAP server with sieve scripts support,
quota, ACL, extended logging, master user quota, ACL, extended logging, master user
%changelog %changelog
* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-14.sme
- use esmith::ssl to set ciphers and protocol [SME: 12821]
improve cipher order to get strongers first
drop SSLv2
* Mon Oct 21 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 11.0.0-13.sme * Mon Oct 21 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 11.0.0-13.sme
- use INDEXPVT instead of INDEX for shared mailboxes [SME: 12150] - use INDEXPVT instead of INDEX for shared mailboxes [SME: 12150]