diff options
| author | Luke Smith <luke@lukesmith.xyz> | 2020-11-30 18:55:57 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-11-30 18:55:57 -0500 |
| commit | 41083d5ca4187b3d941aff6f7d6019810a6f85bb (patch) | |
| tree | 8d89af5f8561055600ece6bf7ba3c467f102ab0b | |
| parent | 9a61a69c0fbd82db35f40513ca7c09344f8886b7 (diff) | |
| parent | 24aa38ec12a0a426bad4268f36097c79bcb920bd (diff) | |
Merge pull request #49 from Mqr10/master
Enforce TLS1.2 connections
| -rwxr-xr-x | emailwiz.sh | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/emailwiz.sh b/emailwiz.sh index 20685ea..444f6c3 100755 --- a/emailwiz.sh +++ b/emailwiz.sh @@ -66,6 +66,15 @@ postconf -e "smtpd_use_tls = yes" postconf -e "smtpd_tls_auth_only = yes" postconf -e "smtp_tls_security_level = may" postconf -e "smtp_tls_loglevel = 1" +postconf -e "smtp_tls_CAfile=$certdir/cert.pem" +postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" +postconf -e "tls_preempt_cipherlist = yes" +postconf -e "smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, + DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, + RSA+AES, eNULL" # Here we tell Postfix to look to Dovecot for authenticating users/passwords. # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth @@ -127,6 +136,9 @@ echo "# Dovecot config ssl = required ssl_cert = <$certdir/fullchain.pem ssl_key = <$certdir/privkey.pem +ssl_min_protocol = TLSv1.2 +ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH +ssl_prefer_server_ciphers = yes ssl_dh = </usr/share/dovecot/dh.pem # Plaintext login. This is safe and easy thanks to SSL. auth_mechanisms = plain login |