Update: Practical recommendations - MailServers: CipherStrings matching old CipherStr...
authorGunnar Haslinger <gh.github@hitco.at>
Sat, 7 Nov 2015 15:20:45 +0000 (16:20 +0100)
committerGunnar Haslinger <gh.github@hitco.at>
Sat, 7 Nov 2015 15:20:45 +0000 (16:20 +0100)
src/configuration/MailServers/Dovecot/10-ssl.conf
src/configuration/MailServers/Postfix/main.cf
src/configuration/MailServers/cyrus-imapd/imapd.conf

index 6f9a69e..d828972 100644 (file)
@@ -49,7 +49,7 @@ ssl_key = </etc/dovecot/private/dovecot.pem
 ssl_protocols = !SSLv3 !SSLv2
 
 # SSL ciphers to use
-ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 
 # Prefer the server's order of ciphers over client's. (Dovecot >=2.2.6 Required) 
 ssl_prefer_server_ciphers = yes
index 15aede5..cd7b9b0 100644 (file)
@@ -34,7 +34,7 @@ tls_ssl_options = NO_COMPRESSION
 
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtpd_tls_mandatory_ciphers=high
-tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 smtpd_tls_eecdh_grade=ultra
 
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
index f60586d..12fe2be 100644 (file)
@@ -260,7 +260,7 @@ tls_session_timeout: 1440
 # selects TLSv1 high-security ciphers only, and removes all anonymous ciphers
 # from the list (because they provide no defense against man-in-the-middle
 # attacks).  It also orders the list so that stronger ciphers come first.
-tls_cipher_list: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+tls_cipher_list: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 
 # Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
 #tls_require_cert: false