Merge branch 'dovecot_updates' of https://github.com/reixd/debops int…

…o reixd-dovecot_updates
debops · Sep 10, 2019 · 5c3ccf0 · 5c3ccf0
2 parents 803d04a + fce9783
commit 5c3ccf0
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/ansible/roles/debops.dovecot/defaults/main.yml b/ansible/roles/debops.dovecot/defaults/main.yml
@@ -243,11 +243,19 @@ dovecot_ssl_required: True
                                                                    # ]]]
 # .. envvar:: dovecot_ssl_protocols [[[
 #
-# SSL ciphers to use
+# SSL ciphers to use. On new distros you only specify the minimum ssl
+# protocol version Dovecot accepts, defaulting to TLSv1.
+# On old distros disable SSLv2,3 and allow TLSv1.0 or better.
 dovecot_ssl_protocols: '{{ "!SSLv2 !SSLv3"
                            if (ansible_distribution_release in
                                [ "wheezy", "jessie", "precise", "trusty" ])
-                           else "!SSLv3" }}'
+                           else "TLSv1" }}'
+
+                                                                   # ]]]
+# .. envvar:: dovecot_ssl_dh_parameters_length [[[
+#
+# Diffie-Hellman parameters length
+dovecot_ssl_dh_parameters_length: 2048
 
                                                                    # ]]]
 # .. envvar:: dovecot_ssl_cipher_list [[[
@@ -259,7 +267,7 @@ dovecot_ssl_cipher_list: '{{ dovecot_ssl_cipher_list_default }}'
 # .. envvar:: dovecot_ssl_cipher_list_default [[[
 #
 # Default SSL ciphers
-dovecot_ssl_cipher_list_default: 'TLSv1+HIGH:!SSLv2:!EXPORT:!RC4:!aNULL:!eNULL:!3DES:@STRENGTH'
+dovecot_ssl_cipher_list_default: 'ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH'
 
                                                                    # ]]]
 # .. envvar:: dovecot_ssl_cipher_list_better_cypto [[[

diff --git a/ansible/roles/debops.dovecot/templates/etc/dovecot/conf.d/10-ssl.conf.j2 b/ansible/roles/debops.dovecot/templates/etc/dovecot/conf.d/10-ssl.conf.j2
@@ -22,13 +22,17 @@ ssl = yes
 ssl_prefer_server_ciphers = yes
 
 # Diffie-Hellman parameters length (Default is 1024, Dovecot >=2.2.7 Required)
-ssl_dh_parameters_length = 2048
+ssl_dh_parameters_length = {{ dovecot_ssl_dh_parameters_length }}
 
 {% set dovecot_tpl_tls_cert_file    = dovecot_pki_path + "/" + dovecot_pki_realm + "/" + dovecot_pki_crt %}
 {% set dovecot_tpl_tls_key_file     = dovecot_pki_path + "/" + dovecot_pki_realm + "/" + dovecot_pki_key %}
 ssl_cert    = <{{ dovecot_tpl_tls_cert_file }}
 ssl_key     = <{{ dovecot_tpl_tls_key_file }}
+{% if (ansible_distribution_release in [ "wheezy", "jessie", "precise", "trusty" ] %}
 ssl_protocols   = {{ dovecot_ssl_protocols }}
+{% else %}
+ssl_min_protocol = {{ dovecot_ssl_protocols }}
+{% endif %}
 ssl_cipher_list = {{ dovecot_ssl_cipher_list }}
 {% else %}
 ssl = no