
On new distros you only specify the minimum SSL protocol version Dovecot accepts, defaulting to TLSv1. On old distros disable SSLv2,3 and allow TLSv1.0 or better.
reixd committed Sep 9, 2019
1 parent 60c9d64 commit a952d52ba09bddd4f8f8ccf12049f6b47d382064
@@ -241,11 +241,13 @@ dovecot_ssl_required: True
# ]]]
# .. envvar:: dovecot_ssl_protocols [[[
#
# SSL ciphers to use
# SSL ciphers to use. On new distros you only specify the minimum ssl
# protocol version Dovecot accepts, defaulting to TLSv1.
# On old distros disable SSLv2,3 and allow TLSv1.0 or better.
dovecot_ssl_protocols: '{{ "!SSLv2 !SSLv3"
if (ansible_distribution_release in
[ "wheezy", "jessie", "precise", "trusty" ])
else "!SSLv3" }}'
else "TLSv1" }}'

# ]]]
# .. envvar:: dovecot_ssl_cipher_list [[[
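Review bot: The new fallback `else "TLSv1" }}'` sets TLS 1.0 as the minimum on every release outside the list, so TLS 1.0 and 1.1 stay enabled by default; unless old mail clients still need them, `else "TLSv1.2" }}'` would be the safer default. The variable now carries two different syntaxes: a `!`-prefixed exclusion list on the four listed releases and a single minimum version everywhere else. An existing override such as `!SSLv3` would presumably be written out in the wrong form on a new distro, and the comment should warn about that. The comment's first sentence also still reads "SSL ciphers to use" although the value is a protocol setting; something like `# SSL/TLS protocol versions Dovecot accepts.` would match what the variable does.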
@@ -28,7 +28,11 @@ ssl_dh_parameters_length = 2048
{% set dovecot_tpl_tls_key_file = dovecot_pki_path + "/" + dovecot_pki_realm + "/" + dovecot_pki_key %}
ssl_cert = <{{ dovecot_tpl_tls_cert_file }}
ssl_key = <{{ dovecot_tpl_tls_key_file }}
{% if (ansible_distribution_release in [ "wheezy", "jessie", "precise", "trusty" ] %}
ssl_protocols = {{ dovecot_ssl_protocols }}
{% else %}
ssl_min_protocol = {{ dovecot_ssl_protocols }}
{% endif %}
ssl_cipher_list = {{ dovecot_ssl_cipher_list }}
{% else %}
ssl = no
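Review bot: The added `{% if (ansible_distribution_release in [ "wheezy", "jessie", "precise", "trusty" ] %}` opens a parenthesis that is never closed, so Jinja2 should reject the template at render time and the role would fail before any config is written. Dropping the parenthesis fixes it: `{% if ansible_distribution_release in [ "wheezy", "jessie", "precise", "trusty" ] %}`. The release list is also a second copy of the one in the defaults hunk and stands in for the Dovecot version. `ssl_min_protocol` is a Dovecot 2.3 setting, so a release outside the list that still ships 2.2 would presumably receive a setting its Dovecot does not recognise; that is worth verifying, or the test could key on the installed Dovecot version instead. The enclosing `{% if %}` whose `{% else %}` / `ssl = no` branch ends this hunk begins and closes outside it.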
