Sympl
Commit 1319b57a, authored Dec 27, 2019 by Paul Cammish
Fixes issue #275, improves PCI Compliance
parent 9a917cc0
Changes 5, Pipelines 1
CHANGELOG
CHANGELOG
---------
2019-12-27
sympl-mail
* Improves default PCI Compliance by disabling TLS1.0
* Fixes dhparam issue with Dovecot
2019-12-16
sympl-core
* Add sympl user to relevant groups on each install.
...
...
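Review bot: the entry "Fixes dhparam issue with Dovecot" does not say what the issue was or reference the issue number from the commit message (#275), so a reader of the CHANGELOG cannot tell whether an existing install is affected or what the fix does. The mail/debian/postinst hunk shows that the fix is generating /etc/ssl/private/dovecot-dhparams.pem, the file the Dovecot ssl_dh setting reads; suggest stating that, e.g. "* Generates /etc/ssl/private/dovecot-dhparams.pem in postinst for Dovecot's ssl_dh (fixes #275)". The TLS entry would also be clearer as "raises minimum TLS version to 1.1 (disables TLS 1.0)", since that is what the Dovecot and Exim changes actually do and TLS 1.1 remains enabled.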
mail/debian/changelog
sympl-mail (10.0.191227.0) stable; urgency=medium
* Improves default PCI Compliance by disabling TLS1.0
* Fixes dhparam issue with Dovecot
-- Paul Cammish <sympl@kelduum.net> Fri, 27 Dec 2019 17:14:17 +0000
sympl-mail (10.0.191004.0) stable; urgency=medium
* Fixes permissions issue with configs
...
...
mail/debian/postinst
...
...
@@ -22,6 +22,16 @@ if [ ! -f /etc/ssl/private/exim4-dhparams.pem ] ; then
/etc/cron.weekly/sympl-mail
--verbose
fi
if
[
!
-f
/etc/ssl/private/dovecot-dhparams.pem
]
;
then
#
# generate dhparams for Dovecot
#
openssl dhparam
-dsaparam
-out
/etc/ssl/private/dovecot-dhparams.pem 4096
chown
dovecot:dovecot /etc/ssl/private/dovecot-dhparams.pem
chmod
600 /etc/ssl/private/dovecot-dhparams.pem
fi
#
# Configure supplementary groups for clamav and freshclam
#
...
...
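Review bot: the `openssl dhparam -dsaparam ... 4096` call in the new Dovecot block should carry a comment explaining the trade-off, because `-dsaparam` is not equivalent to a plain 4096-bit dhparam: it produces DSA-style parameters with a small-order generator, which the openssl manual says are only safe when DH keys are used ephemerally (OpenSSL 1.1.0 and later always use a fresh DH key per handshake, so this is fine for Dovecot, but the reason it is acceptable, and the reason it is chosen, namely that a true 4096-bit safe prime can take hours and would stall package installation, belongs in the script). Two smaller points on the same hunk: the Exim block just above it delegates generation to `/etc/cron.weekly/sympl-mail --verbose` (context lines at the top of the hunk), whereas the Dovecot file is generated inline once and never regenerated, so consider generating both files from the same cron script for consistency; and if postinst does not run under `set -e`, a failing `openssl dhparam` leaves no file, the `chown`/`chmod` errors are ignored, and Dovecot then fails to start because ssl_dh references a missing file, so checking the exit status (or guarding the chown/chmod with `[ -f ... ]`) would make the failure visible at install time. DH parameters are public values, so mode 600 is not needed for secrecy and is harmless, but it is worth a comment so nobody later tries to "fix" it.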
mail/dovecot/sympl.d/10-main/51-ssl-cipher-list
#
# Allow sensible ciphers
.
# Allow sensible ciphers
#
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
#
#
Ban ancient
protocols
too.
#
Allow only safe
protocols
#
ssl_min_protocol = TLSv1
ssl_min_protocol = TLSv1
.1
#
# Prefer our ciphers
#
ssl_prefer_server_ciphers = yes
#
# Use generated phparam file
#
ssl_dh = </etc/ssl/private/dovecot-dhparams.pem
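Review bot: the new comment "Allow only safe protocols" overstates what `ssl_min_protocol = TLSv1.1` achieves, and the unchanged cipher list undercuts it: TLS 1.1 stays enabled, and `ssl_cipher_list` still ends with the 3DES suites (ECDHE-ECDSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA) plus the non-PFS AES-CBC suites, which a PCI ASV scan will typically still flag (64-bit block cipher, Sweet32). If PCI compliance is the goal of this commit, suggest `ssl_min_protocol = TLSv1.2` and appending `:!3DES` (or dropping the four DES-CBC3 entries), with any exception for a known client population documented in the comment rather than implied by "safe". Note that `ssl_min_protocol` is a Dovecot 2.3 setting (2.2 used `ssl_protocols`), so this hunk assumes the Dovecot shipped with the target Debian release; worth stating in the package dependencies or a comment. Minor: the comment above `ssl_dh` reads "phparam"; should be "dhparam".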
mail/exim4/sympl.d/00-main/50-tls-options
...
...
@@ -56,8 +56,9 @@ tls_on_connect_ports = 465
# removed unless the connecting port is 25, so ancient remote mail servers
# don't break too badly.
#
tls_require_ciphers = %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:%COMPAT:PFS:NORMAL:-VERS-SSL3.0:-MD5:-CURVE-SECP192R1:-CURVE-SECP224R1:\
-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM\
tls_require_ciphers = %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:%COMPAT:PFS:NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-MD5:\
-CURVE-SECP192R1:-CURVE-SECP224R1:-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:\
-CAMELLIA-128-GCM:-CAMELLIA-256-GCM\
${if !eq{$received_port}{25}{:-ARCFOUR-128}}
#
...
...
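Review bot: the new `-VERS-TLS1.0` in `tls_require_ciphers` applies on port 25 as well, unlike the `-ARCFOUR-128` exclusion, which the `${if !eq{$received_port}{25}{...}}` expansion deliberately keeps off port 25 so that ancient remote mail servers "don't break too badly" (comment at the top of the hunk). An old sending MTA that only offers TLS 1.0 will now fail STARTTLS on port 25, and because inbound SMTP TLS is opportunistic, such senders commonly retry in cleartext, which is a net loss in confidentiality, while the PCI-relevant endpoints are the submission ports (465, 587). Either move `-VERS-TLS1.0` into the same port-conditional expansion as `-ARCFOUR-128`, or extend the comment above to record that the port 25 breakage is intended. Also, TLS 1.1 remains enabled here (no `-VERS-TLS1.1`), consistent with the Dovecot minimum of TLSv1.1 in this commit; if TLS 1.2 is the intended floor for submission, add `-VERS-TLS1.1` alongside it in the non-25 branch.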