Fixes issue #275, improves PCI Compliance

1319b57a · Paul Cammish · 9a917cc0 · 1319b57a · 1319b57a · 1319b57a
Commit 1319b57a authored Dec 27, 2019 by Paul Cammish
--- a/CHANGELOG
+++ b/CHANGELOG
 CHANGELOG
 ---------

+2019-12-27
+  sympl-mail
+    * Improves default PCI Compliance by disabling TLS1.0
+    * Fixes dhparam issue with Dovecot
+
 2019-12-16
  sympl-core
    * Add sympl user to relevant groups on each install.

--- a/mail/debian/changelog
+++ b/mail/debian/changelog
+sympl-mail (10.0.191227.0) stable; urgency=medium
+
+  * Improves default PCI Compliance by disabling TLS1.0
+  * Fixes dhparam issue with Dovecot
+
+ -- Paul Cammish <sympl@kelduum.net>  Fri, 27 Dec 2019 17:14:17 +0000
+
 sympl-mail (10.0.191004.0) stable; urgency=medium

  * Fixes permissions issue with configs

--- a/mail/debian/postinst
+++ b/mail/debian/postinst
@@ -22,6 +22,16 @@ if [ ! -f /etc/ssl/private/exim4-dhparams.pem ] ; then
  /etc/cron.weekly/sympl-mail --verbose
 fi

+if [ ! -f /etc/ssl/private/dovecot-dhparams.pem ] ; then
+  #
+  # generate dhparams for Dovecot
+  #
+  openssl dhparam -dsaparam -out /etc/ssl/private/dovecot-dhparams.pem 4096
+  chown dovecot:dovecot /etc/ssl/private/dovecot-dhparams.pem
+  chmod 600 /etc/ssl/private/dovecot-dhparams.pem
+fi
+  
+
 #
 # Configure supplementary groups for clamav and freshclam
 #

--- a/mail/dovecot/sympl.d/10-main/51-ssl-cipher-list
+++ b/mail/dovecot/sympl.d/10-main/51-ssl-cipher-list
 #
-# Allow sensible ciphers.
+# Allow sensible ciphers
 #
 ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

 #
-# Ban ancient protocols too.
+# Allow only safe protocols
 #
-ssl_min_protocol = TLSv1
+ssl_min_protocol = TLSv1.1

 #
 # Prefer our ciphers
 #
 ssl_prefer_server_ciphers = yes

+#
+# Use generated phparam file
+#
+ssl_dh = </etc/ssl/private/dovecot-dhparams.pem
--- a/mail/exim4/sympl.d/00-main/50-tls-options
+++ b/mail/exim4/sympl.d/00-main/50-tls-options
@@ -56,8 +56,9 @@ tls_on_connect_ports = 465
 # removed unless the connecting port is 25, so ancient remote mail servers
 # don't break too badly.
 #
-tls_require_ciphers  = %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:%COMPAT:PFS:NORMAL:-VERS-SSL3.0:-MD5:-CURVE-SECP192R1:-CURVE-SECP224R1:\
-                       -CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM\
+tls_require_ciphers  = %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:%COMPAT:PFS:NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-MD5:\
+                       -CURVE-SECP192R1:-CURVE-SECP224R1:-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:\
+                       -CAMELLIA-128-GCM:-CAMELLIA-256-GCM\
                       ${if !eq{$received_port}{25}{:-ARCFOUR-128}}

 #