WIP: dovecot 2.4 support

2025-09-16 09:43:18 +02:00
parent e56868072f
commit 4b0c9e4376
38 changed files with 1737 additions and 31 deletions
--- a/modoboa_installer/scripts/files/dovecot/2.4/conf.d/10-ssl.conf.tpl
+++ b/modoboa_installer/scripts/files/dovecot/2.4/conf.d/10-ssl.conf.tpl
@@ -0,0 +1,59 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <https://doc.dovecot.org/latest/core/config/ssl.html>
+ssl = yes
+
+# PEM encoded X.509 SSL/TLS certificate and private key.  By default, Debian
+# installs a self-signed certificate.  This is useful for testing, but you
+# should obtain a real certificate from a recognized certificate authority.
+#
+# These files are opened before dropping root privileges, so keep the key file
+# unreadable by anyone but root. Included /usr/share/dovecot/mkcert.sh can be
+# used to easily generate self-signed certificate, just make sure to update the
+# domains in dovecot-openssl.cnf
+# 
+# Preferred permissions: root:root 0444
+# ssl_server_cert_file = /etc/dovecot/private/dovecot.pem
+# Preferred permissions: root:root 0400
+# ssl_server_key_file = /etc/dovecot/private/dovecot.key
+!include_try /etc/dovecot/conf.d/10-ssl-keys.try
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_server_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_request_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_server_ca_file = /etc/ssl/certs/ca.pem)
+#ssl_server_ca_file = 
+
+# Require that CRL check succeeds for client certificates.
+#ssl_server_require_crl = yes
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_server_request_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_server_cert_username_field = commonName
+
+# SSL protocols to use.  Debian systems specify TLSv1.2 by default, which should
+# be reasonbly secure and compatible with existing clients.
+%ssl_protocol_parameter = %ssl_protocols
+
+# Diffie-Hellman parameters are no longer required and should be phased out.
+# They do not work with ECDH(E) and require DH(E) ciphers.
+#ssl_server_dh_file = /etc/dovecot/dh.pem
+
+# SSL ciphers to use
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device = /dev/crypto