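##
## SSL settings
##
## Dovecot conf.d/10-ssl.conf: one directive per line, `#` full-line comments,
## `<path` reads the value from a file. The source was collapsed onto a single
## line, which no parser accepts; the directive-per-line layout is restored here.

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
# plain imap and pop3 are still allowed for local connections
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#ssl_key = </etc/pki/dovecot/private/dovecot.pem
# NOTE(review): the Let's Encrypt live/ entries are symlinks into
# /etc/letsencrypt/archive/; confirm the privkey target is root-owned 0600.
# Dovecot reads it as root before dropping privileges, so no wider access is
# needed. Renewals replace the symlink target, so Dovecot must be reloaded
# after each renewal to serve the new certificate.
ssl_cert = </etc/letsencrypt/live/homeserver8.ujsoftware.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/homeserver8.ujsoftware.com/privkey.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
#ssl_ca =

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/pki/dovecot/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =

# Require valid cert when connecting to a remote server
#ssl_client_require_valid_cert = yes

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </etc/dovecot/dh.pem

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
# TLSv1.2 is the lowest version without known protocol-level weaknesses.
#ssl_min_protocol = TLSv1
ssl_min_protocol = TLSv1.2

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# PROFILE=SYSTEM defers to the OS-wide crypto policy (crypto-policies on
# RHEL/Fedora-family systems). OpenSSL builds without that support reject the
# string and SSL startup fails, so on other distributions use an explicit
# cipher list such as the default above.
ssl_cipher_list = PROFILE=SYSTEM

# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
ssl_prefer_server_ciphers = yes

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   compression - Enable compression.
#   no_ticket - Disable SSL session tickets.
# Leave compression off (the default); TLS-level compression is known to leak
# plaintext and offers no benefit for mail protocols.
#ssl_options =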