Securing dovecot with SSL/TLS on RHEL7
Securing dovecot (dovecot-2.2.36-3.el7), which uses openssl
This article is part of the Securing Applications Collection
Due to issues found during the lifetime of RHEL7, the version of dovecot should always be at least dovecot-2.2.36-3.el7.
Configuration File
/etc/dovecot/conf.d/10-ssl.conf
Short form
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
ssl_prefer_server_ciphers = yes
Protocols
ssl_protocols = !SSLv2 !SSLv3
Allow TLSv1 or better (SSLv2 and SSLv3 disabled)
Protocol - Alternative Values
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
Disable TLSv1, allow TLSv1.1 or better
ssl_protocols = !SSLv2
Allow SSLv3 or better
Ciphers
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
Provides a reasonably secure set.
Ciphers - Alternative Values
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4-SHA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
Include RC4-SHA for older client compatibility.
ssl_cipher_list = ALL:!ADH:!EXPORT:!SSLv2:RC4-SHA:+HIGH:+!MEDIUM:+!LOW
Allow very old ciphers
Certificate Handling
Dovecot uses a key file and a certificate file.
Key File
ssl_key = </etc/pki/dovecot/private/dovecot.pem
The key should be readable only by root.
Certificate File
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
Should contain the server certificate followed by any intermediate certificates and then the root certificate.
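The following audit script is an added example, not part of the original article or of dovecot: it checks a 10-ssl.conf against the settings above (ssl enabled, SSLv2 and SSLv3 disabled, the weak cipher classes excluded with "!", server cipher preference set, and the key file carrying no group or other permission bits). The script name and function names are assumptions.

```sh
#!/bin/sh
# Added example (not from dovecot or the article): audit a 10-ssl.conf
# against the settings above. Exits 0 when all checks pass, 1 otherwise.

# Print the value of a dovecot setting: first "name = value" line, '<' kept.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# True when the colon-separated cipher list contains an explicit "!NAME".
cipher_excludes() {
    case ":$1:" in
        *":!$2:"*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_dovecot_ssl() {
    conf=$1
    rc=0
    [ "$(conf_get "$conf" ssl)" = "yes" ] || { echo "FAIL: ssl is not 'yes'"; rc=1; }
    [ "$(conf_get "$conf" ssl_prefer_server_ciphers)" = "yes" ] ||
        { echo "FAIL: ssl_prefer_server_ciphers is not 'yes'"; rc=1; }
    # ssl_protocols must carry an explicit "!" for both legacy SSL versions.
    protocols=$(conf_get "$conf" ssl_protocols)
    for legacy in SSLv2 SSLv3; do
        case " $protocols " in
            *" !$legacy "*) ;;
            *) echo "FAIL: ssl_protocols does not disable $legacy"; rc=1 ;;
        esac
    done
    # Weak classes the recommended list removes; the RC4-SHA variants trip this.
    ciphers=$(conf_get "$conf" ssl_cipher_list)
    for weak in aNULL eNULL RC4 MD5 DES EXP 3DES; do
        cipher_excludes "$ciphers" "$weak" ||
            { echo "WARN: ssl_cipher_list does not exclude $weak"; rc=1; }
    done
    # Strip the '<' read-from-file marker; key must have no group/other bits.
    key=$(conf_get "$conf" ssl_key | sed 's/^<//')
    if [ -n "$key" ] && [ -e "$key" ]; then
        case "$(ls -ld "$key" | cut -c5-10)" in
            *[rwx]*) echo "FAIL: $key is accessible by group or others"; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage: sh audit-dovecot-ssl.sh /etc/dovecot/conf.d/10-ssl.conf
[ $# -eq 0 ] || audit_dovecot_ssl "$1"
```

Run it against the live file after editing; every FAIL or WARN line names the setting to revisit.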