Securing dovecot with SSL/TLS on RHEL6
Securing dovecot (dovecot-2.0.9-22.el6) that uses openssl
This article is part of the Securing Applications Collection
Configuration File
/etc/dovecot/conf.d/10-ssl.conf
Short form
~~~
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
~~~
Protocols
ssl_protocols = !SSLv2 !SSLv3
TLSv1 or better (TLSv1.0, TLSv1.1 and TLSv1.2, as far as the installed OpenSSL supports them). Confirm after restarting Dovecot with `openssl s_client -connect mail.example.com:993 -ssl3` from a machine whose openssl still has SSLv3 support (substitute your own host name); the handshake must now fail.
Protocol - Alternative Values
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
Disable TLSv1, allow TLSv1.1 or better
ssl_protocols = !SSLv2
Allow SSLv3 or better. SSLv3 is broken (POODLE, CVE-2014-3566); enable it only for clients that cannot speak TLS at all, and remove it again as soon as those clients are gone.
Ciphers
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
Provides a reasonably secure set: forward-secret ECDHE and DHE suites are preferred, and anonymous, NULL-cipher, RC4, MD5, single DES, export-grade, SEED, IDEA and 3DES suites are removed.
Ciphers - Alternative Values
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4-SHA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
Include RC4-SHA for older client compatibility. RC4 is a broken stream cipher (its use in TLS is prohibited by RFC 7465); keep this variant only while such clients remain and drop it afterwards.
ssl_cipher_list = ALL:!ADH:!EXPORT:!SSLv2:RC4-SHA:+HIGH:+!MEDIUM:+!LOW
Allow very old ciphers. Note that `+!MEDIUM` and `+!LOW` stack two prefixes on one token; OpenSSL's cipher-string parser takes exactly one of `!`, `-` or `+` per token, so run any such string through `openssl ciphers -v '...'` before deploying it and fix whatever "Error in cipher list" it reports, otherwise Dovecot will refuse the list at startup.
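The checks above can be scripted. The following is an added example, not part of the original article or of Dovecot: it feeds each of the three `ssl_cipher_list` strings to the local `openssl ciphers`, reports whether OpenSSL parses the string, and lists any suite in the expansion that still uses an algorithm the recommended list excludes. The set of suites printed depends on the OpenSSL build it runs on (RHEL6's OpenSSL 1.0.1 still offers RC4 and 3DES, newer builds may not); the parsing rules do not.

```shell
#!/bin/sh
# Added example, not part of the original article: vet a candidate
# ssl_cipher_list value with the local OpenSSL before writing it into
# 10-ssl.conf. Dovecot passes the string to OpenSSL unchanged, so what
# `openssl ciphers` accepts and expands is what the server will offer.

# 0 if OpenSSL parses the string and it matches at least one suite.
cipher_string_ok() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# Print the suites the string expands to, one per line (nothing if rejected).
expand_ciphers() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# Print any expanded suite that still uses an algorithm the article's list
# excludes (RC4, MD5, DES/3DES, SEED, IDEA, export grades) or that offers no
# authentication or no encryption. grep's status: 0 = weak suites found.
weak_suites() {
    expand_ciphers "$1" | grep -E 'RC4|MD5|DES|SEED|IDEA|EXP|NULL|ADH|AECDH'
}

# One-line verdict for a candidate string; non-zero status if it is unusable.
report() {
    if ! cipher_string_ok "$1"; then
        echo "REJECTED by openssl (check the syntax): $1"
        return 1
    fi
    n=$(expand_ciphers "$1" | wc -l | tr -d ' ')
    weak=$(weak_suites "$1")
    if [ -n "$weak" ]; then
        echo "ACCEPTED, $n suites, but still offers weak ones: $1"
        echo "$weak" | sed 's/^/    /'
        return 1
    fi
    echo "OK, $n suites, none weak: $1"
}

# The article's three candidate strings: the recommended list, the RC4-SHA
# compatibility variant, and the legacy string with its doubled "+!" prefixes.
RECOMMENDED='kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES'
RC4_COMPAT='kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4-SHA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES'
LEGACY='ALL:!ADH:!EXPORT:!SSLv2:RC4-SHA:+HIGH:+!MEDIUM:+!LOW'

# Verdicts are printed, not fatal, so all three strings get reported.
for s in "$RECOMMENDED" "$RC4_COMPAT" "$LEGACY"; do
    report "$s" || :
done
```

Run it on the mail server itself, since that is the OpenSSL Dovecot will link against; a string that passes here will be accepted by Dovecot, and the suite list shown is what `10-ssl.conf` will actually offer.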
Certificate Handling
dovecot uses a key file and certificates file.
Key File
ssl_key = </etc/pki/dovecot/private/dovecot.pem
The key must be readable only by root (owner root, mode 0600). The `<` prefix makes Dovecot read the file contents at startup while it still has root privileges, so the unprivileged login and mail processes never need access to the file itself.
Certificate File
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
Should contain the server certificate first, followed by any intermediate certificates in order (each one issued by the next), and optionally the root certificate. Clients must already trust the root, so including it only adds bytes to every handshake; the intermediates are what clients typically lack.
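The ordering and permission rules above are easy to get wrong when a CA hands over several PEM files. The script below is an added example, not part of the original article or of Dovecot: it builds a throwaway root, intermediate and server certificate in a temporary directory (constructed test material, one-day validity), assembles `dovecot.pem` in the order described, and then checks the things a practitioner would check on a real `/etc/pki/dovecot` tree: each certificate is issued by the one after it, the chain validates against the root, the private key belongs to the first certificate, and the key is not group- or world-readable. The host name `mail.example.com` and the file names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original article: assemble and check a Dovecot
# certificate bundle and key. Runs offline against a throwaway CA built below.

# Split a PEM bundle into numbered files $2/cert.1, $2/cert.2, ...
split_bundle() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/cert." n) }' "$1"
}

# Print the subject or issuer DN of a certificate without the "subject="/"issuer="
# prefix, so the two can be compared as plain text.
dn() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }

# 0 if every certificate in the bundle is issued by the one after it, i.e. the
# order Dovecot (and TLS clients) expect; 1 at the first break in the chain.
check_chain_order() {
    d=$(mktemp -d) || return 2
    split_bundle "$1" "$d"
    n=$(ls "$d" | wc -l | tr -d ' ')
    rc=0; i=1
    [ "$n" -ge 1 ] || rc=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        if [ "$(dn "$d/cert.$i" issuer)" != "$(dn "$d/cert.$j" subject)" ]; then
            echo "cert $i is not issued by cert $j (wrong order or missing intermediate)" >&2
            rc=1; break
        fi
        i=$j
    done
    rm -rf "$d"
    return $rc
}

# Validate the bundle's first certificate against a trusted root, using the
# rest of the bundle as untrusted intermediates (what a client effectively does).
verify_chain() {
    openssl x509 -in "$1" | openssl verify -CAfile "$2" -untrusted "$1" >/dev/null 2>&1
}

# 0 if the private key ($1) belongs to the first certificate in the bundle ($2):
# compares the SubjectPublicKeyInfo of both, so it works for RSA and EC keys.
key_matches_cert() {
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
}

# 0 unless group or others have read permission on the key file.
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Constructed test material: root -> intermediate -> mail.example.com, 1-day
# validity, written to directory $1. Not real CA material.
make_test_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' > "$dir/leaf.ext"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 -subj '/CN=Test Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -subj '/CN=Test Intermediate CA' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -subj '/CN=mail.example.com' \
        -keyout "$dir/dovecot.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
    # ssl_cert: server certificate, then intermediate(s), then (optionally) root.
    cat "$dir/leaf.crt" "$dir/int.crt" "$dir/root.crt" > "$dir/dovecot.pem"
    # ssl_key: readable by the owner only.
    chmod 0600 "$dir/dovecot.key"
}

demo() {
    work=$(mktemp -d) || exit 1
    make_test_pki "$work"
    pem="$work/dovecot.pem"; key="$work/dovecot.key"
    check_chain_order "$pem"             && echo "chain order: ok"
    verify_chain "$pem" "$work/root.crt" && echo "chain verifies against root: ok"
    key_matches_cert "$key" "$pem"       && echo "key matches certificate: ok"
    key_is_private "$key"                && echo "key permissions: ok"
    # The same certificates in the wrong order must be caught.
    cat "$work/int.crt" "$work/leaf.crt" "$work/root.crt" > "$work/wrong.pem"
    check_chain_order "$work/wrong.pem" || echo "wrong order detected: ok"
    rm -rf "$work"
}
demo
```

On a real server, point `check_chain_order`, `verify_chain`, `key_matches_cert` and `key_is_private` at `/etc/pki/dovecot/certs/dovecot.pem` and `/etc/pki/dovecot/private/dovecot.pem` (with the CA's root as the second argument to `verify_chain`) after installing new certificates and before restarting Dovecot.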
## Notes
Should a different certificate be required for POP3, it can be specified in a `protocol pop3` block (Dovecot's protocol name is `pop3`, not `pop`; a `protocol pop` block matches nothing) along with any other non-defaults, substituting the POP3-specific certificate and key paths:
~~~
protocol pop3 {
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
}
~~~