Changes

From SME Server
Jump to navigationJump to search

SSL Settings (view source)

Revision as of 16:38, 17 May 2020

4,139 bytes added ,  16:38, 17 May 2020
no edit summary
Line 41: Line 41:  
  config setprop pop3s TLSv1 disabled
 
  config setprop pop3s TLSv1 disabled
 
  signal-event email-update
 
  signal-event email-update
 +
{{Note box|This is only available on SME9, for SME10 POP3 is handled by dovecot.}}
 +
 +
===Dovecot===
 +
For windows 10 require TLSv1.2 to be enabled Default is disabled
 +
 +
[root@sme10a4 ~]# config show dovecot
 +
dovecot=service
 +
Quotas=enabled
 +
status=enabled
 +
 +
# config setprop dovecot TLSv1.2 enabled
 +
# signal-event email-update
 +
 +
[root@sme10a4 ~]# config show dovecot
 +
dovecot=service
 +
Quotas=enabled
 +
TLSv1.2=enabled
 +
status=enabled
    
==Ciphers==
 
==Ciphers==
Line 65: Line 83:     
  config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
 
  config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
  config setprop ldap qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
+
  config setprop qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
  config setprop ldap pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
+
  config setprop pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
    
Expand all templates and restart:
 
Expand all templates and restart:
Line 72: Line 90:  
  signal-event post-upgrade;signal-event reboot
 
  signal-event post-upgrade;signal-event reboot
   −
==Other settings==
+
==Other informations==
   −
===Existing keys===
+
===Existing templates===
    
For reference here are the existing keys in /etc/e-smith/templates
 
For reference here are the existing keys in /etc/e-smith/templates
   −
  etc/dovecot/dovecot.conf/35ssl:12:$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
+
  /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl:12:$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
  etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite:4:    $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+
  /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite:4:    $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
  etc/openldap/slapd.conf/12tls:2:TLSCipherSuite        { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
+
  /etc/e-smith/templates/etc/openldap/slapd.conf/12tls:2:TLSCipherSuite        { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
  var/service/qpsmtpd/config/tls_ciphers/10ciphers:3:    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+
  /etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers:3:    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
 +
those are fthe te,plate for protocols
 +
 
 +
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
 +
 
 +
/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
 +
 
 +
/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
 +
 
 +
/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
 +
 
 +
/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
 +
 
 +
=== Existing keys and properties ===
 +
{| class="wikitable"
 +
|+
 +
!Key
 +
!Property
 +
!default SME9
 +
!default SME10
 +
!template
 +
!informations
 +
|-
 +
|modSSL
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
 +
|for httpd
 +
|-
 +
|dovecot
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
 +
|default to modSSL(CipherSuite) if exists
 +
|-
 +
|ldap
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
 +
|default to modSSL(CipherSuite) if exists
 +
|-
 +
|qpsmtpd
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers
 +
|default to modSSL(CipherSuite) if exists
 +
|-
 +
|pop3s
 +
|CipherSuite
 +
|'''none'''
 +
|'''moved to dovecot'''
 +
|
 +
|'''needs template custom see above'''
 +
|-
 +
|httpd-e-smith
 +
|SSLv2
 +
|disabled
 +
|disabled
 +
| rowspan="5" |/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
 +
|
 +
|-
 +
|httpd-e-smith
 +
|SSLv3
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|httpd-e-smith
 +
|TLSv1
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|httpd-e-smith
 +
|TLSv1.1
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|httpd-e-smith
 +
|TLSv1.2
 +
|'''none'''
 +
|enabled
 +
|
 +
|-
 +
|dovecot
 +
|SSLv2
 +
|disabled
 +
|disabled
 +
| rowspan="5" |/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
 +
|
 +
|-
 +
|dovecot
 +
|SSLv3
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|dovecot
 +
|TLSv1
 +
|enabled
 +
|disabled
 +
|
 +
|-
 +
|dovecot
 +
|TLSv1.1
 +
|enabled
 +
|disabled
 +
|
 +
|-
 +
|dovecot
 +
|TLSv1.2
 +
|'''none'''
 +
|enabled
 +
|
 +
|-
 +
|pop3s
 +
|SSLv2
 +
|disabled
 +
|'''moved to dovecot'''
 +
| rowspan="4" |/etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl
 +
|
 +
|-
 +
|pop3s
 +
|SSLv3
 +
|disabled
 +
|'''moved to dovecot'''
 +
|
 +
|-
 +
|pop3s
 +
|TLSv1
 +
|enabled
 +
|'''moved to dovecot'''
 +
|
 +
|-
 +
|pop3s
 +
|TLSv1.1
 +
|'''none'''
 +
|'''moved to dovecot'''
 +
|'''needs template custom''' for SME9
 +
|-
 +
|qpsmtpd
 +
|SSLv2
 +
|disabled
 +
|disabled
 +
|
 +
|
 +
|-
 +
|qpsmtpd
 +
|SSLv3
 +
|disabled
 +
|disabled
 +
|/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
 +
|
 +
|-
 +
|qpsmtpd
 +
|TLSv1
 +
|enabled
 +
|enabled
 +
|
 +
|more permissive to allow oportunistic encrypted email transfer between smtp
 +
|-
 +
|qpsmtpd
 +
|TLSv1.1
 +
|'''none'''
 +
|enabled
 +
|
 +
|more permissive to allow oportunistic encrypted email transfer between smtp
 +
|-
 +
|qpsmtpd
 +
|TLSv1.2
 +
|'''none'''
 +
|enabled
 +
|
 +
|
 +
|-
 +
|ftp
 +
|none
 +
|none (no TLS on SME9)
 +
|none
 +
|/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
 +
|TLSProtocol                TLSv1.1 TLSv1.2
 +
|-
 +
|ldap
 +
|SSLv3
 +
|disabled
 +
|'''removed'''
 +
|/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
 +
|TLSProtocolMin '3.0'(enabled) or '3.1'(disabled)
 +
|-
 +
|ldap
 +
|TLSProtocolMin
 +
|'''none'''
 +
|TLSv1.2
 +
|/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
 +
|SSLv3,TLSv1,TLSv1,1, TLSv1.2
 +
|}
    
===Preferred Ciphers===
 
===Preferred Ciphers===
Line 126: Line 344:  
If your server does not support the protocol, you will get
 
If your server does not support the protocol, you will get
 
  Secure Renegotiation IS NOT supported
 
  Secure Renegotiation IS NOT supported
 
+
     
  [[category:developer]]
+
      [[category:developer]]
+
     
 
+
     
  [[category:advanced]]
+
      [[category:advanced]]
Warren
80

edits

Retrieved from "https://wiki.koozali.org/Special:MobileDiff/38738...38765"

Navigation menu