mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
fix: Relax openssl security level for intermediate
TLS_LEVEL (#2193)
Although these two config lines have not changed since `debian:buster-slim` image, Dovecot seems to now be affected by it which results in rejecting cipher suites below TLS v1.2. To continue supporting the `intermediate` TLS_LEVEL, we now need to relax the global config. Dovecot could alternatively be given a modified openssl config to only affect it's interaction with openssl. Postfix is unaffected and continues to support TLS <1.2 cipher suites when configured to.
This commit is contained in:
parent
08cd4d3371
commit
2bf24e4c08
|
@ -896,6 +896,14 @@ function _setup_ssl
|
||||||
|
|
||||||
_apply_tls_level "${TLS_INTERMEDIATE_SUITE}" "${TLS_INTERMEDIATE_IGNORE}" "${TLS_INTERMEDIATE_MIN}"
|
_apply_tls_level "${TLS_INTERMEDIATE_SUITE}" "${TLS_INTERMEDIATE_IGNORE}" "${TLS_INTERMEDIATE_MIN}"
|
||||||
|
|
||||||
|
# Lowers the minimum acceptable TLS version connection to `TLS 1.0` (from Debian upstream `TLS 1.2`)
|
||||||
|
# Lowers Security Level to `1` (from Debian upstream `2`)
|
||||||
|
# https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1
|
||||||
|
# https://dovecot.org/pipermail/dovecot/2020-October/120225.html
|
||||||
|
# TODO: This is a fix for Debian Bullseye Dovecot. Deprecate TLS <1.2 to resolve properly.
|
||||||
|
sedfile -i 's|^MinProtocol = .*|MinProtocol = TLSv1|' /usr/lib/ssl/openssl.cnf
|
||||||
|
sedfile -i 's|^CipherString = .*|CipherString = DEFAULT@SECLEVEL=1|' /usr/lib/ssl/openssl.cnf
|
||||||
|
|
||||||
_notify 'inf' "TLS configured with 'intermediate' ciphers"
|
_notify 'inf' "TLS configured with 'intermediate' ciphers"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue