Commit graph

8 commits

Author SHA1 Message Date
Marek Walczak c36e878d76 Nist tls (#831)
* remove two ciphers according to https://www.htbridge.com/ssl/ (NIST, HIPAA)
* added a switch via an environment variable to choose between modern and intermediate ciphers
2018-02-22 08:36:12 +01:00
Marek Walczak b4b19e76b7 Stretch backport (#813)
* install dovecot from backports

* dovecot 2.2.33 has a slightly different TLS-configuration than 2.2.27

* want to have both images a the same time

* make use of the /etc/dovecot/ssl as mkcert.sh (2.2.33) is using that folder for certs.
2018-02-04 21:27:47 +01:00
Marek Walczak 49b3867c1b debian stretch slim (#784)
* Switch to stretch-slim as base image.
 - first step correct the testdata, as newer packages are more strict
about the mail-structure.

* Switch to stretch-slim: correcting the test-environment and the build
 - add missing build-step to make
 - clean the userdb aswell
 - use timeout of netcat, as postgrey would not close the connection
 - there is 2 extra mail-logs -> assert_output 5
 - cosmetic: use "" instead of ''

* Switch to stretch-slim:
new image:
 - smaller size
 - 0 CVEs compared to 11 CVEs in ubuntu 16.04 Image
better backport situation
 - postfix 3.1.6 vs 3.1.0
 - fail2ban 0.9.6 vs 0.9.3
 ...
changes needed because of stretch-slim:
- add missing gnupg and iproute2 package
- remove non-free rar, unrar-free should do
- rsyslog does not add syslog user and has different conf-structure
- pyzor command discover was deprecated and is missing in the new
stretch package

- dovecot does not know SSLv2 anymore. removed because of warnings in
log

- iptables does not know imap3, IMAP working group chose imap2 in favor
of imap3

* Switch to debian stretch slim:
SSLv2 seems to be a not known protocol anymore - good!

* switch to debian stretch slim:
make this test more stable. there might be more than only one mail.log
(mail.info, mail.warn, ...)

* switch to debian stretc slim:
 new openssl 1.1.0 needs stronger ciphers, removed some weekers ones.
Please, look through the new list of cipher! this needs to be done in
another commit for all other SSL/TLS-Endpoints aswell.

* Switch to debian stretch slim:
let our server pre-empt the cipher list.
Did a read through, wwwDOTpostfixDOTorg/FORWARD_SECRECY_READMEDOThtml
and
wwwDOTpostfixDOTorg/TLS_READMEDOThtml

* Switch to debian stretch slim: lets give this openssl-based test a new and independent but identical container.  many other test on the main 'mail' container might interfere here.

* Switch to debian stretch slim: remove unused lines
2017-12-31 12:33:48 +01:00
Kai Ren d40ae81d09 Hardening TLS ciphers (#492)
* Hardening Dovecot TLS ciphers
* Mitigate Logjam vulnerability on Dovecot
* Mitigate Logjam vulnerability on Postfix
* Add Nmap tests of PCI compliance for Postfix and Dovecot
* Increase sleep duration on Makefile steps to avoid races
2017-01-25 14:10:40 +01:00
Thomas VIAL 3286612831 Should fix #426 (#427) 2016-12-24 14:24:29 +01:00
Daniele Bellavista 2a15ac619e Secure TLS protocols (#418) 2016-12-23 19:14:02 +01:00
Sylvain Dumont d47cf72650 use strong tls and ciphers 2016-12-17 10:59:04 +01:00
Thomas VIAL fc2e2ae591 Added folder target, simplified user configuration, few renames... Need to work on tests.... 2016-04-12 00:04:33 +02:00
Renamed from dovecot/10-ssl.conf (Browse further)