mirror of
https://github.com/Mailu/Mailu.git
synced 2024-12-12 10:45:38 +02:00
Introduce TLS_PERMISSIVE for port 25
This is a new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged; please read the documentation before doing so.
This commit is contained in:
parent
48e1e91a2c
commit
6a0e881522
@ -74,6 +74,7 @@ DEFAULT_CONFIG = {
'PERMANENT_SESSION_LIFETIME': 30*24*3600,
'SESSION_COOKIE_SECURE': True,
'CREDENTIAL_ROUNDS': 12,
'TLS_PERMISSIVE': True,
'TZ': 'Etc/UTC',
# Host settings
'HOST_IMAP': 'imap',
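Review bot: the default at `'TLS_PERMISSIVE': True` is a Python boolean, while the nginx template in this same commit tests `{% if TLS_PERMISSIVE == 'true' %}` against a lowercase string and the documentation tells users to set it to `'false'`. That only works if the value is normalised to a lowercase string on its way into the template; confirm that the config loader (not visible in this diff) does that for booleans, or store the default as `'true'` so the three places agree. A mismatch would fail closed (the permissive block never renders), which is the safer direction, but it would silently change port 25 behaviour for every existing deployment rather than preserving it as the documentation promises.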
@ -317,9 +317,11 @@ mail {
ssl_certificate /certs/letsencrypt/live/mailu/fullchain.pem;
ssl_certificate /certs/letsencrypt/live/mailu-ecdsa/fullchain.pem;
{% endif %}
{% if TLS_PERMISSIVE == 'true' %}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
{% endif %}
starttls on;
{% endif %}
protocol smtp;
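Review bot: when `TLS_PERMISSIVE` is anything other than the exact string `'true'`, the new `{% if %}`/`{% endif %}` pair drops `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers` from the `mail` block entirely, so port 25 falls back to whatever the enclosing configuration or nginx's built-in defaults provide rather than an explicitly declared strict policy. Consider an `{% else %}` branch that sets the intended hardened protocol and cipher values, so that the non-permissive behaviour is visible and reviewable in the template instead of depending on nginx defaults that differ between versions. The comparison is also case-sensitive: an operator writing `TLS_PERMISSIVE=True` in an env file would silently land in the strict branch. Finally, the list kept under the permissive branch deliberately retains `TLSv1 TLSv1.1` and `DES-CBC3-SHA`; that is the trade-off the setting is about, and the documentation hunk should say so explicitly rather than only in general terms.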
@ -215,6 +215,8 @@ The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send
ISRG Root X1 certificate in TLS handshakes. This is required for `android handsets older than 7.1.1`
but slows down the performance of modern devices.
The ``TLS_PERMISSIVE`` (default: true) setting controls whether ciphers and protocols offered on port 25 for STARTTLS are optimized for maximum compatibility. We **strongly recommend** that you do **not** change this setting on the basis that any encryption beats no encryption. If you are subject to compliance requirements and are not afraid of loosing emails as a result of artificially reducing compatibility, set it to 'false'. Keep in mind that servers that are running a software stack old enough to not be compatible with the current TLS requirements will either a) deliver in plaintext b) bounce emails c) silently drop emails; modern servers will benefit from various downgrade protections (DOWNGRD, RFC7507) making the security argument mostly a moot point.
.. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739
.. _reverse_proxy_headers:
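Review bot: "loosing emails" should be "losing emails", and the three outcomes "a) deliver in plaintext b) bounce emails c) silently drop emails" run together without separators; commas or a bullet list would make them readable. The substantive gap is that the paragraph tells compliance-bound operators to set the value to `'false'` but never states what the strict configuration is (which protocols and cipher families remain on port 25), so they cannot check from the documentation whether it satisfies their policy; one sentence naming the resulting protocol set would close that. "DOWNGRD" would also benefit from a reference alongside RFC7507, since readers may not recognise it as the TLS 1.3 downgrade sentinel in the ServerHello random.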
1
towncrier/newsfragments/2449.feature
Normal file
@ -0,0 +1 @@
Introduce TLS_PERMISSIVE, a new advanced setting to harden cipher configuration on port 25. Changing the default is strongly discouraged, please read the documentation before doing so.
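Review bot: the fragment says the setting exists "to harden cipher configuration on port 25", but the default `True` selects the permissive protocol and cipher list; hardening only happens when an operator sets it to `'false'`. Rephrase it along the lines of "a new advanced setting that can be set to false to restrict protocols and ciphers on port 25" so the changelog does not read as if this release is stricter by default.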