Erik de Waard
2018-May-09 14:48 UTC
possible to disable dh_key/ssl-parameters.dat generation when only using ECDHE ciphers.
Hi,

I want to disable dh_key/ssl-parameters.dat generation entirely, since I'm only using ECDHE ciphers (so the DH parameters are never used).

# 2.2.34 (874deae): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.22 (22940fb7)
# OS: Linux 4.9.0-6-amd64 x86_64 Debian 9.4
# Hostname: somehost.com
auth_cache_negative_ttl = 0
auth_cache_size = 10 M
auth_cache_ttl = 1 days
auth_username_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@#"
default_client_limit = 1500
default_vsz_limit = 600 M
disable_plaintext_auth = no
info_log_path = /var/log/mail.log.info
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_max_userip_connections = 100
mail_privileged_group = mail
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  sieve_execute_bin_dir = /etc/dovecot/sieve-executables
  sieve_global_extensions = +vnd.dovecot.execute
  sieve_plugins = sieve_extprograms
}
protocols = imap lmtp
service anvil {
  unix_listener anvil-auth-penalty {
    mode = 0600
  }
}
service auth {
  user = root
}
service imap-login {
  client_limit = 6000
  process_limit = 4
  process_min_avail = 4
  service_count = 0
  vsz_limit = 600 M
}
service imap {
  client_limit = 1
  process_limit = 1024
  service_count = 50
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
}
ssl_cert = </etc/dovecot/dovecot.crt
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = " sieve"
  plugin {
    sieve = ~/filters.sieve
    sieve_after = /etc/dovecot/sieve/after.sieve
    sieve_before = /etc/dovecot/sieve/before.sieve
  }
  userdb {
    args = /etc/dovecot/dovecot-sql-lmtp.conf
    driver = sql
    name =
  }
}
Aki Tuomi
2018-May-09 15:06 UTC
possible to disable dh_key/ssl-parameters.dat generation when only using ECDHE ciphers.
Dovecot 2.3.1 does not generate ssl-parameters.dat at all any more; instead it accepts a statically supplied DH parameter file. With an ECDHE-only cipher list such as yours there is then nothing left to disable.
---
Aki Tuomi
Dovecot Oy
-------- Original message --------
From: Erik de Waard <erikdewaard at gmail.com>
Date: 09/05/2018 17:48 (GMT+02:00)
To: dovecot at dovecot.org
Subject: possible to disable dh_key/ssl-parameters.dat generation when only using ECDHE ciphers.
Hi,
I want to disable dh_key/ssl-parameters.dat generation entirely, since I'm only using ECDHE ciphers.

# 2.2.34 (874deae): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.22 (22940fb7)
# OS: Linux 4.9.0-6-amd64 x86_64 Debian 9.4
# Hostname: somehost.com
auth_cache_negative_ttl = 0
auth_cache_size = 10 M
auth_cache_ttl = 1 days
auth_username_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@#"
default_client_limit = 1500
default_vsz_limit = 600 M
disable_plaintext_auth = no
info_log_path = /var/log/mail.log.info
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_max_userip_connections = 100
mail_privileged_group = mail
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  type = private
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  sieve_execute_bin_dir = /etc/dovecot/sieve-executables
  sieve_global_extensions = +vnd.dovecot.execute
  sieve_plugins = sieve_extprograms
}
protocols = imap lmtp
service anvil {
  unix_listener anvil-auth-penalty {
    mode = 0600
  }
}
service auth {
  user = root
}
service imap-login {
  client_limit = 6000
  process_limit = 4
  process_min_avail = 4
  service_count = 0
  vsz_limit = 600 M
}
service imap {
  client_limit = 1
  process_limit = 1024
  service_count = 50
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
}
ssl_cert = </etc/dovecot/dovecot.crt
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
verbose_proctitle = yes
protocol lmtp {
  mail_plugins = " sieve"
  plugin {
    sieve = ~/filters.sieve
    sieve_after = /etc/dovecot/sieve/after.sieve
    sieve_before = /etc/dovecot/sieve/before.sieve
  }
  userdb {
    args = /etc/dovecot/dovecot-sql-lmtp.conf
    driver = sql
    name =
  }
}