Voici la configuration nécessaire pour avoir une bonne sécurité au niveau du ssl sous Dovecot. Le fichier “10-ssl.conf” sera placé dans le répertoire “/etc/dovecot/conf.d/” :
#### SSL Settings.
ssl = required
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
# mkdir /etc/dovecot/ssl; openssl dhparam -out /etc/dovecot/ssl/dh4096.pem 4096
ssl_dh = </etc/dovecot/ssl/dh4096.pem
# ( P-384 = secp384r1 )
ssl_curve_list = P-384:X448:X25519
# no ticket et default no compression
ssl_options = no_ticket
ssl_min_protocol = TLSv1.2
# trusted certificat of let's encrypt in ca-certificates debian package
ssl_client_ca_dir = /etc/ssl/certs
ssl_ca = </etc/ssl/certs/ISRG_Root_X1.pem
# Vos certificats
ssl_cert = </etc/lets_encrypt/live/NOM_SERVER_MAIL/fullchain.pem
ssl_key = </etc/lets_encrypt/live/NOM_SERVER_MAIL/privkey.pem
