SSLCipherSuite 'kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:AESGCM:ALL:!3DES:!EXPORT:!LOW:!MEDIUM:!aNULL:!eNULL'
SSLHonorCipherOrder on
- # Certificate, DH parameters and key
- SSLCertificateFile /etc/ssl/mycerts/$cert.crt+dh
+ # DH parameters
+ SSLOpenSSLConfCmd DHParameters "/etc/ssl/dh2048.pem"
+
+ # Certificate and key
+ SSLCertificateFile /etc/ssl/mycerts/$cert.crt
SSLCertificateKeyFile /etc/ssl/private/$cert.key
# Server Certificate Chain:
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
- SSLCertificateChainFile /etc/ssl/mycerts/$cert.chain
+ SSLCertificateChainFile /etc/ssl/mycerts/$cert.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
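Review bot: The new `SSLCertificateChainFile /etc/ssl/mycerts/$cert.crt` line names the same file as `SSLCertificateFile`, so the intermediates are only sent if `$cert.crt` holds the leaf followed by the chain, which this diff does not show. The added `SSLOpenSSLConfCmd DHParameters` directive needs httpd 2.4.8 or later built against OpenSSL 1.0.2 or later. From 2.4.8 on, `SSLCertificateChainFile` is deprecated and `SSLCertificateFile` reads appended intermediates itself, so the chain directive can be dropped rather than repointed. I would also add a comment above the DH line, `# Requires httpd >= 2.4.8 and OpenSSL >= 1.0.2; older builds reject this directive`, so a deployment on an older host fails with an understandable reason. The enclosing virtual-host block starts and ends outside this hunk.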
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/ssl/mycerts/letsencrypt/live.crt+chain
+ssl_cert = </etc/ssl/mycerts/letsencrypt/live.crt
ssl_key = </etc/ssl/private/letsencrypt/live.key
# If key file is password protected, give the password here. Alternatively
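Review bot: With the `+chain` suffix removed, `ssl_cert` relies on `live.crt` itself containing the server certificate followed by the intermediates; if it holds only the leaf, clients that validate the chain will fail the handshake. The diff does not show how `live.crt` is produced, so please confirm it is the full-chain file and state that in a comment above the line, e.g. `# live.crt = server certificate followed by intermediates (full chain)`. The same applies to `smtpd_tls_cert_file` in the Postfix hunk and to `certificate` in the `ssl = { … }` hunk further down. After deployment, `openssl s_client -showcerts` against each service shows whether the intermediates are actually presented.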
{% if 'letsencrypt' in group_names %}
# TLS server parameters
-smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt+chain
+smtpd_tls_cert_file=/etc/ssl/mycerts/letsencrypt/live.crt
smtpd_tls_key_file=/etc/ssl/private/letsencrypt/live.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_security_level = may
-- to use SSL/TLS, you may comment or remove this
ssl = {
key = "/etc/ssl/private/letsencrypt/live.key";
- certificate = "/etc/ssl/mycerts/letsencrypt/live.crt+chain";
+ certificate = "/etc/ssl/mycerts/letsencrypt/live.crt";
ciphers = "ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:!3DES";
dhparam = "/etc/ssl/dh2048.pem";
}