Securing dovecot with SSL/TLS on RHEL7
Securing dovecot (dovecot-2.2.36-3.el7), which uses openssl
This article is part of the Securing Applications Collection
Due to issues found during the lifetime of RHEL7, the version of dovecot should always be at least dovecot-2.2.36-3.el7.
Configuration File
/etc/dovecot/conf.d/10-ssl.conf
shortform
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
ssl_prefer_server_ciphers = yes
Protocols
ssl_protocols = !SSLv2 !SSLv3
TLSv1 or better
Protocol - Alternative Values
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
Disable TLSv1, allow TLSv1.1 or better
ssl_protocols = !SSLv2
Allow SSLv3 or better
Ciphers
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
Provides a reasonably secure set.
Ciphers - Alternative Values
ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:RC4-SHA:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
Include RC4-SHA for older client compatibility.
ssl_cipher_list = ALL:!ADH:!EXPORT:!SSLv2:RC4-SHA:+HIGH:+!MEDIUM:+!LOW
Allow very old ciphers
Certificate Handling
dovecot uses a key file and a certificate file.
Key File
ssl_key = </etc/pki/dovecot/private/dovecot.pem
The key file should be readable only by root.
Certificate File
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
Should contain the server certificate followed by any intermediate certificates and then the root certificate.
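An added example (not part of the original article) that audits a 10-ssl.conf against the settings recommended above: ssl enabled, SSLv2/SSLv3 disabled, RC4 and anonymous ciphers excluded, server cipher preference on, file references for cert and key, and a root-only key file. It assumes dovecot's last-assignment-wins rule and the "<file" value syntax; the two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a dovecot 10-ssl.conf against the recommended TLS settings.
# Assumes dovecot semantics: last assignment wins, "<path" reads a file.

# Effective value of a setting (last uncommented assignment, whitespace
# after '=' stripped). Usage: ssl_setting <conf> <setting-name>
ssl_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one finding per line; return 0 when clean, 1 when anything failed.
audit_dovecot_ssl() {
    conf=$1 rc=0
    [ "$(ssl_setting "$conf" ssl)" = yes ] || { echo "ssl is not yes"; rc=1; }
    protos=$(ssl_setting "$conf" ssl_protocols)
    for bad in SSLv2 SSLv3; do                 # both must be explicitly off
        case " $protos " in
            *" !$bad "*) ;;
            *) echo "ssl_protocols does not disable $bad"; rc=1 ;;
        esac
    done
    ciphers=$(ssl_setting "$conf" ssl_cipher_list)
    for bad in RC4 aNULL; do                   # must appear as !RC4 / !aNULL
        case ":$ciphers:" in
            *":!$bad:"*) ;;
            *) echo "ssl_cipher_list does not exclude $bad"; rc=1 ;;
        esac
    done
    [ "$(ssl_setting "$conf" ssl_prefer_server_ciphers)" = yes ] ||
        { echo "ssl_prefer_server_ciphers is not yes"; rc=1; }
    for f in ssl_cert ssl_key; do              # values must be <file refs
        v=$(ssl_setting "$conf" "$f")
        case "$v" in
            "<"*) ;;
            *) echo "$f is not a <file reference: '$v'"; rc=1 ;;
        esac
    done
    key=${v#<}                                 # $v is the ssl_key value here
    if [ -f "$key" ] && [ -n "$(find "$key" -perm /077)" ]; then
        echo "$key is readable by group or others"; rc=1
    fi
    return $rc
}

# Constructed samples: the recommended settings, and a weakened variant.
GOOD_CONF=$(mktemp); WEAK_CONF=$(mktemp)
printf '%s\n' 'ssl = yes' 'ssl_cert = </etc/pki/dovecot/certs/dovecot.pem' \
    'ssl_key = </etc/pki/dovecot/private/dovecot.pem' 'ssl_protocols = !SSLv2 !SSLv3' \
    'ssl_prefer_server_ciphers = yes' \
    'ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:kRSA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5' >"$GOOD_CONF"
printf '%s\n' 'ssl = yes' 'ssl_cert = </etc/pki/dovecot/certs/dovecot.pem' \
    'ssl_key = /etc/pki/dovecot/private/dovecot.pem' 'ssl_protocols = !SSLv2' \
    'ssl_cipher_list = ALL:!ADH:!EXPORT:!SSLv2:RC4-SHA:+HIGH:+!MEDIUM:+!LOW' >"$WEAK_CONF"
```

Run it as `audit_dovecot_ssl /etc/dovecot/conf.d/10-ssl.conf` on a host; the weakened sample reports five findings (SSLv3 allowed, RC4 and aNULL not excluded, no server preference, key not a file reference).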