Changing your SSL/TLS/cipher lists in dovecot

Enter Your Query:
Use '%' for wildcards and quotes for "exact phrases"

Top Level » Email » Dovecot

Changing your SSL/TLS/cipher lists in dovecotLast Modified: Jul 17, 2018, 2:07 pm
Every system has different requirements.  From supporting older clients to enforcing new PCI rules, there is no single answer.
With DirectAdmin setups,we like to lean towards functionality first, and admin's can tighten things up if they need to (knowing it will alienate some clients).

With dovecot, the SSL settings are stored in:


but this file shouldn't be edited directly.

  1. To make a custom change to this file, use the CustomBuild custom directory, like this:

    cd /usr/local/directadmin/custombuild
    mkdir -p custom/dovecot/conf
    cp configure/dovecot/conf/ssl.conf custom/dovecot/conf/ssl.conf

  2. and then edit the copied file:

    nano custom/dovecot/conf/ssl.conf

    At the time of this writing (July 2018) the issue at hand is PCI complaince vs mail client support.
  3. We've changed the default to support the mail clients, so to enforce tighter TLS settings to be PCI compliant, you'd edit the custom ssl.conf, and change the ssl_min_protocol line to look like this:

    ssl_min_protocol = TLSv1.1

    where you'd change TLSv1 to TLSv1.1.

    This file is also where you can change your cipher settings, if you need to do so.
  4. Once you're happy with the settings in the custom/dovecot/conf/ssl.conf, you'd write it by typing:

    ./build dovecot_conf

    which installs the default configs, and then overwrites them with whatever is in the custom/dovecot/conf folder, thus installing your custom ssl.conf file.

Related Helpfiles
Current SSL cipher lists for DirectAdmin servers

© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST