change default ssl-cipher-list; minor changes in config-xmls, fixes #1541
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
@@ -2692,8 +2692,8 @@ SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}
|
||||
#TLSLog /var/log/proftpd-tls.log
|
||||
#TLSProtocol SSLv23
|
||||
#TLSTimeoutHandshake 120
|
||||
# Really important for WinClients
|
||||
#TLSOptions NoCertRequest
|
||||
# Really important for WinClients and some clients
|
||||
#TLSOptions NoCertRequest NoSessionReuseRequired
|
||||
#TLSRSACertificateFile /etc/ssl/server/<SERVERNAME>.crt
|
||||
#TLSRSACertificateKeyFile /etc/ssl/server/<SERVERNAME>.key
|
||||
# Authenticate client that want to use FTP over TLS?
|
||||
|
||||
@@ -2120,7 +2120,7 @@ ControlsLog /var/log/proftpd/controls.log
|
||||
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
|
||||
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
|
||||
TLSCipherSuite ALL:!ADH:!DES
|
||||
TLSOptions NoCertRequest
|
||||
TLSOptions NoCertRequest NoSessionReuseRequired
|
||||
TLSVerifyClient off
|
||||
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
|
||||
TLSLog /var/log/proftpd/tls.log
|
||||
|
||||
@@ -2862,387 +2862,6 @@ auth_mechanisms = plain login
|
||||
#!include auth-deny.conf.ext
|
||||
#!include auth-master.conf.ext
|
||||
|
||||
#!include auth-system.conf.ext
|
||||
!include auth-sql.conf.ext
|
||||
#!include auth-ldap.conf.ext
|
||||
#!include auth-passwdfile.conf.ext
|
||||
#!include auth-checkpassword.conf.ext
|
||||
#!include auth-vpopmail.conf.ext
|
||||
#!include auth-static.conf.ext
|
||||
]]>
|
||||
</content>
|
||||
</file>
|
||||
<file name="/etc/dovecot/dovecot.conf" chown="root:root"
|
||||
chmod="0640" backup="true">
|
||||
<content><![CDATA[
|
||||
## Dovecot configuration file
|
||||
|
||||
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
|
||||
|
||||
# "doveconf -n" command gives a clean output of the changed settings. Use it
|
||||
# instead of copy&pasting files when posting to the Dovecot mailing list.
|
||||
|
||||
# '#' character and everything after it is treated as comments. Extra spaces
|
||||
# and tabs are ignored. If you want to use either of these explicitly, put the
|
||||
# value inside quotes, eg.: key = "# char and trailing whitespace "
|
||||
|
||||
# Default values are shown for each setting, it's not required to uncomment
|
||||
# those. These are exceptions to this though: No sections (e.g. namespace {})
|
||||
# or plugin settings are added by default, they're listed only as examples.
|
||||
# Paths are also just examples with the real defaults being based on configure
|
||||
# options. The paths listed here are for configure --prefix=/usr
|
||||
# --sysconfdir=/etc --localstatedir=/var
|
||||
|
||||
# Enable installed protocols
|
||||
!include_try /usr/share/dovecot/protocols.d/*.protocol
|
||||
|
||||
# A comma separated list of IPs or hosts where to listen in for connections.
|
||||
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
|
||||
# If you want to specify non-default ports or anything more complex,
|
||||
# edit conf.d/master.conf.
|
||||
#listen = *, ::
|
||||
|
||||
# Base directory where to store runtime data.
|
||||
#base_dir = /var/run/dovecot/
|
||||
|
||||
# Name of this instance. In multi-instance setup doveadm and other commands
|
||||
# can use -i <instance_name> to select which instance is used (an alternative
|
||||
# to -c <config_path>). The instance name is also added to Dovecot processes
|
||||
# in ps output.
|
||||
#instance_name = dovecot
|
||||
|
||||
# Greeting message for clients.
|
||||
#login_greeting = Dovecot ready.
|
||||
|
||||
# Space separated list of trusted network ranges. Connections from these
|
||||
# IPs are allowed to override their IP addresses and ports (for logging and
|
||||
# for authentication checks). disable_plaintext_auth is also ignored for
|
||||
# these networks. Typically you'd specify your IMAP proxy servers here.
|
||||
#login_trusted_networks =
|
||||
|
||||
# Sepace separated list of login access check sockets (e.g. tcpwrap)
|
||||
#login_access_sockets =
|
||||
|
||||
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
|
||||
# proxying. This isn't necessary normally, but may be useful if the destination
|
||||
# IP is e.g. a load balancer's IP.
|
||||
#auth_proxy_self =
|
||||
|
||||
# Show more verbose process titles (in ps). Currently shows user name and
|
||||
# IP address. Useful for seeing who are actually using the IMAP processes
|
||||
# (eg. shared mailboxes or if same uid is used for multiple accounts).
|
||||
#verbose_proctitle = no
|
||||
|
||||
# Should all processes be killed when Dovecot master process shuts down.
|
||||
# Setting this to "no" means that Dovecot can be upgraded without
|
||||
# forcing existing client connections to close (although that could also be
|
||||
# a problem if the upgrade is e.g. because of a security fix).
|
||||
#shutdown_clients = yes
|
||||
|
||||
# If non-zero, run mail commands via this many connections to doveadm server,
|
||||
# instead of running them directly in the same process.
|
||||
#doveadm_worker_count = 0
|
||||
# UNIX socket or host:port used for connecting to doveadm server
|
||||
#doveadm_socket_path = doveadm-server
|
||||
|
||||
# Space separated list of environment variables that are preserved on Dovecot
|
||||
# startup and passed down to all of its child processes. You can also give
|
||||
# key=value pairs to always set specific settings.
|
||||
#import_environment = TZ
|
||||
|
||||
##
|
||||
## Dictionary server settings
|
||||
##
|
||||
|
||||
# Dictionary can be used to store key=value lists. This is used by several
|
||||
# plugins. The dictionary can be accessed either directly or though a
|
||||
# dictionary server. The following dict block maps dictionary names to URIs
|
||||
# when the server is used. These can then be referenced using URIs in format
|
||||
# "proxy::<name>".
|
||||
|
||||
dict {
|
||||
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
|
||||
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
|
||||
}
|
||||
|
||||
# Most of the actual configuration gets included below. The filenames are
|
||||
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
|
||||
# in filenames are intended to make it easier to understand the ordering.
|
||||
!include conf.d/*.conf
|
||||
|
||||
# A config file can also tried to be included without giving an error if
|
||||
# it's not found:
|
||||
!include_try local.conf
|
||||
]]>
|
||||
</content>
|
||||
</file>
|
||||
<file name="/etc/dovecot/dovecot-sql.conf.ext" chown="root:root"
|
||||
chmod="0600" backup="true">
|
||||
<content><![CDATA[
|
||||
# This file is opened as root, so it should be owned by root and mode 0600.
|
||||
#
|
||||
# http://wiki2.dovecot.org/AuthDatabase/SQL
|
||||
#
|
||||
# For the sql passdb module, you'll need a database with a table that
|
||||
# contains fields for at least the username and password. If you want to
|
||||
# use the user@domain syntax, you might want to have a separate domain
|
||||
# field as well.
|
||||
#
|
||||
# If your users all have the same uig/gid, and have predictable home
|
||||
# directories, you can use the static userdb module to generate the home
|
||||
# dir based on the username and domain. In this case, you won't need fields
|
||||
# for home, uid, or gid in the database.
|
||||
#
|
||||
# If you prefer to use the sql userdb module, you'll want to add fields
|
||||
# for home, uid, and gid. Here is an example table:
|
||||
#
|
||||
# CREATE TABLE users (
|
||||
# username VARCHAR(128) NOT NULL,
|
||||
# domain VARCHAR(128) NOT NULL,
|
||||
# password VARCHAR(64) NOT NULL,
|
||||
# home VARCHAR(255) NOT NULL,
|
||||
# uid INTEGER NOT NULL,
|
||||
# gid INTEGER NOT NULL,
|
||||
# active CHAR(1) DEFAULT 'Y' NOT NULL
|
||||
# );
|
||||
|
||||
# Database driver: mysql, pgsql, sqlite
|
||||
driver = mysql
|
||||
|
||||
# Database connection string. This is driver-specific setting.
|
||||
#
|
||||
# HA / round-robin load-balancing is supported by giving multiple host
|
||||
# settings, like: host=sql1.host.org host=sql2.host.org
|
||||
#
|
||||
# pgsql:
|
||||
# For available options, see the PostgreSQL documention for the
|
||||
# PQconnectdb function of libpq.
|
||||
# Use maxconns=n (default 5) to change how many connections Dovecot can
|
||||
# create to pgsql.
|
||||
#
|
||||
# mysql:
|
||||
# Basic options emulate PostgreSQL option names:
|
||||
# host, port, user, password, dbname
|
||||
#
|
||||
# But also adds some new settings:
|
||||
# client_flags - See MySQL manual
|
||||
# ssl_ca, ssl_ca_path - Set either one or both to enable SSL
|
||||
# ssl_cert, ssl_key - For sending client-side certificates to server
|
||||
# ssl_cipher - Set minimum allowed cipher security (default: HIGH)
|
||||
# option_file - Read options from the given file instead of
|
||||
# the default my.cnf location
|
||||
# option_group - Read options from the given group (default: client)
|
||||
#
|
||||
# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
|
||||
# Note that currently you can't use spaces in parameters.
|
||||
#
|
||||
# sqlite:
|
||||
# The path to the database file.
|
||||
#
|
||||
# Examples:
|
||||
# connect = host=192.168.1.1 dbname=users
|
||||
# connect = host=sql.example.com dbname=virtual user=virtual password=blarg
|
||||
# connect = /etc/dovecot/authdb.sqlite
|
||||
#
|
||||
connect = host=<SQL_HOST> dbname=<SQL_DB> user=<SQL_UNPRIVILEGED_USER> password=<SQL_UNPRIVILEGED_PASSWORD>
|
||||
|
||||
# Default password scheme.
|
||||
#
|
||||
# List of supported schemes is in
|
||||
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
|
||||
#
|
||||
default_pass_scheme = CRYPT
|
||||
|
||||
# passdb query to retrieve the password. It can return fields:
|
||||
# password - The user's password. This field must be returned.
|
||||
# user - user@domain from the database. Needed with case-insensitive lookups.
|
||||
# username and domain - An alternative way to represent the "user" field.
|
||||
#
|
||||
# The "user" field is often necessary with case-insensitive lookups to avoid
|
||||
# e.g. "name" and "nAme" logins creating two different mail directories. If
|
||||
# your user and domain names are in separate fields, you can return "username"
|
||||
# and "domain" fields instead of "user".
|
||||
#
|
||||
# The query can also return other fields which have a special meaning, see
|
||||
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
|
||||
#
|
||||
# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
|
||||
# for full list):
|
||||
# %u = entire user@domain
|
||||
# %n = user part of user@domain
|
||||
# %d = domain part of user@domain
|
||||
#
|
||||
# Note that these can be used only as input to SQL query. If the query outputs
|
||||
# any of these substitutions, they're not touched. Otherwise it would be
|
||||
# difficult to have eg. usernames containing '%' characters.
|
||||
#
|
||||
# Example:
|
||||
# password_query = SELECT userid AS user, pw AS password \
|
||||
# FROM users WHERE userid = '%u' AND active = 'Y'
|
||||
#
|
||||
#password_query = \
|
||||
# SELECT username, domain, password \
|
||||
# FROM users WHERE username = '%n' AND domain = '%d'
|
||||
|
||||
# userdb query to retrieve the user information. It can return fields:
|
||||
# uid - System UID (overrides mail_uid setting)
|
||||
# gid - System GID (overrides mail_gid setting)
|
||||
# home - Home directory
|
||||
# mail - Mail location (overrides mail_location setting)
|
||||
#
|
||||
# None of these are strictly required. If you use a single UID and GID, and
|
||||
# home or mail directory fits to a template string, you could use userdb static
|
||||
# instead. For a list of all fields that can be returned, see
|
||||
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
|
||||
#
|
||||
# Examples:
|
||||
# user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
|
||||
# user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
|
||||
# user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
|
||||
#
|
||||
#user_query = \
|
||||
# SELECT home, uid, gid \
|
||||
# FROM users WHERE username = '%n' AND domain = '%d'
|
||||
user_query = SELECT CONCAT(homedir, maildir) AS home, CONCAT('maildir:', homedir, maildir) AS mail, uid, gid, CONCAT('*:storage=', (quota*1024)) as quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u')
|
||||
|
||||
# If you wish to avoid two SQL lookups (passdb + userdb), you can use
|
||||
# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
|
||||
# also have to return userdb fields in password_query prefixed with "userdb_"
|
||||
# string. For example:
|
||||
#password_query = \
|
||||
# SELECT userid AS user, password, \
|
||||
# home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
|
||||
# FROM users WHERE userid = '%u'
|
||||
password_query = SELECT username AS user, password_enc AS password, CONCAT(homedir, maildir) AS userdb_home, uid AS userdb_uid, gid AS userdb_gid, CONCAT('maildir:', homedir, maildir) AS userdb_mail, CONCAT('maildir:storage=', (quota*1024)) as userdb_quota FROM mail_users WHERE (username = '%u' OR email = '%u') AND ((imap = 1 AND '%Ls' = 'imap') OR (pop3 = 1 AND '%Ls' = 'pop3') OR '%Ls' = 'smtp' OR '%Ls' = 'sieve')
|
||||
|
||||
# Query to get a list of all usernames.
|
||||
#iterate_query = SELECT username AS user FROM users
|
||||
]]>
|
||||
</content>
|
||||
</file>
|
||||
<file name="/etc/dovecot/conf.d/10-auth.conf" chown="root:0"
|
||||
chmod="0640" backup="true">
|
||||
<content><![CDATA[
|
||||
##
|
||||
## Authentication processes
|
||||
##
|
||||
|
||||
# Disable LOGIN command and all other plaintext authentications unless
|
||||
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
|
||||
# matches the local IP (ie. you're connecting from the same computer), the
|
||||
# connection is considered secure and plaintext authentication is allowed.
|
||||
disable_plaintext_auth = no
|
||||
|
||||
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
|
||||
# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
|
||||
#auth_cache_size = 0
|
||||
# Time to live for cached data. After TTL expires the cached record is no
|
||||
# longer used, *except* if the main database lookup returns internal failure.
|
||||
# We also try to handle password changes automatically: If user's previous
|
||||
# authentication was successful, but this one wasn't, the cache isn't used.
|
||||
# For now this works only with plaintext authentication.
|
||||
#auth_cache_ttl = 1 hour
|
||||
# TTL for negative hits (user not found, password mismatch).
|
||||
# 0 disables caching them completely.
|
||||
#auth_cache_negative_ttl = 1 hour
|
||||
|
||||
# Space separated list of realms for SASL authentication mechanisms that need
|
||||
# them. You can leave it empty if you don't want to support multiple realms.
|
||||
# Many clients simply use the first one listed here, so keep the default realm
|
||||
# first.
|
||||
#auth_realms =
|
||||
|
||||
# Default realm/domain to use if none was specified. This is used for both
|
||||
# SASL realms and appending @domain to username in plaintext logins.
|
||||
#auth_default_realm =
|
||||
|
||||
# List of allowed characters in username. If the user-given username contains
|
||||
# a character not listed in here, the login automatically fails. This is just
|
||||
# an extra check to make sure user can't exploit any potential quote escaping
|
||||
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
|
||||
# set this value to empty.
|
||||
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
|
||||
|
||||
# Username character translations before it's looked up from databases. The
|
||||
# value contains series of from -> to characters. For example "#@/@" means
|
||||
# that '#' and '/' characters are translated to '@'.
|
||||
#auth_username_translation =
|
||||
|
||||
# Username formatting before it's looked up from databases. You can use
|
||||
# the standard variables here, eg. %Lu would lowercase the username, %n would
|
||||
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
|
||||
# "-AT-". This translation is done after auth_username_translation changes.
|
||||
#auth_username_format = %Lu
|
||||
|
||||
# If you want to allow master users to log in by specifying the master
|
||||
# username within the normal username string (ie. not using SASL mechanism's
|
||||
# support for it), you can specify the separator character here. The format
|
||||
# is then <username><separator><master username>. UW-IMAP uses "*" as the
|
||||
# separator, so that could be a good choice.
|
||||
#auth_master_user_separator =
|
||||
|
||||
# Username to use for users logging in with ANONYMOUS SASL mechanism
|
||||
#auth_anonymous_username = anonymous
|
||||
|
||||
# Maximum number of dovecot-auth worker processes. They're used to execute
|
||||
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
|
||||
# automatically created and destroyed as needed.
|
||||
#auth_worker_max_count = 30
|
||||
|
||||
# Host name to use in GSSAPI principal names. The default is to use the
|
||||
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
|
||||
# entries.
|
||||
#auth_gssapi_hostname =
|
||||
|
||||
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
|
||||
# default (usually /etc/krb5.keytab) if not specified. You may need to change
|
||||
# the auth service to run as root to be able to read this file.
|
||||
#auth_krb5_keytab =
|
||||
|
||||
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
|
||||
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
|
||||
#auth_use_winbind = no
|
||||
|
||||
# Path for Samba's ntlm_auth helper binary.
|
||||
#auth_winbind_helper_path = /usr/bin/ntlm_auth
|
||||
|
||||
# Time to delay before replying to failed authentications.
|
||||
#auth_failure_delay = 2 secs
|
||||
|
||||
# Require a valid SSL client certificate or the authentication fails.
|
||||
#auth_ssl_require_client_cert = no
|
||||
|
||||
# Take the username from client's SSL certificate, using
|
||||
# X509_NAME_get_text_by_NID() which returns the subject's DN's
|
||||
# CommonName.
|
||||
#auth_ssl_username_from_cert = no
|
||||
|
||||
# Space separated list of wanted authentication mechanisms:
|
||||
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
|
||||
# gss-spnego
|
||||
# NOTE: See also disable_plaintext_auth setting.
|
||||
auth_mechanisms = plain login
|
||||
|
||||
##
|
||||
## Password and user databases
|
||||
##
|
||||
|
||||
#
|
||||
# Password database is used to verify user's password (and nothing more).
|
||||
# You can have multiple passdbs and userdbs. This is useful if you want to
|
||||
# allow both system users (/etc/passwd) and virtual users to login without
|
||||
# duplicating the system users into virtual database.
|
||||
#
|
||||
# <doc/wiki/PasswordDatabase.txt>
|
||||
#
|
||||
# User database specifies where mails are located and what user/group IDs
|
||||
# own them. For single-UID configuration use "static" userdb.
|
||||
#
|
||||
# <doc/wiki/UserDatabase.txt>
|
||||
|
||||
#!include auth-deny.conf.ext
|
||||
#!include auth-master.conf.ext
|
||||
|
||||
#!include auth-system.conf.ext
|
||||
!include auth-sql.conf.ext
|
||||
#!include auth-ldap.conf.ext
|
||||
|
||||
Reference in New Issue
Block a user