danwin1210/mail-hosting
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make use of snakeoil certificates in default configuration files

Browse Source
This commit is contained in:
Daniel Winzen
2024-06-05 21:53:17 +02:00
parent ffac3ea1db
commit a8c633b1d2
12 changed files with 70 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
etc/dovecot/dovecot.conf
View File

@ -47,8 +47,8 @@ auth_mechanisms = plain login
#TLS parameters
ssl = required
ssl_cert = </etc/acme.sh/danwin1210.de_ecc/fullchain.cer
ssl_key = </etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </etc/dovecot/dh.pem
ssl_min_protocol = TLSv1.2

5
etc/nginx/nginx.conf
View File

@ -4,6 +4,7 @@ pid /run/nginx.pid;
pcre_jit on;
worker_rlimit_nofile 30000;
worker_shutdown_timeout 1m;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 7680;
@ -51,8 +52,8 @@ http {
ssl_early_data off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_dhparam /etc/nginx/dh4096.pem;
##

4
etc/nginx/sites-enabled/mail
View File

@ -51,8 +51,8 @@ server {
add_header Cross-Origin-Opener-Policy same-origin always;
add_header Cross-Origin-Resource-Policy same-origin always;
listen [::]:443 ssl proxy_protocol http2;
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
root /var/www/html;
index index.php;
server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion danwin1210.de;

4
etc/nginx/sites-enabled/openpgpkey
View File

@ -16,6 +16,6 @@ server {
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
expires off;
}
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
}

4
etc/postfix/main.cf
View File

@ -24,8 +24,8 @@ compatibility_level = 3.6
smtputf8_autodetect_classes = all
# TLS parameters
smtpd_tls_cert_file = /etc/acme.sh/danwin1210.de_ecc/fullchain.cer
smtpd_tls_key_file = /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_ciphers = HIGH
smtpd_tls_mandatory_ciphers = HIGH
smtp_tls_ciphers = HIGH

4
etc/prosody/prosody.cfg.lua
View File

@ -124,8 +124,8 @@ pidfile = "/run/prosody/prosody.pid";
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
ssl = {
key = "/etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key";
certificate = "/etc/acme.sh/danwin1210.de_ecc/fullchain.cer";
key = "/etc/ssl/private/ssl-cert-snakeoil.key";
certificate = "/etc/ssl/certs/ssl-cert-snakeoil.pem";
dhparam = "/etc/prosody/dh4096.pem";
curve = "X448:X25519:secp521r1:secp384r1:secp256k1";
ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!RSA:!PSK:!SRP:!3DES:!aNULL:!SHA:!MD5:!CAMELLIA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256";