From 7164c05979c91b6346a944fd3fe366c4ea9298dc Mon Sep 17 00:00:00 2001
From: thom <thom@amsterdamtech.nl>
Date: Sat, 8 Aug 2020 16:21:25 +0200
Subject: [PATCH 1/2] Update SSL params (#5423)

---
 install/tpl/apache_ispconfig.vhost.master |  4 ++--
 install/tpl/debian6_dovecot2.conf.master  |  5 +++--
 install/tpl/debian_dovecot2.conf.master   |  4 +++-
 install/tpl/debian_postfix.conf.master    | 11 +++++++----
 install/tpl/fedora_dovecot2.conf.master   |  4 +++-
 install/tpl/fedora_postfix.conf.master    |  9 ++++++---
 install/tpl/gentoo_postfix.conf.master    |  9 ++++++---
 install/tpl/nginx_apps.vhost.master       |  4 ++--
 install/tpl/nginx_ispconfig.vhost.master  | 10 +++++-----
 install/tpl/opensuse_dovecot2.conf.master |  7 ++++---
 install/tpl/opensuse_postfix.conf.master  |  9 ++++++---
 11 files changed, 47 insertions(+), 29 deletions(-)

diff --git a/install/tpl/apache_ispconfig.vhost.master b/install/tpl/apache_ispconfig.vhost.master
index 61e9a58859..f90876170b 100644
--- a/install/tpl/apache_ispconfig.vhost.master
+++ b/install/tpl/apache_ispconfig.vhost.master
@@ -70,7 +70,7 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
   # SSL Configuration
   <tmpl_var name="ssl_comment">SSLEngine On
   <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'>
-  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3
+  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
   <tmpl_else>
   <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3
   </tmpl_if>
@@ -78,7 +78,7 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
   <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
   <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
 
-  <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+  <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
   <tmpl_var name="ssl_comment">SSLHonorCipherOrder On
   <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
   <tmpl_var name="ssl_comment">SSLCompression Off
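Review bot: The trimmed `SSLCipherSuite` on the `+` line keeps only ECDHE/DHE AEAD suites, but nothing records where the list comes from or that the same eight suites are now duplicated verbatim in the dovecot2 and postfix templates of this commit. It looks like the Mozilla "intermediate" profile as generated around the commit date; if so, a comment such as `# Cipher list: Mozilla intermediate profile (Aug 2020); keep in sync with the dovecot2/postfix templates` above the line would tell the next maintainer what has to be updated together. Note also that `SSLHonorCipherOrder On` is kept here while the dovecot templates set `ssl_prefer_server_ciphers = no` and the postfix templates `tls_preempt_cipherlist = no`; with an all-AEAD list the practical difference is small, but the three daemons now state opposite preference policies and a one-line comment explaining which is intended would help.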
diff --git a/install/tpl/debian6_dovecot2.conf.master b/install/tpl/debian6_dovecot2.conf.master
index 80709cfe36..ce27f2376e 100644
--- a/install/tpl/debian6_dovecot2.conf.master
+++ b/install/tpl/debian6_dovecot2.conf.master
@@ -7,8 +7,9 @@ mail_privileged_group = vmail
 ssl_cert = </etc/postfix/smtpd.cert
 ssl_key = </etc/postfix/smtpd.key
 ssl_dh = </etc/dovecot/dh.pem
-ssl_protocols = !SSLv2 !SSLv3
-ssl_min_protocol = TLSv1
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_prefer_server_ciphers = no
 auth_verbose = yes
 mail_max_userip_connections = 100
 mail_plugins = quota
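Review bot: `ssl_prefer_server_ciphers = no` on the last `+` line hands cipher selection to the client, the opposite of the Apache (`SSLHonorCipherOrder On`) and nginx (`ssl_prefer_server_ciphers on`) templates touched in the same commit. With the all-AEAD `ssl_cipher_list` directly above it the impact is limited, but the choice should be deliberate and stated, e.g. `# client chooses among the AEAD suites above; server order is not enforced` above that line. The `DHE-RSA-*` entries in `ssl_cipher_list` are only usable because this template also sets `ssl_dh` (context line above); a short comment tying the two together would prevent the DHE suites becoming dead entries if `ssl_dh` is ever removed.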
diff --git a/install/tpl/debian_dovecot2.conf.master b/install/tpl/debian_dovecot2.conf.master
index a292591372..60a1263e48 100644
--- a/install/tpl/debian_dovecot2.conf.master
+++ b/install/tpl/debian_dovecot2.conf.master
@@ -7,7 +7,9 @@ mail_privileged_group = vmail
 postmaster_address = postmaster@example.com
 ssl_cert = </etc/postfix/smtpd.cert
 ssl_key = </etc/postfix/smtpd.key
-ssl_protocols = !SSLv2 !SSLv3
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_prefer_server_ciphers = no
 auth_verbose = yes
 mail_max_userip_connections = 100
 mail_plugins = $mail_plugins quota
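Review bot: The new `ssl_cipher_list` includes `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384`, but unlike debian6_dovecot2.conf.master this hunk's context shows no `ssl_dh` setting; unless it is set elsewhere in the file, a Dovecot 2.3 server (the version `ssl_min_protocol` targets) has no DH parameters to offer and those two suites can never be negotiated, leaving only the ECDHE entries effective. The same applies to fedora_dovecot2.conf.master and opensuse_dovecot2.conf.master in this commit. Either add `ssl_dh = </etc/dovecot/dh.pem` next to `ssl_key` as the debian6 template does (the installer would presumably then also need to generate that file for these distributions), or drop the two DHE suites from the list and note why in a comment.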
diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master
index 1c1b8187b1..8e3fa50f22 100644
--- a/install/tpl/debian_postfix.conf.master
+++ b/install/tpl/debian_postfix.conf.master
@@ -14,7 +14,7 @@ smtpd_sasl_auth_enable = yes
 broken_sasl_auth_clients = yes
 smtpd_sasl_authenticated_header = yes
 smtpd_restriction_classes = greylisting
-greylisting = check_policy_service inet:127.0.0.1:10023 
+greylisting = check_policy_service inet:127.0.0.1:10023
 smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, check_recipient_access proxy:mysql:{config_dir}/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:{config_dir}/mysql-virtual_recipient.cf{rbl_list}{greylisting}, check_policy_service unix:private/quota-status
 smtpd_use_tls = yes
 smtpd_tls_security_level = may
@@ -39,10 +39,13 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
 body_checks = regexp:{config_dir}/body_checks
 owner_request_special = no
 smtp_tls_security_level = may
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
-smtpd_tls_protocols = !SSLv2,!SSLv3
-smtp_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_exclude_ciphers = RC4, aNULL
 smtp_tls_exclude_ciphers = RC4, aNULL
+smtpd_tls_mandatory_ciphers = medium
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+tls_preempt_cipherlist = no
 # needed for postfix < 3.3 when using reject_unverified_recipient (lmtp):
 enable_original_recipient = yes
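Review bot: `smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1` restricts the outbound SMTP client, which runs with `smtp_tls_security_level = may` (context line above): a remote MX that only speaks TLS 1.0/1.1 now fails the handshake, and under opportunistic TLS that means a deferral and, depending on the Postfix version and retry handling, an eventual cleartext delivery, which is a worse outcome than TLS 1.0, and the Postfix TLS documentation as I recall it discourages tightening protocol exclusions for opportunistic client TLS for exactly this reason. Keep the client-side exclusion at its old value and put the TLS 1.2 floor only where TLS is mandatory: `smtp_tls_protocols = !SSLv2,!SSLv3` and `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1`; the inbound `smtpd_tls_*` lines can stay as they are. Note that `tls_medium_cipherlist` also narrows the client's default `medium` grade to the same eight suites, with the same interoperability trade-off, so a comment stating that this is intentional (or a separate `smtp_tls_ciphers` choice) is needed. The identical change is made in fedora_postfix.conf.master, gentoo_postfix.conf.master and opensuse_postfix.conf.master; minor: the mixed `!SSLv2,!SSLv3, !TLSv1` spacing is legal but inconsistent with the `smtpd_tls_mandatory_protocols` line just above it.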
diff --git a/install/tpl/fedora_dovecot2.conf.master b/install/tpl/fedora_dovecot2.conf.master
index 2acd757fbd..4b9bb5c6a9 100644
--- a/install/tpl/fedora_dovecot2.conf.master
+++ b/install/tpl/fedora_dovecot2.conf.master
@@ -6,7 +6,9 @@ log_timestamp = "%Y-%m-%d %H:%M:%S "
 mail_privileged_group = vmail
 ssl_cert = </etc/postfix/smtpd.cert
 ssl_key = </etc/postfix/smtpd.key
-ssl_protocols = !SSLv2 !SSLv3
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_prefer_server_ciphers = no
 auth_verbose = yes
 mail_plugins = quota
 passdb {
diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master
index 58892ef82a..ffe831286c 100644
--- a/install/tpl/fedora_postfix.conf.master
+++ b/install/tpl/fedora_postfix.conf.master
@@ -35,10 +35,13 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
 body_checks = regexp:{config_dir}/body_checks
 inet_interfaces = all
 smtp_tls_security_level = may
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
-smtpd_tls_protocols = !SSLv2,!SSLv3
-smtp_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_exclude_ciphers = RC4, aNULL
 smtp_tls_exclude_ciphers = RC4, aNULL
+smtpd_tls_mandatory_ciphers = medium
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+tls_preempt_cipherlist = no
 # needed for postfix < 3.3 when using reject_unverified_recipient (lmtp):
 enable_original_recipient = yes
diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master
index c38670f250..52b48f9274 100644
--- a/install/tpl/gentoo_postfix.conf.master
+++ b/install/tpl/gentoo_postfix.conf.master
@@ -34,10 +34,13 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
 body_checks = regexp:{config_dir}/body_checks
 inet_interfaces = all
 smtp_tls_security_level = may
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
-smtpd_tls_protocols = !SSLv2,!SSLv3
-smtp_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_exclude_ciphers = RC4, aNULL
 smtp_tls_exclude_ciphers = RC4, aNULL
+smtpd_tls_mandatory_ciphers = medium
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+tls_preempt_cipherlist = no
 # needed for postfix < 3.3 when using reject_unverified_recipient (lmtp):
 enable_original_recipient = yes
diff --git a/install/tpl/nginx_apps.vhost.master b/install/tpl/nginx_apps.vhost.master
index a22b1aab46..2680b209a2 100644
--- a/install/tpl/nginx_apps.vhost.master
+++ b/install/tpl/nginx_apps.vhost.master
@@ -2,7 +2,7 @@ server {
         listen {apps_vhost_port} {ssl_on};
         listen [::]:{apps_vhost_port} {ssl_on} ipv6only=on;
 
-        {ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        {ssl_comment}ssl_protocols TLSv1.2;
         {ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
         {ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
 
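Review bot: `ssl_protocols TLSv1.2;` is an allow-list, so unlike the exclusion form used in the Apache, Postfix and Dovecot templates of this commit it also shuts out TLS 1.3 on nginx/OpenSSL builds that support it. If the minimum nginx version the installer supports accepts the keyword (nginx rejects unknown protocol names at config test, so this is version-dependent and should be confirmed), write `{ssl_comment}ssl_protocols TLSv1.2 TLSv1.3;`; otherwise add a comment explaining why 1.3 is deliberately omitted. The same line is changed in nginx_ispconfig.vhost.master.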
@@ -115,7 +115,7 @@ server {
         location /phpMyAdmin {
                rewrite ^/* /phpmyadmin last;
         }
-		
+
         location /squirrelmail {
                root /usr/share/;
                index index.php index.html index.htm;
diff --git a/install/tpl/nginx_ispconfig.vhost.master b/install/tpl/nginx_ispconfig.vhost.master
index aad670e97a..dbe44d7064 100644
--- a/install/tpl/nginx_ispconfig.vhost.master
+++ b/install/tpl/nginx_ispconfig.vhost.master
@@ -1,13 +1,13 @@
 server {
         listen {vhost_port} {ssl_on};
         listen [::]:{vhost_port} {ssl_on} ipv6only=on;
-		
-		{ssl_comment}ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+		{ssl_comment}ssl_protocols TLSv1.2;
         {ssl_comment}ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
         {ssl_comment}ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
         {ssl_comment}ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
         {ssl_comment}ssl_prefer_server_ciphers on;
-		
+
 		# redirect to https if accessed with http
 		{ssl_comment}error_page 497 https://$host:{vhost_port}$request_uri;
 
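Review bot: The `ssl_ciphers` line kept as context in this hunk still offers `DES-CBC3-SHA`, the `ECDHE-*-DES-CBC3-SHA` suites and the CBC/SHA1 suites, while the Apache template in the same commit trimmed its list to eight AEAD suites; with TLS 1.2 now the only protocol on this vhost, those legacy suites are the weakest thing the ISPConfig panel still negotiates. Replacing the value with the same eight-suite list used for Apache (`ECDHE-ECDSA-AES128-GCM-SHA256:...:DHE-RSA-AES256-GCM-SHA384`) would make the templates consistent; nginx_apps.vhost.master may carry a similar `ssl_ciphers` line outside its hunk and should be checked as well. If the cipher list is intentionally left for a follow-up, a comment on that line saying so would stop it being mistaken for the hardened one.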
@@ -44,7 +44,7 @@ server {
         location ~ /\. {
                deny  all;
         }
-		
+
 #        location /phpmyadmin {
 #               root /usr/share/;
 #               index index.php index.html index.htm;
@@ -64,7 +64,7 @@ server {
 #        location /phpMyAdmin {
 #               rewrite ^/* /phpmyadmin last;
 #        }
-#		
+#
 #        location /squirrelmail {
 #               root /usr/share/;
 #               index index.php index.html index.htm;
diff --git a/install/tpl/opensuse_dovecot2.conf.master b/install/tpl/opensuse_dovecot2.conf.master
index 62c9939819..9624c05684 100644
--- a/install/tpl/opensuse_dovecot2.conf.master
+++ b/install/tpl/opensuse_dovecot2.conf.master
@@ -6,7 +6,9 @@ log_timestamp = "%Y-%m-%d %H:%M:%S "
 mail_privileged_group = vmail
 ssl_cert = </etc/postfix/smtpd.cert
 ssl_key = </etc/postfix/smtpd.key
-ssl_protocols = !SSLv2 !SSLv3
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_prefer_server_ciphers = no
 mail_plugins = quota
 passdb {
   args = /etc/dovecot/dovecot-sql.conf
@@ -79,7 +81,7 @@ mail_plugins = $mail_plugins quota
 #2.3+         group = vmail
 #2.3+         mode = 0660
 #2.3+     }
-#2.3+ 
+#2.3+
 #2.3+     unix_listener stats-writer {
 #2.3+         user = vmail
 #2.3+         group = vmail
@@ -122,4 +124,3 @@ namespace inbox {
     special_use = \Trash
   }
 }
-
diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master
index d254e3ccb5..545dcb1080 100644
--- a/install/tpl/opensuse_postfix.conf.master
+++ b/install/tpl/opensuse_postfix.conf.master
@@ -37,10 +37,13 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
 body_checks = regexp:{config_dir}/body_checks
 inet_interfaces = all
 smtp_tls_security_level = may
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
-smtpd_tls_protocols = !SSLv2,!SSLv3
-smtp_tls_protocols = !SSLv2,!SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1
 smtpd_tls_exclude_ciphers = RC4, aNULL
 smtp_tls_exclude_ciphers = RC4, aNULL
+smtpd_tls_mandatory_ciphers = medium
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+tls_preempt_cipherlist = no
 # needed for postfix < 3.3 when using reject_unverified_recipient (lmtp):
 enable_original_recipient = yes
-- 
GitLab


From 4189017a3a443758613ecc2521d01198cd1616e7 Mon Sep 17 00:00:00 2001
From: thom <thom@amsterdamtech.nl>
Date: Mon, 10 Aug 2020 12:30:01 +0200
Subject: [PATCH 2/2] Add ssl_protocols for backwards compatibility (#5423)

---
 install/tpl/debian6_dovecot2.conf.master | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install/tpl/debian6_dovecot2.conf.master b/install/tpl/debian6_dovecot2.conf.master
index ce27f2376e..1080eeb559 100644
--- a/install/tpl/debian6_dovecot2.conf.master
+++ b/install/tpl/debian6_dovecot2.conf.master
@@ -7,6 +7,7 @@ mail_privileged_group = vmail
 ssl_cert = </etc/postfix/smtpd.cert
 ssl_key = </etc/postfix/smtpd.key
 ssl_dh = </etc/dovecot/dh.pem
+ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 ssl_prefer_server_ciphers = no
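Review bot: The re-added `ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1` now sits next to `ssl_min_protocol = TLSv1.2` with nothing tying the two together, and only this template gets the compatibility line although debian_dovecot2, fedora_dovecot2 and opensuse_dovecot2 lost their `ssl_protocols` in the previous patch as well. If the target is pre-2.3 Dovecot, those versions presumably also reject the unknown `ssl_min_protocol` key (doveconf treats unknown settings as fatal, as far as I recall), so the installer must be dropping one of the two lines per version; that should be confirmed and documented here. Suggest a comment above the pair such as `# ssl_protocols: Dovecot < 2.3; ssl_min_protocol: Dovecot >= 2.3 -- keep both at the TLS 1.2 floor` and applying the same pair to the other three dovecot2 templates.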
-- 
GitLab