main/dovecot: more secure default config

1 files changed, 32 insertions, 0 deletions

diff --git a/main/dovecot/default-config.patch b/main/dovecot/default-config.patch
new file mode 100644
index 0000000000..17e2077cec
--- /dev/null
+++ b/main/dovecot/default-config.patch
@@ -0,0 +1,32 @@
+--- a/doc/example-config/conf.d/10-mail.conf
++++ b/doc/example-config/conf.d/10-mail.conf
+@@ -322,6 +322,7 @@ protocol !indexer-worker {
+ # them simultaneously.
+ #mbox_read_locks = fcntl
+ #mbox_write_locks = dotlock fcntl
++mbox_write_locks = fcntl
+ 
+ # Maximum time to wait for lock (all of them) before aborting.
+ #mbox_lock_timeout = 5 mins
+--- a/doc/example-config/conf.d/10-ssl.conf
++++ b/doc/example-config/conf.d/10-ssl.conf
+@@ -3,7 +3,10 @@
+ ##
+ 
+ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+-#ssl = yes
++# Disable plain (unencrypted) POP3 and IMAP, allowed are only POP3+TLS,
++# POP3S, IMAP+TLS and IMAPS.
++# Plain IMAP and POP3 are still allowed for local connections.
++ssl = required
+ 
+ # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+ # dropping root privileges, so keep the key file unreadable by anyone but
+@@ -57,6 +59,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
+ #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ # To disable non-EC DH, use:
+ #ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
++ssl_cipher_list = PROFILE=SYSTEM
+ 
+ # Colon separated list of elliptic curves to use. Empty value (the default)
+ # means use the defaults from the SSL library. P-521:P-384:P-256 would be an