authorGregor Kleen <gkleen@yggdrasil.li>2016-04-26 14:56:24 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2016-04-26 14:56:24 +0200
commitc90d9f101a8c6d8a14fb154c19c2fcbf312e0c4c (patch)
treeb3c5f066f146876910ba88e361e4d52d159d7979
parentf50c98266e12f22819727c1f1e65268702c23241 (diff)
ssl params postfix
-rw-r--r--ymir.nix24
1 files changed, 24 insertions, 0 deletions
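--- a/ymir.nix
+++ b/ymir.nix
@@ -301,6 +301,30 @@ in rec {
 destination = ["yggdrasil.li" "ymir.yggdrasil.li" "praseodym.org" "ymir.praseodym.org" "141.li" "ymir.141.li" "xmpp.li" "ymir.xmpp.li" "dirty-haskell.org" "explainuxul.de" "www.explainuxul.de" "lmu.li" "www.lmu.li" "localhost.yggdrasil.li" "localhost"];
 sslCert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
 sslKey = "/var/lib/acme/yggdrasil.li/key.pem";
+extraConfig = ''
+#the dh params
+smtpd_tls_dh1024_param_file = /etc/ssl/dhparam.pem
+smtpd_tls_dh512_param_file = /etc/ssl/dhparam.pem
+#enable ECDH
+smtpd_tls_eecdh_grade = strong
+#enabled SSL protocols, don't allow SSLv2 and SSLv3
+smtpd_tls_protocols= !SSLv2, !SSLv3
+smtpd_tls_mandatory_protocols= !SSLv2, !SSLv3
+#allowed ciphers for smtpd_tls_security_level=encrypt
+smtpd_tls_mandatory_ciphers = high
+#allowed ciphers for smtpd_tls_security_level=may
+#smtpd_tls_ciphers = high
+#enforce the server cipher preference
+tls_preempt_cipherlist = yes
+#disable following ciphers for smtpd_tls_security_level=encrypt
+smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+#disable following ciphers for smtpd_tls_security_level=may
+#smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
+#enable TLS logging to see the ciphers for inbound connections
+smtpd_tls_loglevel = 1
+#enable TLS logging to see the ciphers for outbound connections
+smtp_tls_loglevel = 1
+'';
 };
 
 security.acme = {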
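Review bot: `PSD` in the `smtpd_tls_mandatory_exclude_ciphers` line (new line 320) is not an OpenSSL cipher-string keyword; the intended alias is almost certainly `PSK`, and since OpenSSL silently drops tokens it does not recognise, the PSK cipher suites are not actually excluded while the rest of the list still applies. I would change it to `smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL` and correct the same typo in the commented-out `smtpd_tls_exclude_ciphers` line (322) so it is not copied forward later. The protocol lines only exclude SSLv2/SSLv3, so TLSv1.0/1.1 remain enabled for both opportunistic and mandatory levels; if that is deliberate for inbound-mail compatibility, a one-line comment saying so (`#TLSv1.0/1.1 kept for compatibility with legacy senders`) would save the next reader from "fixing" it. The hunk sets no `smtpd_tls_security_level`/`smtp_tls_security_level`, so whether the mandatory settings ever take effect is presumably decided elsewhere in this attribute set, which starts and ends outside the hunk.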