Support TLS and STARTTLS for mail

7 years ago · ba4ed579df
parent 4892fe47e6
commit ba4ed579df
3 changed files with 45 additions and 10 deletions
--- a/nginx/conf/nginx.conf
+++ b/nginx/conf/nginx.conf
@ -24,15 +24,8 @@ http {
      # TLS configuration
      {% if TLS and not TLS_ERROR %}
      listen 443 ssl;
-
-      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
-      ssl_prefer_server_ciphers on;
-      ssl_session_timeout 5m;
-      ssl_session_cache shared:SSL:50m;
-      ssl_certificate {{ TLS[0] }};
-      ssl_certificate_key {{ TLS[1] }};
-
+      include /etc/nginx/tls.conf;
+      ssl_session_cache shared:SSLHTTP:50m;
      add_header Strict-Transport-Security max-age=15768000;

      if ($scheme = http) {
@ -89,15 +82,49 @@ mail {
    auth_http http://{{ ADMIN_ADDRESS }}/internal/nginx;
    proxy_pass_error_message on;

+    {% if TLS and not TLS_ERROR %}
+    include /etc/nginx/tls.conf;
+    ssl_session_cache shared:SSLMAIL:50m;
+    {% endif %}
+
    server {
      listen 25;
+      {% if TLS_FLAVOR != 'notls' %}
+      starttls on;
+      {% endif %}
+      protocol smtp;
+      smtp_auth none;
+    }
+
+    {% if not TLS_ERROR %}
+    server {
+      listen 143;
+      {% if TLS %}
+      starttls only;
+      {% endif %}
+      protocol imap;
+      imap_auth plain;
+    }
+
+    {% if TLS %}
+    server {
+      listen 465 ssl;
      protocol smtp;
      smtp_auth plain;
    }

    server {
-      listen 143;
+      listen 597;
+      starttls only;
+      protocol smtp;
+      smtp_auth plain;
+    }
+
+    server {
+      listen 993 ssl;
      protocol imap;
      imap_auth plain;
    }
+    {% endif %}
+    {% endif %}
 }
--- a/nginx/conf/tls.conf
+++ b/nginx/conf/tls.conf
@ -0,0 +1,7 @@
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+ssl_prefer_server_ciphers on;
+ssl_session_timeout 5m;
+ssl_certificate {{ TLS[0] }};
+ssl_certificate_key {{ TLS[1] }};
+
--- a/nginx/config.py
+++ b/nginx/config.py
@ -23,5 +23,6 @@ if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"
    args["TLS_ERROR"] = "yes"


+convert("/conf/tls.conf", "/etc/nginx/tls.conf", args)
 convert("/conf/nginx.conf", "/etc/nginx/nginx.conf", args)
 os.system("nginx -s reload")