Support TLS and STARTTLS for mail

master
kaiyou 7 years ago
parent 4892fe47e6
commit ba4ed579df

@ -24,15 +24,8 @@ http {
# TLS configuration # TLS configuration
{% if TLS and not TLS_ERROR %} {% if TLS and not TLS_ERROR %}
listen 443 ssl; listen 443 ssl;
include /etc/nginx/tls.conf;
ssl_protocols TLSv1.1 TLSv1.2; ssl_session_cache shared:SSLHTTP:50m;
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_certificate {{ TLS[0] }};
ssl_certificate_key {{ TLS[1] }};
add_header Strict-Transport-Security max-age=15768000; add_header Strict-Transport-Security max-age=15768000;
if ($scheme = http) { if ($scheme = http) {
@ -89,15 +82,49 @@ mail {
auth_http http://{{ ADMIN_ADDRESS }}/internal/nginx; auth_http http://{{ ADMIN_ADDRESS }}/internal/nginx;
proxy_pass_error_message on; proxy_pass_error_message on;
{% if TLS and not TLS_ERROR %}
include /etc/nginx/tls.conf;
ssl_session_cache shared:SSLMAIL:50m;
{% endif %}
server { server {
listen 25; listen 25;
{% if TLS_FLAVOR != 'notls' %}
starttls on;
{% endif %}
protocol smtp;
smtp_auth none;
}
{% if not TLS_ERROR %}
server {
listen 143;
{% if TLS %}
starttls only;
{% endif %}
protocol imap;
imap_auth plain;
}
{% if TLS %}
server {
listen 465 ssl;
protocol smtp; protocol smtp;
smtp_auth plain; smtp_auth plain;
} }
server { server {
listen 143; listen 597;
starttls only;
protocol smtp;
smtp_auth plain;
}
server {
listen 993 ssl;
protocol imap; protocol imap;
imap_auth plain; imap_auth plain;
} }
{% endif %}
{% endif %}
} }

@ -0,0 +1,7 @@
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_certificate {{ TLS[0] }};
ssl_certificate_key {{ TLS[1] }};

@ -23,5 +23,6 @@ if args["TLS"] and not all(os.path.exists(file_path) for file_path in args["TLS"
args["TLS_ERROR"] = "yes" args["TLS_ERROR"] = "yes"
convert("/conf/tls.conf", "/etc/nginx/tls.conf", args)
convert("/conf/nginx.conf", "/etc/nginx/nginx.conf", args) convert("/conf/nginx.conf", "/etc/nginx/nginx.conf", args)
os.system("nginx -s reload") os.system("nginx -s reload")

Loading…
Cancel
Save