From b398f74851918d826b7daa237c6765130bcaa23e Mon Sep 17 00:00:00 2001
From: Hinrikus Wolf <mail@hinrikus-wolf.de>
Date: Mon, 19 Feb 2018 18:22:57 +0100
Subject: [PATCH] refactor tls_ciphers

---
 dovecot/templates/conf.d/10-ssl.conf.j2 | 3 +--
 postfix/templates/main.cf.j2            | 3 ++-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dovecot/templates/conf.d/10-ssl.conf.j2 b/dovecot/templates/conf.d/10-ssl.conf.j2
index 6f348cb..7aadb4b 100644
--- a/dovecot/templates/conf.d/10-ssl.conf.j2
+++ b/dovecot/templates/conf.d/10-ssl.conf.j2
@@ -51,8 +51,7 @@ ssl_protocols = TLSv1.1 TLSv1.2 !SSLv3
 # SSL ciphers to use
 #ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!SHA1
 #Supported Ciphers downto Android 2.3
-ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
-
+ssl_cipher_list = {{ tls_ciphers }}
 
 # Prefer the server's order of ciphers over client's.
 ssl_prefer_server_ciphers = yes
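Review bot: The retained comment `#Supported Ciphers downto Android 2.3` two lines above the new `ssl_cipher_list = {{ tls_ciphers }}` now describes a value that no longer lives in this template, so a reader of the rendered config cannot tell what the list was tuned for or where to change it; replace it with `# ssl_cipher_list is set from the Ansible variable tls_ciphers (shared with Postfix tls_high_cipherlist)` and move the Android 2.3 rationale to the variable's definition. Dovecot's `ssl_cipher_list` expects one OpenSSL cipher string, so if `tls_ciphers` is ever defined as a YAML list the template would render a Python list literal; `{{ tls_ciphers | join(':') }}` would make a list shape explicit, while the current form is correct only if the variable is a plain string (its definition is not visible here). If the variable simply carries over the list this hunk removes, it still includes 3DES (`DES-CBC3-SHA`) and static-RSA suites without forward secrecy, which is the first thing to revisit now that the list is centralised.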
diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2
index 9b06fc6..4b42739 100644
--- a/postfix/templates/main.cf.j2
+++ b/postfix/templates/main.cf.j2
@@ -33,10 +33,11 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtpd_tls_mandatory_protocols = !TLSv1 !SSLv2, !SSLv3
 smtpd_tls_protocols = !TLSv1 !SSLv2 !SSLv3
 smtpd_tls_mandatory_ciphers=high
-tls_high_cipherlist=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+tls_high_cipherlist = {{ tls_ciphers }}
 smtpd_tls_eecdh_grade=ultra
 
 
+
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.
 smtpd_sasl_type = dovecot
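Review bot: `tls_high_cipherlist` only defines the `high` grade, and the visible `smtpd_tls_mandatory_ciphers=high` binds it to mandatory TLS; opportunistic inbound STARTTLS follows `smtpd_tls_ciphers`, which is not set in this hunk and defaults to `medium`, so unless it is set elsewhere in the file the centralised `{{ tls_ciphers }}` list would not govern most inbound connections — add `smtpd_tls_ciphers = high` beside it if that is the intent. The same variable now feeds both Dovecot (IMAP clients) and Postfix (peer MTAs), whose interoperability constraints differ; Postfix's TLS documentation advises against overriding `tls_high_cipherlist`, and if the value keeps the Android-2.3-oriented suites with 3DES that this hunk removes, that compromise now applies to MTA-to-MTA traffic as well. Consider a `postfix_tls_ciphers` variable defaulting to `tls_ciphers` so each service can diverge without editing the template. Minor style: the new line uses `key = value` while the neighbouring `smtpd_tls_mandatory_ciphers=high` and `smtpd_tls_eecdh_grade=ultra` use `key=value`; pick one form for the file.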
-- 
GitLab