Buster Compat and Improved TLS Settings
Dovecot updated some TLS parameters in their config file. This adds the new parameters in a backward compatible manner.
Prompted by that move, I also changed dovecot and postfix to a preset-based configuration of TLS. The default preset is `previous`, which should get you an equivalent configuration as before, regardless of being on stretch or buster (minus OpenSSL changes). Also, there are presets `modern`, `intermediate`, `old` directly from the new https://ssl-config.mozilla.org. But beware, at least dovecot currently errors on TLSv1.3-only `modern`, although OpenSSL should be able to handle it. The preset overrides all manual configuration, so you should upgrade your custom variables.
Beware that there are two open bugs on Debian's dovecot package which may impact your setup:
- 928492: doveadm errors on listing PAM users, because of a glibc change
- 930919: dsync no longer syncs Sieve scripts
For both bugs there is a patch on the dovecot repository that is already merged, but neither has made it into Debian yet.