##
## SSL settings
##
## Version 2.2.x (AR14759611)

# --------------------------------------------------------------------
# *** Please read this section before modifying this file ***
#
# Several of the keys and values within this file are modified by
#   Apple's Server Admin application.  Each key that is automatically
#   modified by the Server Admin app is identified with a comment
#   preceding the key with this note:
#   
# Note: This key is managed by Server Admin. See above before making changes
# 
# --------------------------------------------------------------------

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# Note: This key is managed by Server Admin. See above before making changes
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
# Note: This key is managed by Server Admin. See above before making changes
ssl_cert = <@PREFIX@/etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
# Note: This key is managed by Server Admin. See above before making changes
ssl_key = <@PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted

# To use macOS Server v5.10 generated certificates:
#
# 0. Identify the file that looks like @host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem
# and verify its issue date and issuer "* Intermediate CA" with:
#
# $ ls /etc/certificates
# $ openssl x509 -inform pem -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem -text -noout
# $ openssl x509 -noout -fingerprint -sha1 -inform pem -in openssl x509 -noout -fingerprint -sha1 -inform pem -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem | tr -d ':' | sed -e 's|^SHA1 Fingerprint=||' | tr -d ':' | sed -e 's|^SHA1 Fingerprint=||'
# 
# Use this SHA1 to obtain the passphraphse for this certificate's private key from:
#
# Keychain Access.app> System> Search for this SHA1>
#   Double-click "Mac OS X Server certificate management"> Show password
#
# 1. Create a secure storage for this passphrase and desctrypted key:
# 
# $ sudo mkdir -p @PREFIX@/etc/certificates/private
# $ sudo chmod 0700 @PREFIX@/etc/certificates/private
# $ sudo vi @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase /etc/certificates/private
# $ sudo chmod -R go-rwx @PREFIX@/etc/certificates/private
# 
# `ssl_key_password` wasn't working on my install, so put the decrypted key in @PREFIX@/etc/certificates/private
# 
# $ sudo openssl pkey -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem -out @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted -passin file:@PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase
# $ sudo chmod -R go-rwx @PREFIX@/etc/certificates/private
# 
# 2. Link to the existing TLS chain.
#
# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem @PREFIX@/etc/certificates
# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem @PREFIX@/etc/certificates
# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem @PREFIX@/etc/certificates
# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.concat.pem @PREFIX@/etc/certificates
# 
# 3. Confirm restricted permissions:
#
# $ ls -l @PREFIX@/etc/certificates
# $ sudo ls -l @PREFIX@/etc/certificates/private
#
# 4. Finally, reconfigure dovecot's conf.d/10-ssl.conf, postfix's master.cf,
# and, if installed, calendar-contacts-server's proxy nginx.conf:
#
# $ sudo vi @PREFIX@/etc/dovecot/conf.d/10-ssl.conf
# $ sudo vi @PREFIX@/etc/postfix/main.cf
# $ sudo vi @PREFIX@/var/calendarserver/Library/CalendarServer/etc/nginx.conf

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password = <@PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase

# PEM encoded trusted certificate authority. Set this only if you intend to
# use ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
# Note: This key is managed by Server Admin. See above before making changes
ssl_ca = <@PREFIX@/etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
#ssl_client_ca_dir =
#ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
# Note: This key is managed by Server Admin. See above before making changes
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to
# set auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168

# Diffie-Hellman is necessary for the modern crypto settings
# sudo openssl dhparam -out @PREFIX@/etc/dovecot/dh4096.pem 4096
#ssl_dh = <@PREFIX@/etc/dovecot/dh4096.pem
# create a shorter, faster DH parameter file for the default installation
ssl_dh = <@PREFIX@/etc/dovecot/dh2048.pem

# SSL protocols to use
# macOS Server v.5.6 configuration:
# ssl_protocols = !SSLv2 !SSLv3

# SSL ciphers to use
# macOS Server v.5.6 configuration:
# ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# require modern crypto - taken from Mozilla's SSL recommendations page
# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_min_protocol = TLSv1.2
ssl_cipher_list=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl_prefer_server_ciphers = yes