jengelh
commented
3 months ago Having to edit cipher lists for every individual daemon does not scale very well for an administrator. Gromox thus decided not to offer this and instead just reuse the global (system-wide) configuration. If you want to include or exclude specific TLS versions or ciphers, you do that via openssl.cnf, cf. config(5) manpage section "SSL Configuration".
In SUSE (and RHEL), there is a mechanism called crypto-policies that not only does it for openssl.cnf but a handful of daemons. In addition, there are a few predefined levels provided for convenience, including one that is aptly named BSI.
https://en.opensuse.org/SDB:Crypto-policies https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
robert-scheck
As of writing,
gromox/{imap,pop3}don't support configuration of TLSv1.2/1.3 ciphers (and ordering). What is missing equals actually NGINX settingsssl_ciphers(TLSv1.2),ssl_prefer_server_ciphers(TLSv1.2) andssl_ecdh_curve(TLSv1.3). Any chance to have this in the future?IIRC Zarafa (and later Kopano Core as a fork) supported at least the TLSv1.2-compatible part due to https://github.com/robert-scheck/zarafa-patches/blob/main/zarafa-7.1.10-ssl_protocols_ciphers.patch, which might be an inspiration for implementation.
Technical Guideline TR-02102-2: Cryptographic Mechanisms: Recommendations and Key Lengths from the German Federal Office for Information Security ("BSI") recommends specific ciphers, which unfortunately can currently not be configured in
gromox/{imap,pop3}.