ssl.conf revision 277c0eea825eec176cddc029af68f5a4d942e16e
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen## SSL settings
e1e5b1f4ada9d9b4d36edeaf1c5229be90b12815Timo Sirainen# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen# dropping root privileges, so keep the key file unreadable by anyone but
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen# root. Included doc/mkcert.sh can be used to easily generate self-signed
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen# certificate, just make sure to update the domains in dovecot-openssl.cnf
c0435c854a0e7246373b9752d163095cc4fbe985Timo Sirainen# If key file is password protected, give the password here. Alternatively
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen# give it when starting dovecot with -p parameter. Since this file is often
cd466fe7b84b0223735a6469c7f7bc225f65996dTimo Sirainen# world-readable, you may want to place this setting instead to a different
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen# root owned 0600 file by using !include_try <path>.
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#ssl_key_password =
d56384d5226c8860079d0d0b08b83404e8c42986Timo Sirainen# PEM encoded trusted certificate authority. Set this only if you intend to use
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
d56384d5226c8860079d0d0b08b83404e8c42986Timo Sirainen# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen# Request client to send a certificate. If you also want to require it, set
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen# auth_ssl_require_client_cert=yes in auth section.
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#ssl_verify_client_cert = no
4b058f90f9e8a2c6b2eed275de4eb8cc5195a71dTimo Sirainen# Which field from certificate to use for username. commonName and
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen# x500UniqueIdentifier are the usual choices. You'll also need to set
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen# auth_ssl_username_from_cert=yes.
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen#ssl_cert_username_field = commonName
33ca6b017b6ebbd048651b5e3d16915001dbc291Timo Sirainen# How often to regenerate the SSL parameters file. Generation is quite CPU
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen# intensive operation. The value is in hours, 0 disables regeneration
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen#ssl_parameters_regenerate = 168
6a9f9a5101b665fd2ef80c9e048a5eace78e01efTimo Sirainen# SSL ciphers to use
6a9f9a5101b665fd2ef80c9e048a5eace78e01efTimo Sirainen#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL