Drop support TLS1.1 from dovecot (hestiacp#2538)

jaapmarcus · web-flow · commit 83a18e0ee532 · 2022-04-18T15:55:38.000+02:00
* Drop support TLS1.1 from dovecot EOL since 2020 any way and should not been used anymore hestiacp#2012 * Fix syntax error
diff --git a/install/deb/dovecot/conf.d/10-ssl.conf b/install/deb/dovecot/conf.d/10-ssl.conf
@@ -1,6 +1,5 @@
 ssl = yes
-# See #2012 for TLSv1.1 to 1.2 upgrade
-ssl_min_protocol = TLSv1.1
+ssl_min_protocol = TLSv1.2
 ssl_prefer_server_ciphers = yes
 ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -1682,7 +1682,7 @@ if [ "$dovecot" = 'yes' ]; then
       echo "[ * ] Downgrade dovecot config to sync with 2.2 settings"	
       sed -i 's|#ssl_dh_parameters_length = 4096|ssl_dh_parameters_length = 4096|g' /etc/dovecot/conf.d/10-ssl.conf
       sed -i 's|ssl_dh = </etc/ssl/dhparam.pem|#ssl_dh = </etc/ssl/dhparam.pem|g' /etc/dovecot/conf.d/10-ssl.conf
-      sed -i 's|ssl_min_protocol = TLSv1.1|ssl_protocols = !SSLv3 !TLSv1|g' /etc/dovecot/conf.d/10-ssl.conf
+      sed -i 's|ssl_min_protocol = TLSv1.2|ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1|g' /etc/dovecot/conf.d/10-ssl.conf
     fi
     
     update-rc.d dovecot defaults
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -1756,7 +1756,7 @@ if [ "$dovecot" = 'yes' ]; then
       echo "[ * ] Downgrade dovecot config to sync with 2.2 settings"	
       sed -i 's|#ssl_dh_parameters_length = 4096|ssl_dh_parameters_length = 4096|g' /etc/dovecot/conf.d/10-ssl.conf
       sed -i 's|ssl_dh = </etc/ssl/dhparam.pem|#ssl_dh = </etc/ssl/dhparam.pem|g' /etc/dovecot/conf.d/10-ssl.conf
-      sed -i 's|ssl_min_protocol = TLSv1.1|ssl_protocols = !SSLv3 !TLSv1|g' /etc/dovecot/conf.d/10-ssl.conf
+      sed -i 's|ssl_min_protocol = TLSv1.2|ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1|g' /etc/dovecot/conf.d/10-ssl.conf
     fi
     
     update-rc.d dovecot defaults
diff --git a/install/upgrade/versions/1.6.0.sh b/install/upgrade/versions/1.6.0.sh
@@ -48,6 +48,13 @@ if [ "$MAIL_SYSTEM" = "exim4" ]; then
     fi
 fi
 
+if [ -f "/etc/dovecot/conf.d/10-ssl.conf" ]; then
+    sed -i 's|ssl_min_protocol = TLSv1.1|ssl_min_protocol = TLSv1.2|' /etc/dovecot/conf.d/10-ssl.conf
+    if ! grep -q "!TLSv1.1" /etc/dovecot/conf.d/10-ssl.conf; then
+        sed -i 's|ssl_protocols = !SSLv3 !TLSv1|ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1|' /etc/dovecot/conf.d/10-ssl.conf
+    fi
+fi
+
 # Adding LE autorenew cronjob if there are none
 if [ -z "$(grep v-update-lets $HESTIA/data/users/admin/cron.conf)" ]; then
 	min=$(generate_password '012345' '2')
