How To Change the Dovecot SSL/TLS Protocols/Ciphers For DirectAdmin

If you need to strengthen Dovecot's default SSL/TLS ciphers and protocols, you can, but you must do so in a manner compatible with CustomBuild. CustomBuild will overwrite any changes you make unless you place the edited file in its custom/ directory, where CustomBuild looks for overrides.

The custom/ directory may not exist, so create it if needed, then copy the original Dovecot ssl.conf into it, make your changes there, and rebuild the Dovecot configuration. Your changes will then survive future rebuilds.

Run the following to create the custom/ directory and copy the default ssl.conf file to it:

  cd /usr/local/directadmin/custombuild
  mkdir -p custom/dovecot/conf
  cp configure/dovecot/conf/ssl.conf custom/dovecot/conf/ssl.conf

Now change your ciphers and/or protocols as desired using a file editor such as nano or vim. For example, if a PCI compliance vendor requires TLSv1.2, change the ssl_min_protocol line in the copied ssl.conf to look like this:

  ssl_min_protocol = TLSv1.2

Then run this to regenerate the Dovecot configuration from the custom/ copy and restart Dovecot:

  ./build dovecot_conf

Now, to test which protocols and ciphers Dovecot actually offers, you can use nmap as the root user from the server itself like so:

  nmap localhost -p 993 --script ssl-enum-ciphers

Note that you can also run this from outside the server by replacing localhost with the server's hostname or IP address, or with a domain that resolves to the server.
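The procedure above done as a script, as an added example that is not DirectAdmin's or CustomBuild's own code: it sets ssl_min_protocol in a copy of ssl.conf without leaving a duplicate or commented-out line behind, and then checks saved nmap ssl-enum-ciphers output for any protocol below TLSv1.2. The file paths, the sample ssl.conf and the sample nmap output are constructed for the demo.

```shell
#!/bin/sh
# Added example (not DirectAdmin/CustomBuild code). Paths and sample data
# are constructed; on a real server FILE would be
# /usr/local/directadmin/custombuild/custom/dovecot/conf/ssl.conf.

# set_min_protocol FILE PROTO: replace an existing (possibly commented-out)
# ssl_min_protocol line, or append one if none exists, so reruns are safe.
set_min_protocol() {
    file="$1"; proto="$2"
    re='^[[:space:]]*#?[[:space:]]*ssl_min_protocol[[:space:]]*='
    if grep -Eq "$re" "$file"; then
        sed -E "s/${re}.*/ssl_min_protocol = $proto/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'ssl_min_protocol = %s\n' "$proto" >> "$file"
    fi
}

# get_min_protocol FILE: print the active (uncommented) value; last one wins.
get_min_protocol() {
    sed -nE 's/^[[:space:]]*ssl_min_protocol[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p' "$1" | tail -n 1
}

# weak_protocols NMAP_OUTPUT: print SSLv3/TLSv1.0/TLSv1.1 section headers
# found in ssl-enum-ciphers output; return 1 if any were offered.
weak_protocols() {
    found=$(grep -oE '^\|[[:space:]]+(SSLv3|TLSv1\.0|TLSv1\.1):' "$1" | tr -d '|: ' | sort -u)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demo on constructed inputs in a temporary directory.
demo() {
    dir=$(mktemp -d)
    printf '#ssl_min_protocol = TLSv1\nssl_cipher_list = ALL:!LOW\n' > "$dir/ssl.conf"
    set_min_protocol "$dir/ssl.conf" TLSv1.2
    printf 'ssl_min_protocol is now: %s\n' "$(get_min_protocol "$dir/ssl.conf")"
    # Constructed nmap output: a server that still accepts TLSv1.0.
    printf '| ssl-enum-ciphers:\n|   TLSv1.0:\n|     ciphers:\n|   TLSv1.2:\n|     ciphers:\n' > "$dir/nmap.txt"
    if weak_protocols "$dir/nmap.txt"; then echo "no weak protocols offered"; else echo "weak protocols still offered"; fi
    rm -rf "$dir"
}
demo
```

On a real server, run weak_protocols against `nmap localhost -p 993 --script ssl-enum-ciphers > /tmp/nmap.txt` after `./build dovecot_conf` to confirm the change took effect.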

control-panels/directadmin/how-to-change-the-dovecot-ssl-protocols.txt · Last modified: 2020/06/01 14:47 by Karson N.