After enabling PCI DSS compliance for Dovecot with:
Code:
# plesk sbin pci_compliance_resolver --enable dovecot
I noticed the following changes from Plesk's default Dovecot setup:
Code:
# diff -U0 /root/dovecot/conf.d/11-plesk-security-ssl.conf /etc/dovecot/conf.d/11-plesk-security-ssl.conf
--- /root/dovecot/conf.d/11-plesk-security-ssl.conf 2020-06-04 21:15:45.710984674 +0200
+++ /etc/dovecot/conf.d/11-plesk-security-ssl.conf 2020-06-04 21:19:59.490591720 +0200
@@ -1,4 +1,4 @@
-ssl_min_protocol=TLSv1
-ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH
-ssl_prefer_server_ciphers=yes
-ssl_dh=</usr/local/psa/etc/dhparams1024.pem
+ssl_min_protocol=TLSv1.2
+ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20
+ssl_prefer_server_ciphers=no
+ssl_dh=</usr/local/psa/etc/dhparams2048.pem
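Review bot: ssl_prefer_server_ciphers=no is only acceptable here because the ssl_cipher_list line directly above it now contains exclusively forward-secret AEAD entries (EECDH/EDH combined with AESGCM or CHACHA20), so whichever suite the client picks is still strong; the two settings should be reviewed as a pair, and the preference flipped back to yes if that list is ever widened again. Also confirm that /usr/local/psa/etc/dhparams2048.pem exists and is readable by Dovecot before reloading, since ssl_dh now points at it instead of the 1024-bit file.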
Dovecot seems to be recommending (see SSL/DovecotConfiguration - Dovecot Wiki):

"You should usually prefer server ciphers and their order, so setting

Code:
ssl_prefer_server_ciphers=yes

is recommended."

Why is Plesk's PCI DSS resolver tool setting ssl_prefer_server_ciphers to "no"?

Using Plesk Obsidian 18.0.27 for Linux.
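The question above turns on whether the cipher list and the server-preference flag are safe as a pair. The following script is an added example, not code from the post or from Plesk; it parses Dovecot `key=value` settings, classifies each positive entry of the OpenSSL cipher string, and only flags `ssl_prefer_server_ciphers=no` when the list still admits suites without forward secrecy or AEAD. The two config texts are constructed from the diff in the post; the DH key-size check is a file-name heuristic (assumption) since the .pem files are not available offline.

```python
"""Audit the Dovecot TLS settings touched by Plesk's PCI DSS resolver (added example)."""
import re

# Constructed sample input: the "before" and "after" contents of
# 11-plesk-security-ssl.conf, copied from the diff in the post above.
BEFORE = """\
ssl_min_protocol=TLSv1
ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH
ssl_prefer_server_ciphers=yes
ssl_dh=</usr/local/psa/etc/dhparams1024.pem
"""

AFTER = """\
ssl_min_protocol=TLSv1.2
ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20
ssl_prefer_server_ciphers=no
ssl_dh=</usr/local/psa/etc/dhparams2048.pem
"""

# Protocol names as Dovecot accepts them, in order of strength.
TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def parse_settings(text):
    """Parse 'key=value' lines of a Dovecot conf file; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def positive_specs(cipher_list):
    """Entries of an OpenSSL cipher string that add suites (exclusions such as !RC4 are dropped)."""
    return [s for s in cipher_list.split(":") if s and not s.startswith(("!", "-"))]


def is_pfs_aead(spec):
    """True when every suite the entry can match is ephemeral (EC)DH with an AEAD cipher."""
    parts = set(spec.split("+"))
    pfs = bool(parts & {"EECDH", "ECDHE", "EDH", "DHE", "kEECDH", "kEDH"})
    aead = bool(parts & {"AESGCM", "CHACHA20", "AESCCM"})
    return pfs and aead


def audit(text):
    """Return a list of findings; an empty list means the settings pass these checks."""
    s = parse_settings(text)
    findings = []

    min_proto = s.get("ssl_min_protocol")
    if min_proto is None or TLS_ORDER.get(min_proto, -1) < TLS_ORDER["TLSv1.2"]:
        findings.append(f"ssl_min_protocol={min_proto}: expected TLSv1.2 or newer")

    weak = [spec for spec in positive_specs(s.get("ssl_cipher_list", "")) if not is_pfs_aead(spec)]
    if weak:
        findings.append("ssl_cipher_list admits non-forward-secret or non-AEAD suites: " + ", ".join(weak))

    # Letting the client choose is only harmless when nothing weak is left to choose from.
    if s.get("ssl_prefer_server_ciphers", "no") == "no" and weak:
        findings.append("ssl_prefer_server_ciphers=no while weak suites are still enabled; set it to yes")

    # Heuristic (assumption): Plesk names the file after the parameter size, e.g. dhparams1024.pem.
    m = re.search(r"(\d{3,5})\D*\.pem$", s.get("ssl_dh", ""))
    if m and int(m.group(1)) < 2048:
        findings.append(f"ssl_dh references a {m.group(1)}-bit parameter file (guessed from the file name)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or ["OK"])
```

Run against the two versions, the "before" file produces findings for the TLS 1.0 floor, the non-PFS/non-AEAD entries (SHA1, HIGH, the bare AESGCM entries) and the 1024-bit DH file, while the "after" file produces none: with only EECDH/EDH + AESGCM/CHACHA20 left, `ssl_prefer_server_ciphers=no` simply lets a client without AES hardware pick ChaCha20 without weakening anything.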