MailSslModule

WARNING: this article is obsolete. Please refer to http://nginx.org/en/docs/ for the latest official documentation.

= Synopsis =

This module provides SSL/TLS support for POP3/IMAP/SMTP. Its configuration is practically identical to that of the HTTP SSL module, but checking client certificates is not supported.

= Directives =

ssl
syntax: ssl on | off

default: ssl off

context: mail, server

Enables SSL/TLS for this virtual server.

ssl_certificate
syntax: ssl_certificate file

default: cert.pem

context: mail, server

Specifies the file with the certificate in PEM format for this virtual server. The same file can also contain other certificates and the secret key in PEM format.

ssl_certificate_key
syntax: ssl_certificate_key file

default: cert.pem

context: mail, server

Specifies the file with the secret key in PEM format for this virtual server.

ssl_ciphers
syntax: ssl_ciphers ciphers

default: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

context: mail, server

This directive describes the permitted ciphers. Ciphers are specified in the format supported by OpenSSL.

ssl_prefer_server_ciphers
syntax: ssl_prefer_server_ciphers on | off

default: off

context: mail, server

Requires that, for the SSLv3 and TLSv1 protocols, the server's ciphers be preferred over the client's ciphers.

ssl_protocols
syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1]

default: SSLv2 SSLv3 TLSv1

context: mail, server

This directive enables the protocols indicated.

ssl_session_cache
syntax: ssl_session_cache [builtin[:size]] [shared:name:size]

default: builtin:20480

context: mail, server

The directive sets the types and sizes of the caches that store SSL sessions. The cache types are:

 * builtin -- the OpenSSL builtin cache, used inside one worker process only. The cache size is given as a number of sessions.
 * shared -- the cache is shared between all worker processes. The cache size is given in bytes; a 1 MB cache can hold about 4000 sessions. Each shared cache must have an arbitrary name. A cache with the same name can be used in several virtual servers.

It is possible to use both types of cache simultaneously, for example:

 ssl_session_cache builtin:1000 shared:SSL:10m;

However, using only the shared cache, without the builtin one, should be more effective.

ssl_session_timeout
syntax: ssl_session_timeout time

default: 5m

context: mail, server

Sets the time during which a client can reuse the session parameters stored in the cache.

starttls
syntax: starttls on | off | only

default: off

context: mail, server

 * on - permit the use of the STLS command for POP3 and the STARTTLS command for IMAP/SMTP
 * off - do not allow the STLS/STARTTLS commands
 * only - announce STLS/STARTTLS support and require that clients use TLS encryption
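
The defaults listed above mean that a mail server block which omits these directives runs without TLS and, once TLS is switched on, with SSLv2, SSLv3 and the LOW and EXP cipher classes still permitted. The following added example (not part of the original page or of nginx) overlays a block's directives on those documented defaults and reports what remains weak; the function names, finding labels and sample blocks are assumptions made for illustration, and the cipher check is a simplified reading of the OpenSSL cipher string.

```python
import re

# Defaults exactly as documented on this page; an omitted directive means these apply.
PAGE_DEFAULTS = {
    "ssl": "off",
    "starttls": "off",
    "ssl_protocols": "SSLv2 SSLv3 TLSv1",
    "ssl_ciphers": "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP",
    "ssl_prefer_server_ciphers": "off",
}
WEAK_CIPHER_CLASSES = ("LOW", "EXP", "SSLv2")  # OpenSSL keywords in the default above

def effective_settings(block):
    # Overlay the directives found in one config block on the documented defaults.
    settings = dict(PAGE_DEFAULTS)
    text = re.sub(r"#[^\n]*", "", block)  # strip comments
    for name, value in re.findall(r"\b(\w+)\s+([^;{}]+);", text):
        if name in settings:
            settings[name] = " ".join(value.split())
    return settings

def audit(block):
    # Return a sorted list of finding labels for one mail server block.
    s, findings = effective_settings(block), []
    if s["ssl"] != "on":  # no implicit TLS on this listener, so starttls decides
        if s["starttls"] == "off":
            findings.append("no-tls")
        elif s["starttls"] == "on":
            findings.append("tls-optional")  # client may still skip STLS/STARTTLS
    for proto in ("SSLv2", "SSLv3"):
        if proto in s["ssl_protocols"].split():
            findings.append("protocol:" + proto)
    tokens = re.split(r"[:, ]+", s["ssl_ciphers"])
    for weak in WEAK_CIPHER_CLASSES:
        # Simplification: "+X" only reorders ciphers already selected, so a class
        # counts as enabled via ALL or a bare X, unless "!X" removes it for good.
        enabled = "ALL" in tokens or weak in tokens
        if enabled and "!" + weak not in tokens:
            findings.append("cipher:" + weak)
    if s["ssl_prefer_server_ciphers"] != "on":
        findings.append("client-cipher-order")
    return sorted(findings)

# Constructed sample blocks (not from the page); TLSv1 is the strongest protocol it lists.
DEFAULTS_ONLY = "server { listen 110; protocol pop3; }"
HARDENED = ("server { listen 143; protocol imap; starttls only; ssl_protocols TLSv1; "
            "ssl_ciphers HIGH:!ADH:!LOW:!EXP:!SSLv2; ssl_prefer_server_ciphers on; }")
```

Calling `audit(DEFAULTS_ONLY)` lists every weakness inherited from the defaults, while `audit(HARDENED)` returns an empty list.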
