FAQ

Page Discussion History

MailSslModule

Revision as of 19:29, 22 September 2010 by MichaelLustfield (Talk)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Contents

Synopsis

This module ensures SSL/TLS support for POP3/IMAP/SMTP. Configuration is practically identical to the configuration of the HTTP SSL module, but checking client certificates is not supported.

Directives

ssl

syntax: ssl on | off

default: ssl off

context: mail, server

Enables SSL/TLS for this virtual server.

ssl_certificate

syntax: ssl_certificate file

default: cert.pem

context: mail, server

Indicates file with the certificate in PEM format for this virtual server. The same file can contain other certificates, and also secret key in PEM format.

ssl_certificate_key

syntax: ssl_certificate_key file

default: cert.pem

context: mail, server

Indicates file with the secret key in PEM format for this virtual server.

ssl_ciphers

syntax: ssl_ciphers file ciphers

default: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

context: mail, server

Directive describes the permitted ciphers. Ciphers are assigned in the formats supported by OpenSSL.

ssl_prefer_server_ciphers

syntax: ssl_prefer_server_ciphers on | off

default: off

context: mail, server

Requires protocols SSLv3 and TLSv1 server ciphers be preferred over the client's ciphers.

ssl_protocols

syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1]

default: SSLv2 SSLv3 TLSv1

context: mail, server

Directive enables the protocols indicated.

ssl_session_cache

syntax: ssl_session_cache [builtin[:size [shared:name:size]

default: builtin:20480

context: mail, server

The directive sets the types and sizes of caches to store the SSL sessions.
The cache types are:

  • builtin -- the OpenSSL builtin cache, is used inside one worker process only. The cache size is assigned in the number of the sessions.
  • shared -- the cache is shared between all worker processes. The size of cache is assigned in the bytes, 1 MB cache can contain about 4000 sessions. Each shared cache must have arbitrary name. Cache with the same name can be used in several virtual servers.
It is possible to use both types of cache simultaneously, for example:
ssl_session_cache  builtin:1000  shared:SSL:10m;

However, the only shared cache usage without that builtin should be more effective.

ssl_session_timeout

syntax: ssl_session_timeout time

default: 5m

context: mail, server

Assigns the time during which the client can repeatedly use the parameters of the session, which is stored in the cache.

starttls

syntax: starttls on | off | only

default: off

context: mail, server

  • on - permit the use of commands STLS for POP3 and STARTTLS for IMAP/SMTP
  • off - do not allow command STLS/STARTTLS
  • only - announce STLS/STARTTLS support and require that clients use TLS encryption

References