From a93e35a979daa08efb90503ed26412dd1bac6668 Mon Sep 17 00:00:00 2001 From: Tommy Date: Sat, 15 Apr 2023 05:57:23 -0400 Subject: [PATCH] Update Cipher configuration (#118) Signed-off-by: Tommy --- .../posts/linux/Slightly Improving Mailcow Security.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/content/posts/linux/Slightly Improving Mailcow Security.md b/content/posts/linux/Slightly Improving Mailcow Security.md index 957f26a..4f46a17 100644 --- a/content/posts/linux/Slightly Improving Mailcow Security.md +++ b/content/posts/linux/Slightly Improving Mailcow Security.md @@ -32,12 +32,16 @@ These security configurations can be added/modified in `data/conf/nginx/includes ### SSL Ciphers -Consider only supporting ciphers matching that of TLSv1.3: +Consider only supporting strong ciphers: ``` -ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ``` +And prioritize ChaCha ciphers: +``` +ssl_conf_command Options PrioritizeChaCha; +``` ### HSTS Consider adding `includeSubDomains;` and `preload;` to the HSTS configuration if all of your services are using HTTPS: @@ -93,4 +97,4 @@ If you do not use Gravatar with SOGo, you can also set COEP to require-corp sinc ``` add_header Cross-Origin-Embedder-Policy require-corp; -``` \ No newline at end of file +```
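Review bot: In the first hunk, the new text "And prioritize ChaCha ciphers:" overstates what `ssl_conf_command Options PrioritizeChaCha;` does: that OpenSSL option only takes effect when the server's own cipher preference is in force (`ssl_prefer_server_ciphers on`, which this snippet does not show) and only for clients that themselves list a ChaCha20-Poly1305 suite first, so readers following the post should be told to check that setting; suggest wording such as "And let mobile clients that prefer ChaCha20 keep it, even with server-side cipher ordering:". Also, the added `DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384` suites only work with a configured `ssl_dhparam`, which the hunk neither adds nor mentions; since the ECDHE suites already give forward secrecy, either drop the two DHE entries or add a line telling the reader to generate and point `ssl_dhparam` at a 2048-bit or larger parameter file. Finally, the old value was quoted and the new one is not; either form parses, but keep the quotes for consistency with the other directives in the post.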