From 46fe2c25c8c92f4d11d94b319072a7667aa24746 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 23 Apr 2025 15:54:03 +0200 Subject: [PATCH] dovecot: prefer client cipher list All ciphers in TLSv1.2/TLSv1.3 are considered secure, so we can allow the client to choose the most performant cipher according to their hardware and software configuration. This is in line with general recommendations, e.g. by Mozilla[1]. [1] https://wiki.mozilla.org/Security/Server_Side_TLS --- mail-server/dovecot.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix index 8e6d2b2..31855db 100644 --- a/mail-server/dovecot.nix +++ b/mail-server/dovecot.nix @@ -297,7 +297,7 @@ in mail_access_groups = ${vmailGroupName} ssl = required ssl_min_protocol = TLSv1.2 - ssl_prefer_server_ciphers = yes + ssl_prefer_server_ciphers = no service lmtp { unix_listener dovecot-lmtp {
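Review bot: in the hunk at mail-server/dovecot.nix line 297, flipping ssl_prefer_server_ciphers to no is only safe if every suite the server offers is acceptable, and the visible context does not show that. It sets ssl_min_protocol = TLSv1.2 but no ssl_cipher_list. With client preference, the client's ordering picks among whatever the server's cipher list permits, so the claim in the commit message that all TLSv1.2/TLSv1.3 ciphers are secure rests on that list being restricted. Please confirm that ssl_cipher_list is set elsewhere in this file, or set it explicitly alongside this change to the suite set from the Mozilla page the commit message links. A short comment next to ssl_prefer_server_ciphers = no that records this dependency would keep a later loosening of the cipher list from silently weakening negotiation.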