[Dovecot] dovecot and PFS

Robert Schetterer rs at sys4.de
Tue Sep 10 11:14:50 EEST 2013


On 10.09.2013 09:54, Emmanuel Dreyfus wrote:
> Hi
> 
> Is there known advice on how to favor PFS with dovecot?
> 
> In Apache, I use the following directives, which cause all modern
> browsers to adopt 256 bit PFS ciphers, while keeping backward
> compatibility with older browsers and avoiding the BEAST attack:
> SSLProtocol all -SSLv2
> SSLHonorCipherOrder On
> SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10-SHA1:RC4:!MD5:!DES:!aNULL:!eNULL
> 
> dovecot does not care about BEAST, since the attacker cannot inject
> traffic. Therefore the cipher list gets simpler in dovecot.conf:
> ssl_cipher_list = ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:!MD5:!DES:!aNULL:!eNULL
> 
> But that list is good for browsers. I am not aware of documentation
> about what ciphers are advertised by various mail clients. How can I
> know if that setting has some success pushing PFS? How can I
> discover which clients fail to negotiate PFS ciphers?
> 
> 

According to my last tests:
if you want to stay compatible with most clients, use the defaults; if
you make changes, it might fail with old clients. However, changes might
be acceptable for, e.g., company-only mail systems using only a few
known clients.

sorry, only German

http://sys4.de/de/blog/2013/08/15/dovecot-tls-perfect-forward-secrecy/

some advice for Apple Mail

http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/


Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
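One way to answer the last question in the quoted mail (which clients fail to negotiate PFS ciphers) is to classify the cipher each login actually negotiated, since OpenSSL cipher names carry the key exchange in their prefix. The following is an added example, not from the thread or from the Dovecot project; it assumes login lines in the constructed layout shown, modelled on Dovecot's imap-login output with the TLS cipher string appended (Dovecot 2.2 can log that via %k in login_log_format_elements; treat that detail as an assumption to check against your version).

```python
import re
from collections import Counter

# Constructed sample log, modelled on Dovecot "imap-login: Login:" lines with the
# TLS protocol/cipher string appended (assumed layout; Dovecot 2.2+ can log it
# via %k in login_log_format_elements). Addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 10 10:01:12 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=4311, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 10 10:01:40 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.22, lip=198.51.100.5, mpid=4320, TLS, TLSv1 with cipher AES256-SHA (256/256 bits)
Sep 10 10:02:03 mx dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.31, lip=198.51.100.5, mpid=4333, TLS, TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)
Sep 10 10:02:44 mx dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.40, lip=198.51.100.5, mpid=4350, TLS, TLSv1 with cipher RC4-SHA (128/128 bits)
Sep 10 10:03:10 mx dovecot: imap-login: Login: user=<erin>, method=PLAIN, rip=192.0.2.55, lip=198.51.100.5, mpid=4361, session=<abc>
"""

LOGIN_RE = re.compile(
    r"(?:imap|pop3)-login: Login: user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,]+)"
    r"(?:.*?\bwith cipher (?P<cipher>[A-Z0-9-]+))?"
)

def has_forward_secrecy(cipher):
    """Ephemeral (EC)DH suites are spelled ECDHE-, DHE- or EDH- and give PFS.
    A bare AES256-SHA or RC4-SHA means static RSA key transport, where a
    leaked server key decrypts every recorded session."""
    return cipher.startswith(("ECDHE-", "DHE-", "EDH-"))

def classify_logins(log_text):
    """Bucket each login as 'pfs', 'no_pfs' or 'no_cipher_info' and return
    {bucket: [(user, rip, cipher), ...]} plus a Counter of the non-PFS
    ciphers, which points at the clients worth looking into."""
    buckets = {"pfs": [], "no_pfs": [], "no_cipher_info": []}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login line
        user, rip, cipher = m.group("user"), m.group("rip"), m.group("cipher")
        if cipher is None:
            buckets["no_cipher_info"].append((user, rip, None))
        elif has_forward_secrecy(cipher):
            buckets["pfs"].append((user, rip, cipher))
        else:
            buckets["no_pfs"].append((user, rip, cipher))
    buckets["no_pfs_ciphers"] = Counter(c for _, _, c in buckets["no_pfs"])
    return buckets

if __name__ == "__main__":
    result = classify_logins(SAMPLE_LOG)
    print(f"PFS: {len(result['pfs'])}  non-PFS: {len(result['no_pfs'])}  "
          f"no cipher info: {len(result['no_cipher_info'])}")
    for user, rip, cipher in result["no_pfs"]:
        print(f"  no PFS: user={user} rip={rip} cipher={cipher}")
```

Feed it the real log after enabling cipher logging; the non-PFS bucket grouped by rip is the list of clients (or client versions) to follow up on before tightening ssl_cipher_list.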

