[Dovecot] How to disable SSL and TLSv1.1?
Hans Spaans
hans at dailystuff.nl
Thu Sep 12 18:46:33 EEST 2013
Patrick Lists wrote on 2013-09-12 09:23:
> Hi Noel,
>
> On 09/12/2013 08:54 AM, Noel Butler wrote:
> [snip]
>> I'm always of the belief that if one person wants a feature, they might
>> be the only vocal person, but they are never really alone, so post your
>> patch, Timo can only either pull it in, or decline it, as for its useful
>> for others, only time will tell, but not even god will help those who
>> use it on a commercial network with paying customers - that's just plain
>> professional suicide.
>
> Unless it was clearly stated what the requirements are when they sign
> up. With NIST sleeping at the helm and the NSA having a field day it
> would not surprise me if businesses understand the importance of
> stronger encryption.

Why not turn it around? Why not tell the paying customer he is using an
unencrypted connection or with options that are insecure. Parse the
logfiles and make an additional section on the website where he/she can
see from where he/she had a successful login and the security level?
Make it red for unencrypted, orange/amber for insecure and green for a
"secure" connection. Most people like to have everything in the green
and you give them a choice what to do. Also the cost is almost nothing
for doing this. You could even make it a service for companies who get a
weekly/monthly PDF with an overview.

For now only Dovecot tells if it is a TLS-connection or not. Postfix for
example already tells if it is a TLSv1 connection and the cipher. If this
could be extended then sysadmins have a way to make a decision about the
path to follow or to advise to management.

Hans
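
The log-parsing idea in the message above, sketched as an added example (not code from the post or from the Dovecot project): it rates each successful login as red, amber or green. The sample log lines are constructed, the protocol/cipher string in a login line is assumed to use the form Postfix logs, and the weak-protocol and weak-cipher lists are an assumed policy.

```python
import re
from collections import defaultdict

# Assumed policy (not from the post): what counts as "insecure" (amber).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_PARTS = ("RC4", "DES", "EXP", "NULL")

LOGIN = re.compile(r"-login: Login: user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,\s]+)(?P<rest>.*)")
# Protocol and cipher in the form Postfix logs them; assumed to appear in the login line.
SECURITY = re.compile(r"\b(?P<proto>SSLv[23]|TLSv1(?:\.[0-3])?) with cipher (?P<cipher>[\w-]+)")
TLS_FLAG = re.compile(r",\s*TLS\b")  # bare "TLS" marker with no version

# Constructed sample lines (documentation addresses, made-up users).
SAMPLE = [
    "Sep 12 09:01:02 mx imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4021, TLS",
    "Sep 12 09:03:40 mx pop3-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=4033",
    "Sep 12 09:05:11 mx imap-login: Login: user=<carol>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, mpid=4040, TLS, SSLv3 with cipher RC4-SHA (128/128 bits)",
    "Sep 12 09:06:00 mx imap-login: Disconnected (no auth attempts): rip=203.0.113.9, lip=192.0.2.1",
]

def classify(line):
    """Return user, remote IP and colour for a successful login, else None."""
    m = LOGIN.search(line)
    if not m:
        return None  # not a successful login line
    sec = SECURITY.search(m["rest"])
    if sec:
        weak = sec["proto"] in WEAK_PROTOCOLS or any(p in sec["cipher"] for p in WEAK_CIPHER_PARTS)
        level, detail = ("amber" if weak else "green"), f'{sec["proto"]} {sec["cipher"]}'
    elif TLS_FLAG.search(m["rest"]):
        # Only the TLS marker is logged, so nothing insecure can be shown.
        level, detail = "green", "TLS (version not logged)"
    else:
        level, detail = "red", "unencrypted"
    return {"user": m["user"], "rip": m["rip"], "level": level, "detail": detail}

def report(lines):
    """Group rated logins per user, ready for a web page or periodic overview."""
    per_user = defaultdict(list)
    for line in lines:
        entry = classify(line)
        if entry:
            per_user[entry["user"]].append((entry["rip"], entry["level"], entry["detail"]))
    return dict(per_user)

if __name__ == "__main__":
    for user, logins in report(SAMPLE).items():
        print(user, logins)
```
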