[Dovecot] TLS/SSL for Win8 & Outlook
Reindl Harald
h.reindl at thelounge.net
Fri May 9 12:40:35 UTC 2014
On 09.05.2014 14:28, Sebastian Goodrick wrote:
> For any reason I don't understand, there are ciphers listed twice in
> the old OpenSSL version but also once in the new version:
> EXP-RC2-CBC-MD5, EXP-RC4-MD5, RC4-MD5

EXP-RC4-MD5 != RC4-MD5

however, with a recent dovecot setup and openssl >= 1.0.1
you can and should order the ciphers on the server side

the configuration below disables, as the most important thing, the
broken RC4 and supports even Outlook 2003 on WinXP, which uses
DES-CBC3-SHA, proven by dovecot logs

because it does not list any crap it is short enough that compatible
ciphers are always in the first 64 ones; you may use google to find
out why that is important when it comes to handshakes with older software,
especially from Microsoft

these 21 ciphers are ordered by best possible encryption and are
passing serious security audits

ssl_prefer_server_ciphers = yes
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2
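
Added example, not part of the original post and not Dovecot or OpenSSL code: a static check of the ssl_cipher_list above (weak names, duplicates, the 64-entry limit) and a model of what ssl_prefer_server_ciphers changes during selection. The WEAK pattern, the function names and the two client offers are assumptions constructed for illustration; keywords such as HIGH are not expanded.

```python
import re

# ssl_cipher_list value from the post above.
SERVER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:"
    "DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:"
    "CAMELLIA128-SHA:CAMELLIA256-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2"
)
# Name parts this example treats as weak (an assumption, not an OpenSSL API).
WEAK = re.compile(r"(^|-)(RC4|RC2|EXP|NULL|MD5|ADH|AECDH)(-|$)|(^|-)DES-CBC-")

def suites(cipher_list):
    """Explicit suite names in order; '!x', '-x', '+x' operators are skipped."""
    return [t for t in cipher_list.split(":") if t and t[0] not in "!-+"]

def audit(cipher_list, limit=64):
    """Static checks on an explicit list of suite names."""
    names = suites(cipher_list)
    return {
        "count": len(names),
        "fits_limit": len(names) <= limit,
        "weak": [n for n in names if WEAK.search(n)],
        "duplicates": sorted({n for n in names if names.count(n) > 1}),
    }

def negotiate(server_list, client_offer, prefer_server=True):
    """First common suite, walking the preferred side's order."""
    server, client = suites(server_list), suites(client_offer)
    first, second = (server, client) if prefer_server else (client, server)
    return next((s for s in first if s in second), None)

# Constructed client offers (illustrative, not captured from real clients).
LEGACY_CLIENT = "RC4-MD5:RC4-SHA:DES-CBC3-SHA:EXP-RC4-MD5"
MODERN_CLIENT = "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA"

if __name__ == "__main__":
    print(audit(SERVER_LIST))
    print(audit("EXP-RC2-CBC-MD5:EXP-RC4-MD5:RC4-MD5")["weak"])
    print(negotiate(SERVER_LIST, LEGACY_CLIENT))
    print(negotiate(SERVER_LIST, MODERN_CLIENT, prefer_server=False))
```
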