Webmail accessive Dovecot logins

A. Schulze sca at andreasschulze.de
Fri Oct 30 13:16:01 UTC 2015


David Mehler:

> Second question, in the doveconf -n there's reference to my ssl_cipher
> am I using current tls ciphers that support pfs?


> ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL

Some non-PFS ciphers would still be active. Check yourself:
# openssl ciphers -v 'ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL' | grep -v DH

You disable the SSLv3 *cipher list* here. That may not be the expected result.
The *cipher list* SSLv3 is also used by TLSv1+ *protocols*.
I suggest reading (again?) https://bettercrypto.org/static/applied-crypto-hardening.pdf

> ssl_protocols = TLSv1 !SSLv3 !SSLv2
That disables SSLv2 and SSLv3, but would also disable TLSv1.1 and TLSv1.2,
which your SSL library may otherwise support.

better:
ssl_protocols = !SSLv3 !SSLv2

Finally, you could use the service provided by ssllabs.com to scan your host.
It's a little bit tricky: ssllabs only allows scanning on port 443.
So you may configure your host for imaps (not imap + STARTTLS) on port 443
and use ssllabs.com. But that requires that you do not run a regular HTTPS
webserver on the same host.

Andreas
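The check Andreas suggests, as an added example that is not part of his post: it uses Python's ssl module (the same OpenSSL cipher-string parser Dovecot hands ssl_cipher_list to) instead of the openssl CLI, lists the suites from the poster's list that still use a static key exchange, and shows which suites the "!SSLv3" alias actually removes. The PFS_ONLY string is an assumption of this example, not a recommendation from the thread.

```python
import ssl

# The poster's ssl_cipher_list as quoted in the thread.
ORIGINAL = "ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL"
# Hypothetical PFS-only replacement (an assumption of this example, not from the thread).
PFS_ONLY = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL"


def expand(cipher_string):
    """Resolve an OpenSSL cipher string into the suites it enables (list of dicts)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # no suite matched the string at all
        return []
    return ctx.get_ciphers()


def provides_pfs(cipher):
    """Ephemeral key exchange: (EC)DHE in TLS 1.0-1.2, or any TLS 1.3 suite."""
    if cipher["protocol"] == "TLSv1.3":
        return True
    return (cipher.get("kea") or "").startswith(("kx-ecdhe", "kx-dhe"))


def non_pfs_ciphers(cipher_string):
    """Names of enabled suites with a static key exchange (typically Kx=RSA)."""
    return [c["name"] for c in expand(cipher_string) if not provides_pfs(c)]


def dropped_by_alias(base, alias):
    """Suites that appending '!<alias>' removes from 'base' (what '!SSLv3' really cuts)."""
    kept = {c["name"] for c in expand(f"{base}:!{alias}")}
    return [c for c in expand(base) if c["name"] not in kept]


if __name__ == "__main__":
    print("static-kx suites still enabled by the original list:")
    for name in non_pfs_ciphers(ORIGINAL):
        print("  ", name)
    print("suites the '!SSLv3' alias removes (they are negotiable under TLS 1.0-1.2 too):")
    for c in dropped_by_alias("ALL:!aNULL", "SSLv3"):
        print("  ", c["name"], c["protocol"], c["kea"])
    print("static-kx suites in the PFS-only list:", non_pfs_ciphers(PFS_ONLY))
```

Every suite the "!SSLv3" alias drops reports protocol "SSLv3" in the cipher table even though TLS 1.0 through 1.2 can negotiate it, which is the distinction the post makes between the cipher-list alias and the protocol setting.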
