Webmail accessive Dovecot logins
Joseph Tam
jtam.home at gmail.com
Fri Oct 30 20:23:04 UTC 2015
"A. Schulze" writes:
> David Mehler:
>
>> Second question, in the doveconf -n there's reference to my ssl_cipher
>> am I using current tls ciphers that support pfs?
>
>> ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL
>
> Some non-PFS ciphers would still be active. Check yourself:
> # openssl ciphers -v 'ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL' | grep -v DH
You'll want the 'E' variation (ephemeral) of the DH algorithms, and
preferably the ECDHE variety, as they are faster and supported on more
browsers. The pattern to search for (or exclude) is "DHE":

	openssl ciphers -v {cipher-specs} | grep DHE
If the OP wants to preferentially use PFS ciphers (but keep the other
ciphers around for very old browsers), maybe something like:

	ssl_cipher_list = ECDH:ALL:!LOW:!SSLv2:!EXP:!aNULL
	ssl_prefer_server_ciphers = yes
> finally you could use the service provided by ssllabs.com to scan your host.
I second this recommendation, if you can work out the port issue. Maybe using
an ncat | ncat pipe.
Joseph Tam <jtam.home at gmail.com>
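The thread's point is that `grep -v DH` is the wrong filter: static DH and ECDH suites (Kx=DH/RSA, Kx=ECDH/RSA in the `openssl ciphers -v` output) contain "DH" in their names but do not give forward secrecy, while only the ephemeral DHE/ECDHE suites (Kx=DH, Kx=ECDH) do. The script below is an added example, not code from the post or from the Dovecot project; it classifies `openssl ciphers -v` output by the key-exchange column instead of by grepping the suite name. The sample output it carries is constructed for the example and is not captured from any real host; when `openssl` is on the path it also runs the check on the cipher spec suggested above (Kx=any, which OpenSSL prints for TLS 1.3 suites, is counted as PFS because TLS 1.3 only negotiates ephemeral key exchange).

```shell
#!/bin/sh
# Classify 'openssl ciphers -v' output into PFS (ephemeral key exchange)
# and NON-PFS suites.  Each line looks like:
#   NAME  PROTO Kx=... Au=... Enc=... Mac=...
# so field 3 is the key-exchange column.  Exactly "Kx=ECDH" and "Kx=DH"
# are the ephemeral ECDHE/DHE suites; "Kx=DH/RSA", "Kx=ECDH/RSA" etc. are
# static (non-PFS) even though their names contain "DH".  "Kx=any" is the
# TLS 1.3 marker and is PFS by construction.
classify_pfs() {
    awk '{
        kx = $3
        sub(/^Kx=/, "", kx)
        if (kx == "ECDH" || kx == "DH" || kx == "any")
            print "PFS " $1 " " kx
        else
            print "NON-PFS " $1 " " kx
    }'
}

# Constructed sample of 'openssl ciphers -v' output (not real host output),
# mixing ephemeral, static-DH and plain RSA key exchange.
sample_openssl_v() {
    cat <<'EOF'
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA         SSLv3   Kx=ECDH/RSA Au=ECDH Enc=AES(256)    Mac=SHA1
DH-RSA-AES256-SHA           SSLv3   Kx=DH/RSA   Au=DH   Enc=AES(256)    Mac=SHA1
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
EOF
}

# Run the classifier against a real cipher spec string (argument 1) using
# the local openssl binary; only meaningful where openssl is installed.
check_spec() {
    openssl ciphers -v "$1" | classify_pfs
}

# Print only the suites that would negotiate without forward secrecy.
non_pfs_only() {
    classify_pfs | grep '^NON-PFS'
}

# Stand-alone run: prefer the real openssl, otherwise show the sample.
if command -v openssl >/dev/null 2>&1; then
    echo "Non-PFS suites enabled by the spec suggested in the thread:"
    openssl ciphers -v 'ECDH:ALL:!LOW:!SSLv2:!EXP:!aNULL' | non_pfs_only
else
    echo "openssl not found; classifying the constructed sample instead:"
    sample_openssl_v | classify_pfs
fi
```

Using `grep -v DH` on the sample above would hide the two static suites and report only the plain RSA one, which is exactly the gap the thread is warning about; filtering on the Kx column (or on the "DHE" name pattern) reports all three.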