Webmail excessive Dovecot logins

Joseph Tam jtam.home at gmail.com
Fri Oct 30 20:23:04 UTC 2015


"A. Schulze"  writes:

> David Mehler:
>
>> Second question, in the doveconf -n there's reference to my ssl_cipher
>> am I using current tls ciphers that support pfs?
>
>> ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL
>
> some non-PFS ciphers would still be active. Check yourself:
> # openssl ciphers -v 'ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL' | grep -v DH

You'll want the 'E' variation (ephemeral) of the DH algorithms, and
preferably the ECDHE variety, as they are faster and supported on more
browsers.  The pattern to search for (or exclude) is "DHE":

 	openssl ciphers -v {cipher-specs} | grep DHE

If the OP wants to preferentially use PFS ciphers (but keep the other
ciphers around for very old browsers), maybe something like

 	ssl_cipher_list = ECDH:ALL:!LOW:!SSLv2:!EXP:!aNULL
 	ssl_prefer_server_ciphers = yes

> finally you could use the service provided by ssllabs.com to scan your host.

I second this recommendation, if you can work out the port issue.  Maybe using
an ncat | ncat pipe.

Joseph Tam <jtam.home at gmail.com>
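An added example (not from this thread or from the Dovecot project) that applies the "grep DHE" check above programmatically: it parses `openssl ciphers -v` output, lists the suites whose key exchange is not ephemeral DH/ECDH, and checks that the PFS suites come first, the ordering that `ssl_prefer_server_ciphers = yes` relies on. The sample output is constructed in the OpenSSL 1.0-era column layout, and the script name pfs_audit.py in the comment is a placeholder.

```python
import re
import sys

# Constructed sample of `openssl ciphers -v` output in the OpenSSL 1.0-era
# column layout, embedded so the audit runs offline; not taken from any host.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(128)    Mac=SHA1
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES128-SHA         SSLv3   Kx=ECDH/RSA Au=ECDH Enc=AES(128)    Mac=SHA1
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
"""

# name, protocol, key exchange, authentication; the trailing columns are ignored
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)")

def parse_ciphers(text):
    """Turn `openssl ciphers -v` lines into dicts, preserving list order."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, proto, kx, au = m.groups()
            suites.append({"name": name, "proto": proto, "kx": kx, "au": au})
    return suites

def is_pfs(suite):
    """Ephemeral key exchange only: Kx is bare DH/ECDH (static variants print
    DH/RSA, ECDH/RSA, ECDH/ECDSA) and the name carries the 'E' of DHE/ECDHE."""
    return suite["kx"] in ("DH", "ECDH") and "DHE" in suite["name"]

def audit(text):
    """Report the non-PFS suites and whether every PFS suite precedes them,
    the ordering that ssl_prefer_server_ciphers = yes relies on."""
    suites = parse_ciphers(text)
    flags = [is_pfs(s) for s in suites]
    first_non_pfs = next((i for i, f in enumerate(flags) if not f), len(flags))
    return {
        "total": len(suites),
        "non_pfs": [s["name"] for s, f in zip(suites, flags) if not f],
        "pfs_first": not any(flags[first_non_pfs:]),
    }

if __name__ == "__main__":
    # Live check: openssl ciphers -v 'ECDH:ALL:!LOW:!SSLv2:!EXP:!aNULL' | python3 pfs_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(audit(text))
```

Any suite listed under "non_pfs" is one the server will still negotiate with a client that offers nothing better, and a "pfs_first" of False means a shared non-PFS suite can win even with server preference enabled.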