Recommended Protocols?

Jeremy Ardley jeremy at ardley.org
Tue Nov 10 08:05:11 EET 2020


On 10/11/20 1:52 pm, Nikolai Lusan wrote:
> Greetings,
>
> On Mon, 2020-11-09 at 23:42 -0600, Raymond Herrera wrote:
> > For several years I have been running the following in a Linux
> > server.
>
> > Dovecot Version: 2.0.9
>
> > *IMAP:*
> > Connection Security: SSL/TLS
> > Port: 993
> > Authentication Method: Normal Password
>
> > *SMTP:*
> > Connection Security: STARTTLS
> > Port: 587
> > Authentication Method: Normal Password
>
> Pretty standard setup.
>
> Personally I am using Postfix for SMTP/Submission and Dovecot for IMAP
> - both with STARTTLS. I use a couple of MX's to actually do the initial
> receiving of email, so everything auth related (and address related) is
> in a multi-master LDAP server on each machine. Using Dovecot-SASL for
> SMTP auth too.
>
> > The E-mail client is Thunderbird on Windows.
>
> In my experience pretty much any client works with this setup.
>

I also use STARTTLS, though I expose that on both IMAP and IMAPS ports, 
which is consistent with a number of major IMAP providers.

Selection of ciphers is important. I researched this recently and use 
this stanza in the configuration:

ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes

The defaults in dovecot are shown commented in conf.d/10-ssl.conf. They 
are not best practice for security.
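
Added example, not part of the original post: a Python check that parses the stanza above and asks the local OpenSSL (through Python's ssl module) which TLS 1.2 suites the cipher string actually enables, flagging any that lack ephemeral key exchange or AES-GCM. The function names are illustrative, and the suite list returned depends on the OpenSSL build it runs on.

```python
import ssl

# The stanza as posted in the message above.
STANZA = """\
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
"""

def parse_settings(text):
    """Parse flat 'key = value' settings, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def expand_cipher_list(cipher_list):
    """Return the TLS <= 1.2 suites the local OpenSSL enables for cipher_list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    # OpenSSL configures TLS 1.3 suites separately and always lists them; drop them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit(text):
    """Return (suite names, findings) for a block of settings."""
    s = parse_settings(text)
    findings = []
    if s.get("ssl") != "required":
        findings.append("ssl is not 'required'")
    if s.get("ssl_min_protocol") not in ("TLSv1.2", "TLSv1.3"):
        findings.append("ssl_min_protocol is not set to TLSv1.2 or higher")
    if "ssl_cipher_list" not in s:
        findings.append("ssl_cipher_list is not set")
        return [], findings
    names = expand_cipher_list(s["ssl_cipher_list"])
    for name in names:
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"{name}: key exchange is not ephemeral")
        if "GCM" not in name:
            findings.append(f"{name}: not an AES-GCM suite")
    return names, findings

if __name__ == "__main__":
    names, findings = audit(STANZA)
    print("\n".join(names))
    print("findings:", findings or "none")
```
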
