Option to disable client-initiated renegotiation

Aki Tuomi aki.tuomi at open-xchange.com
Mon Mar 13 13:43:22 UTC 2023

> On 13/03/2023 15:24 EET Serg <me at at.encryp.ch> wrote:
> Hello, is there any way to disallow client-initiated renegotiation in
> Dovecot? I haven't found any mention of this feature in the source
> code or in the documentation.
> I am asking about it because without this feature the mail server is
> vulnerable to a TLS renegotiation DoS attack, which can consume a lot of
> CPU and is harder to combat compared to a basic TLS connection flood.

There is no dovecot config option. However, you can use e.g. /etc/ssl/openssl.cnf to disable this (or whatever the default file in your system is):

# top-level (unnamed) section: names the section OpenSSL loads at init
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = NoRenegotiation
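The openssl.cnf mechanism only works if the three-section chain (openssl_conf -> ssl_conf -> system_default) is wired together correctly; a missing section header silently leaves NoRenegotiation unapplied. The following script is an added example, not Dovecot or OpenSSL code, that parses a config file the way OpenSSL reads it and walks that chain to report whether the system default section really sets NoRenegotiation. The config text embedded in it is constructed for the example; the file path check is a helper you would point at your own /etc/ssl/openssl.cnf.

```python
"""Verify that an openssl.cnf routes 'Options = NoRenegotiation' into the
system-wide default SSL section. Added example; the sample config below is
constructed and mirrors the snippet from the mailing-list reply."""
import re

# Constructed sample: the reply's snippet with the section headers OpenSSL expects.
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = NoRenegotiation
"""


def parse_cnf(text):
    """Parse OpenSSL's INI-style config into {section: {key: value}}.

    Keys that appear before the first [section] header belong to the unnamed
    section, which is where OpenSSL looks up 'openssl_conf'. '#' starts a comment.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def renegotiation_disabled(text):
    """Follow openssl_conf -> ssl_conf -> system_default and check the Options
    line there. Options is a comma-separated flag list; a leading '-' on a
    flag turns it off, so '-NoRenegotiation' must not be present either.
    Any break in the chain (missing header or key) means the option is not
    applied, so that is reported as False."""
    sections = parse_cnf(text)
    try:
        init_sect = sections[""]["openssl_conf"]
        ssl_sect = sections[init_sect]["ssl_conf"]
        default_sect = sections[ssl_sect]["system_default"]
        options = sections[default_sect].get("Options", "")
    except KeyError:
        return False
    flags = {f.strip() for f in options.split(",") if f.strip()}
    return "NoRenegotiation" in flags and "-NoRenegotiation" not in flags


def check_file(path):
    """Hypothetical helper: run the check against a real config file on disk."""
    with open(path, encoding="utf-8") as fh:
        return renegotiation_disabled(fh.read())


if __name__ == "__main__":
    # Headers present: the chain resolves and the flag is found.
    print("sample config:", renegotiation_disabled(SAMPLE_CNF))
    # Same lines with the headers dropped (as in a flattened paste): chain breaks.
    flattened = re.sub(r"^\[.*\]\n", "", SAMPLE_CNF, flags=re.M)
    print("flattened config:", renegotiation_disabled(flattened))
```

Run it against your own file with `check_file("/etc/ssl/openssl.cnf")`; it only confirms the configuration is reachable, so the remaining step is to restart Dovecot (the config is read at library initialisation) and confirm the effect on a live connection.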

