Hi all,
Ten years after the fact I learned about POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerabilities, which enable a poorly configured server to force my client to downgrade to vulnerable encryption.
My current conf.d/10-ssl.conf contains the following line:
ssl_cipher_list = ALL:!LOW:!SSLv3:!EXP:!aNULL
I've read that I should change the preceding line to the following:
ssl_protocols = !SSLv3 !SSLv2
Is this correct?
For some reason I have the same ssl_cipher_list in dovecot.conf. Should I make the change there too?
Is there anything else I need to change? The following is my current dovecot.conf:
=================================================
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# OS: Linux 5.10.12_1 x86_64
# Hostname: mydesk.domain.cxm
mail_location = maildir:~/mail/Maildir:INBOX=~/mail/Maildir/.INBOX
namespace inbox {
inbox = yes
location =
prefix =
}
passdb { driver = pam args = %s }
userdb { driver = passwd }
protocols = imap
service imap-login {
  inet_listener imap {
    #port = 143
    port = 0
  }
  inet_listener imaps {
    port = 993
    #port = 0
    ssl = yes
    #ssl = no
  }
}
ssl = required
#ssl = yes
ssl_cert = </etc/ssl/dovecot_certs/certs/dovecot.pem
ssl_cipher_list = ALL:!LOW:!SSLv3:!EXP:!aNULL
ssl_key = </etc/ssl/dovecot_certs/private/dovecot.pem
By the way, does the preceding dovecot.conf even use the files in directories off conf.d?
Thanks,
SteveT
Steve Litt
Autumn 2023 featured book: Rapid Learning for the 21st Century http://www.troubleshooters.com/rl21
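Added example, not from the poster's files: a Dovecot 2.3 SSL fragment that keeps the weak cipher line as a comment beside its replacement. It assumes Dovecot 2.3, where `ssl_protocols` was replaced by `ssl_min_protocol`, and reuses the certificate paths and listener layout from the post; note that `!SSLv3` inside an OpenSSL cipher string only filters cipher suites and does not set a protocol floor.

```conf
# Added example for Dovecot 2.3 (not the poster's config): protocol floor plus cipher list.
# Weak: a cipher-string token cannot switch off a protocol version.
#ssl_cipher_list = ALL:!LOW:!SSLv3:!EXP:!aNULL

ssl = required
ssl_cert = </etc/ssl/dovecot_certs/certs/dovecot.pem
ssl_key = </etc/ssl/dovecot_certs/private/dovecot.pem

# Protocol floor: SSLv2, SSLv3, TLSv1.0 and TLSv1.1 are refused outright.
# (Dovecot 2.3 replaced ssl_protocols with ssl_min_protocol.)
ssl_min_protocol = TLSv1.2

# Forward-secret AEAD suites only; no CBC suites, so there is no padding oracle to query.
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ssl_prefer_server_ciphers = yes

# Plaintext IMAP listener stays off (port = 0); only implicit-TLS 993 is served.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

Confirm the merged result with `doveconf -n | grep -E '^ssl'`, and from a client `openssl s_client -connect mydesk.domain.cxm:993 -tls1_1` should fail to negotiate while the default (TLS 1.2+) connection succeeds.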