On 12 Jun 2020, at 01:02, Marius Rasch dovecot@email.marius-rasch.de wrote:
On 11.06.20 at 18:08, @lbutlr wrote:
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Why are you doing this?
I set this according to this page: https://weakdh.org/sysadmin.html
Hmm. I am generally dismissive of anything about security that is undated.
It was recommended in the ArchLinux wiki page for dovecot, but it might be outdated.
All I have in my conf is ssl_min_protocol = TLSv1.1 and I don't recall ever seeing anyone set a cipher list in dovecot unless it was to try to allow older protocols.
Generally, it is better to exclude the protocols and ciphers you do not want. There is no reason to restrict yourself to a specific list of ciphers which is likely to exclude future ciphers when you forget to update it.
Certainly the recommendations made for postfix (which I am more familiar with) are unnecessary.
-- An edge witch is one who makes her living on the edges, in that moment when boundary conditions apply - between life and death, light and dark, good and evil and, most dangerously of all, today and tomorrow.
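The thread contrasts two ways of writing an OpenSSL cipher string for ssl_cipher_list: the explicit allow-list copied from weakdh.org, and the exclusion style ("start from everything, remove what you do not want") that the reply recommends. The script below is an added example, not code from the Dovecot project or from either poster. It parses a cipher string into its positive and negated tokens, classifies the string as allow-list or exclusion style, flags the legacy entries the thread's list still names explicitly, and, if the Python build links OpenSSL, asks the library which suites each string actually resolves to. The EXCLUSION_LIST value is a constructed illustration of the exclusion style, not Dovecot's default; the LEGACY_MARKERS table is this example's own list of entries worth a second look.

```python
"""Compare an explicit cipher allow-list with an exclusion-style cipher string.

Added example for the thread above (not Dovecot project code). WEAKDH_LIST is
the string quoted in the thread; EXCLUSION_LIST is a constructed alternative.
"""
import ssl

# Cipher string quoted in the thread (from https://weakdh.org/sysadmin.html).
WEAKDH_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Constructed exclusion-style string (an illustration, not Dovecot's default):
# start from ALL, negate the classes you do not want, sort by strength.
# Suites that a future OpenSSL adds stay enabled unless a negation covers them.
EXCLUSION_LIST = "ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP:!kRSA:!LOW:@STRENGTH"

# Entries in the thread's list that this example flags for review (example's own table).
LEGACY_MARKERS = {
    "DES-CBC3-SHA": "3DES suite with a 64-bit block size",
    "AES": "bare AES group also matches static-RSA suites (no forward secrecy)",
    "CAMELLIA": "bare CAMELLIA group also matches static-RSA suites",
}

BROAD_GROUPS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM"}


def parse_cipher_string(spec):
    """Split an OpenSSL cipher string into (allowed, excluded) token lists.
    '!X' negations go to excluded; '@' sort directives are dropped."""
    allowed, excluded = [], []
    for tok in spec.split(":"):
        tok = tok.strip()
        if not tok or tok.startswith("@"):
            continue
        if tok.startswith("!"):
            excluded.append(tok[1:])
        else:
            allowed.append(tok.lstrip("+-"))
    return allowed, excluded


def style_of(spec):
    """'exclusion' when the positive part is only broad groups, else 'allowlist'."""
    allowed, _ = parse_cipher_string(spec)
    if allowed and all(tok in BROAD_GROUPS for tok in allowed):
        return "exclusion"
    return "allowlist"


def legacy_still_allowed(spec):
    """Positive tokens from LEGACY_MARKERS that the string names explicitly."""
    allowed, _ = parse_cipher_string(spec)
    return sorted(tok for tok in allowed if tok in LEGACY_MARKERS)


def resolve(spec):
    """Ask the linked OpenSSL which suite names the string enables.
    Returns None if the string matches nothing on this build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


def report(label, spec):
    print(f"{label}: style={style_of(spec)}")
    for tok in legacy_still_allowed(spec):
        print(f"  explicitly allows {tok}: {LEGACY_MARKERS[tok]}")
    names = resolve(spec)
    if names is None:
        print("  resolves to no suites on this OpenSSL build")
        return
    # Suite names not starting with ECDHE-/DHE-/TLS_ use static key exchange.
    non_pfs = [n for n in names if not n.startswith(("ECDHE-", "DHE-", "TLS_"))]
    print(f"  resolves to {len(names)} suites, {len(non_pfs)} without forward secrecy")


if __name__ == "__main__":
    report("weakdh.org allow-list", WEAKDH_LIST)
    report("exclusion-style list", EXCLUSION_LIST)
```

The counts printed by resolve() depend on the OpenSSL version Python links against, which is the point the reply makes: an allow-list pins the set of suites to whatever existed when it was written, while the exclusion form tracks the library. Note that both strings only govern TLS 1.2 and earlier suites; TLS 1.3 suites are configured separately in OpenSSL.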