Hi Aki,

Where do I get testssh.sl? If the script is of your design could you mail it to me?

Yours
Stefan

Von: Aki Tuomi <aki.tuomi@open-xchange.com>
Gesendet: Mittwoch, 14. Juli 2021 19:34
An: Stefan Schumacher <s.schumacher@consulting1x1.com>; dovecot@dovecot.org <dovecot@dovecot.org>
Betreff: Re: TLS Security
 

> On 14/07/2021 17:55 Stefan Schumacher <s.schumacher@consulting1x1.com> wrote:
>
>
> Hi,
>
>
> I wish to build a new secure email server. It seems I am on the right way – at least I get no more error messages for Postfix – but Dovecot is still making trouble.
>
>
> I am using Dovecot 1:2.3.4.1-5+deb10u6 and I am using ISPconfig 3.25 to do the rough configuring and nano and whats left of my brain to do the finer details. Lets start with what I added to conf.d/10-ssl.conf
>
>
> ssl_cert = </etc/letsencrypt/live/servername/fullchain.pem
> ssl_key = </etc/letsencrypt/live/servername/privkey.pem
>
>
> ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aR$
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
> ssl_min_protocol = TLSv1.2
>
>
> As you can see, I clearly do not want to use TLS before v1.2. I think this is not unreasonable in the year 2021.
>
>
> Now, after the changes I ran Kali (I use it to verify the results of my experiments)
> and - this is a mailing list, so no screenshots:
> It says:
>
>
> SSL/TLS Deprecated TLS v1.0 and TLS v1.1 Detection. I get this for the ports 143, 110, 993 and 995.
>
>
> I thought I had done everything one could to disable old TLS-Versions. What am I doing wrong?
>
>
> Yours sincerely
> Stefan Schumacher
>
>

Hi!

First of all, 2.3.4.1 is bit old, and has no proper support for TLSv1.3, which is supported better on a later version. Now, I installed 2.3.4.1 from debian 10, and tested with testssl.sh and got

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

TLSv1.2 (no server order, thus listed by strength)
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 521   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             
 xc014   ECDHE-RSA-AES256-SHA              ECDH 521   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 521   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256       
 xc077   ECDHE-RSA-CAMELLIA256-SHA384      ECDH 521   Camellia    256      TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384        
 xc061   ECDHE-ARIA256-GCM-SHA384          ECDH 521   ARIAGCM     256      TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384            
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 521   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 521   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             
 xc013   ECDHE-RSA-AES128-SHA              ECDH 521   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                
 xc076   ECDHE-RSA-CAMELLIA128-SHA256      ECDH 521   Camellia    128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256        
 xc060   ECDHE-ARIA128-GCM-SHA256          ECDH 521   ARIAGCM     128      TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256            
TLSv1.3 (no server order, thus listed by strength)
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                            
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                      
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256       

I used:

listen = *
mail_attribute_dict = file:%h/Mail/dovecot-attributes
mail_gid = vmail
mail_home = /home/vmail/%Lu
mail_location = sdbox:~/Mail
mail_uid = vmail
passdb {
  args = password=#hidden_use-P_to_show#
  driver = static
}
protocols = imap
ssl_cert = <cert.pem
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2

Aki