openssl s_client -CAfile /etc/pki/tls/certs/cacert.pem -connect redacted.fqdn:143
Bit depth of the certificate is 4096. Bit depth of the root CA is 4096, no intermediate CA here.
ssl_cipher_list = PROFILE=SYSTEM
update-crypto-policies --show
DEFAULT:DISABLE-MY-WEAK
the MY-WEAK is:
cipher = -CHACHA20-POLY1305
mac@SSH = -HMAC-SHA1 -UMAC-128
etm@SSH = DISABLE_ETM
group = -SECP521R1
But with DEFAULT only it is the same result.
On:
grep -E "params size|TLS protocols" /usr/share/crypto-policies/policies/*.pol
it seems I am fulfilling all the requirements.
Could it be dovecot is not loading the certificate at all?
Marek
Sent with Proton Mail secure email.
On Thursday, November 20, 2025, 17:04, pgnd <pgnd@dev-mail.net> wrote:
When trying openssl s_client to port 143
show the command you're using
what's the bit-depth of your self-signed cert?
you are forcing
ssl_cipher_list = PROFILE=SYSTEM
on that system, what's the output of
update-crypto-policies --show
?
check whatever policy your system's got defined
grep -E "params size|TLS protocols" /usr/share/crypto-policies/policies/*.pol
for minimum param size reqt's