On Tue, 2020-11-10 at 14:05 +0800, Jeremy Ardley wrote:
> I also use STARTTLS, though I expose that on both IMAP and IMAPS ports, which is consistent with a number of major imap providers.
Yeah, the choice to use only STARTTLS over IMAP (no IMAPS) was mine. I do force TLS though; generally it makes it easier for me to hand out instructions for people to connect to the server (I host email for a few different organisations).
> Selection of ciphers is important. I researched this recently and use this stanza in the configuration:
>
> ssl = required
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
> ssl_prefer_server_ciphers = yes
I agree that cipher settings are important, and the only other thing I am going to say is that compared to your settings mine are severely stricter (if not anally retentive) :)
> The defaults in dovecot are shown commented in conf.d/10-ssl.conf. They are not best practice for security.
I find that no default setting is "best practice" and that anyone configuring any kind of service should look at all the configuration directives and consider what they should be set to - this is why we have sysadmins, because someone has to do more than "apt install" or "wget foo.sh | sudo ./foo.sh --install".
Nikolai Lusan nikolai@lusan.id.au
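The thread's point is that the commented-out defaults in conf.d/10-ssl.conf do nothing, and that every TLS directive deserves a deliberate value. The following script is an added example, not code from either poster: it parses the active `key = value` directives of a Dovecot SSL stanza and reports the settings a reviewer would flag (plaintext still allowed, no protocol floor, over-broad or weak cipher tokens, server preference off). The two stanzas it checks are constructed for the example; the first reproduces the stanza quoted above, the second is a made-up lax configuration where the hardening directives are only present as comments.

```python
"""Audit the TLS directives of a Dovecot 10-ssl.conf stanza (added example)."""
import re

# Constructed sample: the stanza quoted in the thread.
QUOTED_STANZA = """
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_prefer_server_ciphers = yes
"""

# Constructed sample of a lax file: the hardening lines are commented out,
# which Dovecot treats exactly like not setting them at all.
LAX_STANZA = """
ssl = yes
#ssl_min_protocol = TLSv1.2
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
#ssl_prefer_server_ciphers = yes
"""

# OpenSSL cipher-string tokens that, when used positively (not negated with
# '!'), either pull in weak suites or are too broad to be a deliberate choice.
WEAK_CIPHER_TOKENS = {"ALL", "COMPLEMENTOFALL", "RC4", "3DES", "DES", "MD5",
                      "NULL", "aNULL", "eNULL", "EXP", "EXPORT", "LOW", "MEDIUM"}


def parse_dovecot_directives(text):
    """Return {key: value} for the active `key = value` lines only.

    Comment lines ('#...') are skipped: a commented-out default protects
    nothing. Block delimiters such as 'protocol imap {' are skipped too; this
    is deliberately a flat parse of one stanza, not a full Dovecot config parser.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if "{" in line or "}" in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip()] = value.strip()
    return directives


def _tls_version(value):
    """Map 'TLSv1', 'TLSv1.2', 'TLSv1.3' to a comparable tuple, else None."""
    m = re.fullmatch(r"TLSv1(?:\.(\d))?", value)
    if m is None:
        return None
    return (1, int(m.group(1) or 0))


def weak_cipher_tokens(cipher_list):
    """Return the set of weak/over-broad tokens that are enabled, not negated."""
    weak = set()
    for token in cipher_list.split(":"):
        token = token.strip()
        if not token or token[0] in "!-":
            continue  # '!LOW', '-RC4' etc. remove suites; that is fine
        base = token.split("@")[0]  # drop sort annotations such as '@STRENGTH'
        for part in base.split("+"):
            if part in WEAK_CIPHER_TOKENS:
                weak.add(part)
    return weak


def audit_dovecot_ssl(text):
    """Return a list of human-readable findings; an empty list means no issues."""
    d = parse_dovecot_directives(text)
    findings = []

    ssl = d.get("ssl", "no")
    if ssl != "required":
        findings.append(f"ssl = {ssl}: plaintext sessions are still accepted; "
                        "set ssl = required")

    min_proto = d.get("ssl_min_protocol")
    if min_proto is None:
        findings.append("ssl_min_protocol is unset: protocol floor is left to "
                        "the TLS library defaults; set TLSv1.2 or newer")
    else:
        version = _tls_version(min_proto)
        if version is None or version < (1, 2):
            findings.append(f"ssl_min_protocol = {min_proto}: below TLSv1.2")

    ciphers = d.get("ssl_cipher_list")
    if ciphers is None:
        findings.append("ssl_cipher_list is unset: cipher selection is left to "
                        "the TLS library defaults")
    else:
        weak = sorted(weak_cipher_tokens(ciphers))
        if weak:
            findings.append("ssl_cipher_list enables weak or over-broad tokens: "
                            + ", ".join(weak))

    if d.get("ssl_prefer_server_ciphers", "no") != "yes":
        findings.append("ssl_prefer_server_ciphers is not yes: the client's "
                        "preference order decides which suite is used")
    return findings


if __name__ == "__main__":
    for name, stanza in (("quoted", QUOTED_STANZA), ("lax", LAX_STANZA)):
        print(f"--- {name} ---")
        for finding in audit_dovecot_ssl(stanza) or ["no findings"]:
            print(" ", finding)
```

Run it as-is to see the quoted stanza pass and the lax one produce four findings, or point `audit_dovecot_ssl` at the contents of your own 10-ssl.conf. The check is intentionally conservative: it only reasons about the four directives discussed in the thread, and it treats a commented line the same way Dovecot does, as absent.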