11 Nov 2020, 12:44 a.m.
On Mon, 9 Nov 2020, Raymond Herrera wrote:
I am preparing a new server, with Dovecot 2.2.36 and would like to know the currently recommended protocols. Should I stick to what I have? I would prefer to start with the easiest configuration possible, which I will revise later.
This is the command that I have been using to verify the server's functionality:
% openssl s_client -connect localhost:imaps
Implicit SSL (SSL/TLS) has the slight advantage over STARTTLS as a MITM cannot strip the STARTTLS server banner during the session handshake and downgrade the client to plaintext.
However, the most important security considerations are:
- set SSL version to at least TLS 1.2 to avoid known weaknesses in older versions.
- set cipher list to avoid weak ciphers. One of many guides:
  https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
- (client) enforce SSL connection (i.e. refuse plaintext sessions).
Joseph Tam jtam.home@gmail.com
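A Dovecot 2.2 configuration that applies the three points in the reply above (minimum TLS 1.2, a restricted cipher list, no plaintext sessions). This is an added example, not a snippet from the thread or from the Dovecot project; the certificate and key paths, the hostname and the exact cipher string are assumptions to adapt locally. It uses the 2.2 `ssl_protocols` syntax because that is the release the question names; Dovecot 2.3 replaced it with `ssl_min_protocol`.

```conf
# /etc/dovecot/conf.d/10-ssl.conf  (Dovecot 2.2.x; all paths are assumptions)

# Weak (commented out): TLS optional, SSLv3 and TLS 1.0/1.1 still accepted,
# cipher choice left to the OpenSSL default, plaintext sessions allowed.
#ssl = yes
#ssl_protocols = !SSLv2
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

# Hardened:

# Refuse IMAP/POP3 sessions that never negotiate TLS (implicit or STARTTLS).
ssl = required

# Assumed certificate and key locations for imap.example.org.
ssl_cert = </etc/dovecot/certs/imap.example.org.pem
ssl_key = </etc/dovecot/private/imap.example.org.key

# Dovecot 2.2 has no ssl_min_protocol (that arrived in 2.3), so exclude every
# older version explicitly; only TLSv1.2 remains.
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

# Forward-secret AEAD suites only. This is one illustrative list, not a
# canonical one; derive yours from the SSL Labs guide linked above.
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
ssl_prefer_server_ciphers = yes

# 2.2 only (default is 1024 bits); 2.3 replaced this with ssl_dh = </path/to/dh.pem
ssl_dh_parameters_length = 2048

# /etc/dovecot/conf.d/10-auth.conf

# Reject LOGIN/AUTHENTICATE on a connection that is not yet encrypted
# (connections from localhost and from login_trusted_networks stay exempt).
disable_plaintext_auth = yes
```

After `doveadm reload`, `doveconf -n ssl_protocols` shows the effective setting, and the same `openssl s_client` command from the question can be used as the check: `openssl s_client -connect localhost:imaps -tls1_1` must now fail the handshake while `-tls1_2` succeeds, and `openssl s_client -connect localhost:imap -starttls imap` exercises the STARTTLS path. For the negative test to mean anything your local openssl must itself still be willing to offer TLS 1.1; if it refuses before sending a ClientHello you have tested the client, not the server. With `disable_plaintext_auth = yes` the unencrypted port 143 banner advertises LOGINDISABLED and a `LOGIN` sent before STARTTLS from a non-local address is rejected.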