Am 09.01.2015 um 08:58 schrieb ml@ruggedinbox.com:
Hi thanks for your help! Trying to set your same parameters, when restarting dovecot, gives the error:
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers doveconf: Error: managesieve-login: dump-capability process returned 89 doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers [....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers doveconf: Error: managesieve-login: dump-capability process returned 89 doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers
and if trying to comment the line with 'ssl_prefer_server_ciphers', dovecot restarts fine but same problem as before, claws-mail can't connect.
dovecot version is 2.1.7
any hints ?
On 2015-01-09 07:50, Philipp Resch wrote:
Am 09.01.2015 um 08:07 schrieb ml@ruggedinbox.com:
Hi all, when hardening dovecot against the POODLE vulnerability, we followed the advise to disable SSL2 and SSL3 but this is giving problems with some email clients (claws-mail).
ssl_protocols = !SSLv2 !SSLv3
results in the following error:
dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<2C8jBjIMmQBVGNd1>
Our smtp server is postfix, can you please suggest a better 'ssl_protocols' and 'ssl_cipher_list' configuration ? We are running Debian 7 Wheezy
Thank you, RuggedInbox team
Hi,
this is my config on Wheezy. I don't know if it's 'best', but it works for us:
# SSL protocols to use ssl_protocols = !SSLv2 !SSLv3 # Prefer the server's order of ciphers over client's. ssl_prefer_server_ciphers = yes ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2
Cheers, Philipp
Hi,
yes, the ssl_prefer_server_ciphers setting was introduced in 2.2.x
It seems as if claws mail is preferring SSLv3, have you tried connecting with another client (e.g. Thunderbird)? If that works you might want to check with the CM devs...
Cheers, Philipp