Re: [Dovecot] How do I make dovecot not use sslv2 for pop?
From: Timo Sirainen tss@iki.fi
Subject: Re: [Dovecot] How do I make dovecot not use sslv2 for pop?
Message-ID: 1264724551.22202.139.camel@hurina
Anyway.. I guess I should do something about this. Not really sure what, though.
Timo,
you can simply stop supporting SSLv2. Nobody really needs security known to be insecure.
-- Andreas Schulze Internetdienste | P532
On 29.1.2010, at 9.23, Andreas Schulze wrote:
From: Timo Sirainen tss@iki.fi
Subject: Re: [Dovecot] How do I make dovecot not use sslv2 for pop?
Message-ID: 1264724551.22202.139.camel@hurina
Anyway.. I guess I should do something about this. Not really sure what, though.
Timo,
you can simply stop supporting SSLv2. Nobody really needs security known to be insecure.
Yeah. I'm actually more wondering about SSLv3+TLSv1 vs. TLSv1. Apparently disabling SSLv3 isn't a good idea yet? But still, maybe there should be a configuration option for that.. Or maybe not.
On 29/01/2010 6:56 PM, Timo Sirainen wrote:
On 29.1.2010, at 9.23, Andreas Schulze wrote:
From: Timo Sirainen tss@iki.fi
Subject: Re: [Dovecot] How do I make dovecot not use sslv2 for pop?
Message-ID: 1264724551.22202.139.camel@hurina
Anyway.. I guess I should do something about this. Not really sure what, though.
Timo,
you can simply stop supporting SSLv2. Nobody really needs security known to be insecure.
Yeah. I'm actually more wondering about SSLv3+TLSv1 vs. TLSv1. Apparently disabling SSLv3 isn't a good idea yet? But still, maybe there should be a configuration option for that.. Or maybe not.
The only SSLv3 connections my server is receiving are from a Blackberry server (hosted, not enterprise). I would be quite happy to disable that and insist folk get iPhones instead ... but the bosses may be unhappy.
I don't have anything ancient like Outlook Express connecting to me - older versions of that probably have a similar problem to Internet Explorer 6. However should at least cope with SSLv3.
Blackberry server is connecting as: "SSLv3 with cipher AES128-SHA (128/128 bits)" (%k in dovecot login_log_format_elements)
Rob.
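Added example, not part of the original thread: a way to check which clients still negotiate SSLv2/SSLv3 before disabling them, by tallying the %k string from Dovecot login log lines. The log lines are constructed, and their layout assumes login_log_format_elements includes user=<%u>, rip=%r and %k; adjust the patterns to the local format.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). Assumed layout: the login
# line carries user=<%u>, rip=%r and, for SSL/TLS sessions, the %k string.
SAMPLE_LOG = """\
Jan 29 10:01:12 mail dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 29 10:02:40 mail dovecot: imap-login: Login: user=<bb-relay>, method=PLAIN, rip=198.51.100.7, SSLv3 with cipher AES128-SHA (128/128 bits)
Jan 29 10:03:05 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.44, TLSv1 with cipher AES128-SHA (128/128 bits)
Jan 29 10:05:51 mail dovecot: imap-login: Login: user=<bb-relay>, method=PLAIN, rip=198.51.100.7, SSLv3 with cipher AES128-SHA (128/128 bits)
Jan 29 10:06:02 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.99
"""

# %k renders as "<protocol> with cipher <name> (<used>/<total> bits)"
K_RE = re.compile(r"(SSLv\d|TLSv\d(?:\.\d)?) with cipher (\S+) \((\d+)/(\d+) bits\)")
USER_RE = re.compile(r"user=<([^>]*)>")
RIP_RE = re.compile(r"\brip=([^,\s]+)")
LEGACY = {"SSLv2", "SSLv3"}

def tally(log_text):
    """Count logins per (protocol, cipher, user, remote IP); skip lines without %k."""
    counts = Counter()
    for line in log_text.splitlines():
        k = K_RE.search(line)
        if k is None:  # plaintext session, or %k not logged on this line
            continue
        user = USER_RE.search(line)
        rip = RIP_RE.search(line)
        key = (k.group(1), k.group(2),
               user.group(1) if user else "?",
               rip.group(1) if rip else "?")
        counts[key] += 1
    return counts

def legacy_clients(counts):
    """Clients that would stop connecting if SSLv2/SSLv3 were disabled, busiest first."""
    rows = [(proto, cipher, user, rip, n)
            for (proto, cipher, user, rip), n in counts.items() if proto in LEGACY]
    return sorted(rows, key=lambda r: (-r[4], r[2], r[3]))

if __name__ == "__main__":
    for proto, cipher, user, rip, n in legacy_clients(tally(SAMPLE_LOG)):
        print(f"{n:4d}  {proto:6s} {cipher:20s} {user} from {rip}")
```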
participants (3)
- Andreas Schulze
- Rob Middleton
- Timo Sirainen