Hi thanks for your help, follows the doveconf -n output:

# 2.1.7: /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-042stab094.7 x86_64 Debian 7.7 simfs auth_mechanisms = plain login auth_verbose = yes debug_log_path = /var/log/dovecot/debug.log default_client_limit = 8192 default_process_limit = 2048 director_username_hash = %Lu dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -U first_valid_gid = 5000 first_valid_uid = 5000 imap_id_send = name * last_valid_gid = 5000 last_valid_uid = 5000 login_greeting = Welcome to ruggedinbox.com mail_gid = vmail mail_location = maildir:/var/vmail/%d/%n/Maildir:INDEX=/var/vmail/%d/%n/Maildir/indexes mail_max_userip_connections = 25 mail_privileged_group = vmail mail_shared_explicit_inbox = no mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave passdb { args = /etc/dovecot/mysql.conf driver = sql } postmaster_address = postmaster@ruggedinbox.com protocols = imap pop3 sieve replication_full_sync_interval = 1 days service auth { client_limit = 0 drop_priv_before_exec = no executable = auth idle_kill = 0 process_limit = 1 process_min_avail = 0 service_count = 0 unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-client { mode = 0600 } unix_listener auth-login { mode = 0600 user = $default_internal_user } unix_listener auth-master { mode = 0600 } unix_listener auth-userdb { mode = 0666 user = $default_internal_user } unix_listener login/login { mode = 0666 } user = $default_internal_user vsz_limit = 128 M } service imap-login { chroot = login client_limit = 0 drop_priv_before_exec = no executable = imap-login idle_kill = 0 inet_listener imap { port = 143 ssl = no } inet_listener imaps { port = 993 ssl = yes } process_limit = 0 process_min_avail = 0 protocol = imap service_count = 1 type = login user = $default_login_user vsz_limit = 128 M } service imap { client_limit = 1 drop_priv_before_exec = no executable = imap idle_kill = 0 process_limit = 1024 process_min_avail = 0 protocol = imap service_count = 1 unix_listener login/imap { group = mode = 0666 user = } vsz_limit = 128 M } service lmtp { client_limit = 1 drop_priv_before_exec = no executable = lmtp idle_kill = 0 process_limit = 0 process_min_avail = 0 protocol = lmtp service_count = 0 unix_listener lmtp { mode = 0666 } vsz_limit = 128 M } service pop3-login { chroot = login client_limit = 0 drop_priv_before_exec = no executable = pop3-login idle_kill = 0 inet_listener pop3 { port = 110 ssl = no } inet_listener pop3s { port = 995 ssl = yes } process_limit = 0 process_min_avail = 0 protocol = pop3 service_count = 1 type = login user = $default_login_user vsz_limit = 128 M } service pop3 { client_limit = 1 drop_priv_before_exec = no executable = pop3 idle_kill = 0 process_limit = 1024 process_min_avail = 0 protocol = pop3 service_count = 1 unix_listener login/pop3 { mode = 0666 } vsz_limit = 128 M } shutdown_clients = no ssl_cert =

Thanks and regards, RuggedInbox team

On 2015-01-09 07:38, Charles Marcus wrote:

doveconf -n output?

On 1/9/2015 2:07 AM, ml@ruggedinbox.com ml@ruggedinbox.com wrote:

...

Hi all, when hardening dovecot against the POODLE vulnerability, we followed the advise to disable SSL2 and SSL3 but this is giving problems with some email clients (claws-mail).

ssl_protocols = !SSLv2 !SSLv3

results in the following error:

dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<2C8jBjIMmQBVGNd1>

Our smtp server is postfix, can you please suggest a better 'ssl_protocols' and 'ssl_cipher_list' configuration ? We are running Debian 7 Wheezy

Thank you, RuggedInbox team

Hi thanks for your help! Trying to set your same parameters, when restarting dovecot, gives the error:

doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers doveconf: Error: managesieve-login: dump-capability process returned 89 doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers [....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers doveconf: Error: managesieve-login: dump-capability process returned 89 doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers

and if trying to comment the line with 'ssl_prefer_server_ciphers', dovecot restarts fine but same problem as before, claws-mail can't connect.

dovecot version is 2.1.7

any hints ?

On 2015-01-09 07:50, Philipp Resch wrote:

Am 09.01.2015 um 08:07 schrieb ml@ruggedinbox.com:

...

Hi all, when hardening dovecot against the POODLE vulnerability, we followed the advise to disable SSL2 and SSL3 but this is giving problems with some email clients (claws-mail).

ssl_protocols = !SSLv2 !SSLv3

results in the following error:

dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<2C8jBjIMmQBVGNd1>

Our smtp server is postfix, can you please suggest a better 'ssl_protocols' and 'ssl_cipher_list' configuration ? We are running Debian 7 Wheezy

Thank you, RuggedInbox team

Hi,

this is my config on Wheezy. I don't know if it's 'best', but it works for us:

# SSL protocols to use ssl_protocols = !SSLv2 !SSLv3 # Prefer the server's order of ciphers over client's. ssl_prefer_server_ciphers = yes ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2

Cheers, Philipp

On 1/9/2015 3:06 AM, Philipp Resch philipp@devh.de wrote:

It seems as if claws mail is preferring SSLv3

And since dovecot is really not affected by the poodle vulnerability, if you can't upgrade (I believe 2.2 is in the backports repo?), probably easiest to just reenable SSLv3...