On Mon, 2006-07-24 at 13:48 -0700, Douglas Moore wrote:

First off, thanks for the effort on this software, it's a world
better than the uw-imap that I used to have to deal with...

This isn't a bug report per se, but rather a response to something
that came up during some recent security scans. Given that SSLv2
has it's share of issues, I'd like to suggest that you remove it from
the default ciphers supplied with the source distribution. A
simple :!SSLv2 added to the default cipher list would aid in the
overall security of the package.

I'm not an expert in SSL, so I'd rather be sure that it's actually more helpful than harmful. Does something still use SSLv2? If I do the change, I guess the only thing it does is to break those clients that still try to use it? Is its security already bad enough that it's just better to break them?