Per-protocol ssl_protocols settings
Hi all, I have a question regarding the "ssl_protocols" parameter.
I understand that editing the 10-ssl.conf file I can set the ssl_protocols variable as required. At the same time, I can edit a single protocol file (eg: 20-pop3.conf) to set the ssl_protocols for a specific protocol/listener.
I wonder if (and how) I can create a different listener for another POP3 instance, for example listening on port 10995, and using another ssl_protocols setting.
In short, I would like to create a different, firewalled pop3s service enabling the SSLv3 stack, while disabling it at system-wide settings.
I am able to successfully create a new listener for port 10995, but I don't understand how to associate the ssl_protocols value to the new listener. Simply putting the ssl_protocols value into the listener section gives me a configuration error.
Thank you all.
-- Danti Gionatan Supporto Tecnico Assyoma S.r.l. - www.assyoma.it email: g.danti@assyoma.it - info@assyoma.it GPG public key ID: FF5F32A8
Hi all, anyone with some ideas?
Thanks.
On 2015-02-02 23:08 Gionatan Danti wrote:
Sorry for the bump...
Anyone know if it is possible to have multiple protocols instances with different ssl_protocols settings?
Regards.
On 07/02/15 00:03, Gionatan Danti wrote:
I performed a quick test and it seems that the "ssl_protocols" setting is per-IP only and shared among all listeners defined for that address. As you want this setting to be active for one specific "inet_listener" only (with port 10995 in your case), dovecot would have to permit the "ssl_protocols" directive in that scope, which it doesn’t.
As a workaround I suggest using a special, unused loopback address to which you can apply the distinct SSL settings. You could use iptables/NAT to forward all incoming traffic originating from your external IP on port 10995 to 127.0.0.2:10995 for example. Then configure the POP3 service with an "inet_listener" for 127.0.0.2:10995 and use the "local" directive to set up the SSL protocols without touching global settings:
local 127.0.0.2 { ssl_protocols = !SSLv2 }
Regards, Felix Zandanel
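Felix's workaround assembled into a complete configuration, as an added example that is not part of the thread or of Dovecot's own documentation; the external address 203.0.113.10, the client range 198.51.100.0/24, the interface eth0 and the listener name pop3s_legacy are assumptions:

```conf
# conf.d/10-ssl.conf (global; applies to every listener unless overridden)
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key  = </etc/ssl/private/dovecot.key
# Weak setting the question wants to avoid system-wide:
#   ssl_protocols = !SSLv2
# Hardened default: SSLv3 off everywhere (POODLE), only TLS remains.
ssl_protocols = !SSLv2 !SSLv3

# conf.d/20-pop3.conf (ssl_protocols is NOT accepted inside inet_listener;
# the listener only decides where to bind)
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
  # Second POP3S instance, bound only to an otherwise unused loopback alias
  inet_listener pop3s_legacy {
    address = 127.0.0.2
    port = 10995
    ssl = yes
  }
}

# "local" matches on the IP the client connected TO, so this block is the
# only place where SSLv3 is re-enabled; port 995 keeps the global setting.
local 127.0.0.2 {
  ssl_protocols = !SSLv2
}

# Host firewall (not Dovecot syntax, shown as comments for completeness):
# forward external port 10995 to the loopback alias and restrict who may
# reach it, so SSLv3 is only negotiable by the known legacy clients.
#   sysctl -w net.ipv4.conf.eth0.route_localnet=1   # needed for DNAT to 127/8
#   iptables -t nat -A PREROUTING -d 203.0.113.10 -p tcp --dport 10995 \
#       -s 198.51.100.0/24 -j DNAT --to-destination 127.0.0.2:10995
#   iptables -A INPUT -d 127.0.0.2 -p tcp --dport 10995 -j ACCEPT
# Verify the effective per-IP settings after reload:
#   doveconf -n | grep -A1 'local 127.0.0.2'
```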
On 09.02.2015 at 11:33 Gionatan Danti g.danti@assyoma.it wrote:
It is precisely what I need, thank you very much.
As a side note, I did not find any reference to the "local" (and "remote") directives on the wiki (although man doveconf showed some references).
Where can I find documentation of all allowed directives?
Thanks again.
On 2015-02-09 14:54 Felix Zandanel wrote: