TLS problem after upgrading from v2.2 to v2.3
Hi *,
The change in default SSL settings between 2.2 and 2.3 cut off a few clients; Microsoft-hosted Exchange (?) being one of them:
Jan 4 11:02:56 kremail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=40.101.4.hisip, lip=myip, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<8SGob/BhTdcoZQS1>
Explicitly setting ssl_cipher_list to the old defaults helped: ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
Does someone have an idea what to recommend to the poor user, or should I accept that I stay with the old defaults? The guy is cooperative, so we can find out which of the !'s in the new defaults actually breaks the connection... if you think it's worth it.
Thanks for your help,
Jan
Hi,
what are your settings?
Mine are below and they work just fine:
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3
Thanks and regards
Goetz R. Schultz
On 04/01/18 18:56, Jan Vejvalka wrote:
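Jan asks which "!" rule in a tightened ssl_cipher_list is the one that leaves the client with no shared cipher, and Goetz's list ends in "!SSLv3". The following added example (not from either poster or from Dovecot) expands cipher strings with the local OpenSSL via Python's ssl module, computes the overlap with a client's offered suites, and reports which single exclusion is to blame; the client's suite set is a constructed sample, since the real ClientHello is not shown in the thread, and the "tightened" list is hypothetical.

```python
import ssl

# Old 2.2 default as quoted in the thread.
OLD_DEFAULT = "ALL:!LOW:!SSLv2:!EXP:!aNULL"

# Constructed sample client: only offers RSA-key-exchange CBC suites.
# (Assumption for illustration; the thread does not show the real ClientHello.)
LEGACY_CLIENT = {"AES128-SHA", "AES256-SHA"}


def ciphers_for(cipher_string):
    """Expand an OpenSSL cipher string the way libssl expands ssl_cipher_list.
    TLS 1.3 suites are dropped because the cipher string does not govern them.
    Returns an empty set if OpenSSL can select no cipher at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # "no cipher can be selected"
        return set()
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def shared(cipher_string, client_offered):
    """Suites both sides accept; empty means SSL_accept() ends in 'no shared cipher'."""
    return ciphers_for(cipher_string) & set(client_offered)


def breaking_exclusions(cipher_string, client_offered):
    """Which '!' rules, dropped one at a time, restore a shared suite.
    Returns [] if the list already works or no single rule is to blame."""
    if shared(cipher_string, client_offered):
        return []
    parts = cipher_string.split(":")
    culprits = []
    for i, rule in enumerate(parts):
        if rule.startswith("!"):
            trial = ":".join(parts[:i] + parts[i + 1:])
            if shared(trial, client_offered):
                culprits.append(rule)
    return culprits


if __name__ == "__main__":
    # Hypothetical tightened list: one rule drops RSA key exchange entirely.
    tightened = "ALL:!aNULL:!eNULL:!kRSA"
    print("old default shares:", sorted(shared(OLD_DEFAULT, LEGACY_CLIENT)))
    print("tightened list shares:", sorted(shared(tightened, LEGACY_CLIENT)))
    print("rule(s) to relax:", breaking_exclusions(tightened, LEGACY_CLIENT))
    # '!SSLv3' in a cipher string removes suites whose minimum protocol is SSLv3
    # (AES128-SHA, ECDHE-RSA-AES128-SHA, ...); it does not switch the SSLv3
    # protocol off. Dovecot 2.3's ssl_min_protocol setting does that.
    print("with !SSLv3:", sorted(shared("ALL:!aNULL:!SSLv3", LEGACY_CLIENT)))
```

Run it on the server whose libssl Dovecot links against, since the expansion of keywords such as ALL and LOW differs between OpenSSL versions.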