[Dovecot] SSL with startssl.com certificates

Reindl Harald h.reindl at thelounge.net
Wed Oct 9 22:17:43 EEST 2013


On 09.10.2013 21:06, Dan Langille wrote:
> On Oct 6, 2013, at 5:06 PM, Reindl Harald wrote:
>> and mail.app is working even with *self signed* certificates and dovecot 2.2
>> you only have to accept / import the certificate
>> proven by a testserver all day long
> 
> It seems that the test server is not testing this particular situation.

it is not the server's job to accept the cert
the particular server makes it even harder as defaults

ssl_cipher_list = EECDH-AES256:EECDH-AES:DHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-AES256:EDH-AES128:EDH-AES:EECDH-RC4:DHE-RC4:EDH-RC4:AES256-SHA:AES128-SHA:TLSv1+HIGH:HIGH:RC4+MEDIUM:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2:!PSK:@STRENGTH
ssl_prefer_server_ciphers = yes

>> so i assume the problem exists between chair and keyboard
> 
> Turns out, this assumption is incorrect.
> 
> Just saying

imap-login: OK: imap at testserver.rhsoft.net, 91.118.73.200, CRAM-MD5, TLSv1 with cipher DHE-RSA-AES256-SHA

* dovecot 2.2.6 / openssl-1.0.1e
* self signed certificate
* 4096 Bit (recently changed from 2048 bit and had to be again accepted by the user)
* Apple OSX Mail.app

it's not the job of the server to accept the cert
period

