[Dovecot] dovecot and PFS
Emmanuel Dreyfus
manu at netbsd.org
Tue Sep 10 10:54:50 EEST 2013
Hi
Is there known advice on how to favor PFS with dovecot?
In Apache, I use the following directives, which cause all modern
browsers to adopt 256 bit PFS ciphers, while keeping backward
compatibility with older browsers and avoiding the BEAST attack:
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10-SHA1:RC4:!MD5:!DES:!aNULL:!eNULL
dovecot does not care about BEAST, since the attacker cannot inject
traffic. Therefore the cipher list gets simpler in dovecot.conf:
ssl_cipher_list = ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:!MD5:!DES:!aNULL:!eNULL
But that list is good for browsers. I am not aware of documentation
about what ciphers are advertised by various mail clients. How can I
know if that setting has some success pushing PFS? How can I
discover which clients fail to negotiate PFS ciphers?
--
Emmanuel Dreyfus
manu at netbsd.org
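Added example (not part of the original post, and not Dovecot's own code): a small Python script that answers the last two questions from the log side. It assumes that login_log_format_elements in dovecot.conf has been extended with %k (Dovecot's ssl_security variable) so that each TLS login line records the negotiated protocol and cipher; the log lines embedded in it are constructed samples, not real traffic. It parses each Login line, classifies the cipher as PFS or not by its OpenSSL name prefix (ECDHE-, DHE-, EDH-; everything else is static RSA key exchange) and reports the client IPs that did not negotiate a PFS cipher, which is exactly the list of clients the cipher order is failing to push.

```python
import re
from collections import Counter

# Constructed sample login lines (not real log data). They assume
# login_log_format_elements in dovecot.conf was extended with %k, Dovecot's
# ssl_security variable, so each TLS login line carries
# "<protocol> with cipher <name> (<bits>/<alg bits> bits)". The last line
# is a plaintext login with no TLS information at all.
SAMPLE_LOG = """\
Sep 10 10:54:50 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, mpid=4101, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 10 10:55:02 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, mpid=4102, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 10 10:55:17 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, mpid=4103, TLS, TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 10 10:55:40 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.13, lip=198.51.100.5, mpid=4104, TLS, SSLv3 with cipher RC4-SHA (128/128 bits)
Sep 10 10:56:01 mail dovecot: imap-login: Login: user=<erin>, method=PLAIN, rip=192.0.2.14, lip=198.51.100.5, mpid=4105
"""

LOGIN_RE = re.compile(
    r"(?P<service>\w+-login): Login: user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,]+)")
CIPHER_RE = re.compile(
    r"(?P<protocol>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)")

# OpenSSL cipher names whose key exchange is ephemeral (EC)DH. "EDH-" is the
# older OpenSSL spelling for DHE with 3DES (e.g. EDH-RSA-DES-CBC3-SHA).
# Everything else (AES128-SHA, RC4-SHA, DES-CBC3-SHA, ...) uses static RSA
# key exchange and therefore gives no forward secrecy.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_pfs(cipher):
    """True if the OpenSSL cipher name uses ephemeral (EC)DH key exchange."""
    return cipher.startswith(PFS_PREFIXES)


def parse_login(line):
    """Return a dict for a Dovecot Login line, or None if the line is not one."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    rec = {"service": m.group("service"), "user": m.group("user"),
           "rip": m.group("rip"), "protocol": None, "cipher": None, "bits": None}
    c = CIPHER_RE.search(line)
    if c is not None:  # absent on plaintext logins
        rec["protocol"] = c.group("protocol")
        rec["cipher"] = c.group("cipher")
        rec["bits"] = int(c.group("bits"))
    return rec


def summarize(log_text):
    """Classify every login as pfs / non_pfs / plaintext and collect the
    logins (client IP, user, protocol, cipher) that did not get PFS."""
    counts = Counter()
    non_pfs_logins = []
    ciphers_by_client = {}
    for line in log_text.splitlines():
        rec = parse_login(line)
        if rec is None:
            continue
        if rec["cipher"] is None:
            counts["plaintext"] += 1
            continue
        ciphers_by_client.setdefault(rec["rip"], set()).add(rec["cipher"])
        if is_pfs(rec["cipher"]):
            counts["pfs"] += 1
        else:
            counts["non_pfs"] += 1
            non_pfs_logins.append(rec)
    return {"pfs": counts["pfs"], "non_pfs": counts["non_pfs"],
            "plaintext": counts["plaintext"],
            "non_pfs_logins": non_pfs_logins,
            "ciphers_by_client": ciphers_by_client}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("PFS logins: %d, non-PFS logins: %d, plaintext logins: %d"
          % (s["pfs"], s["non_pfs"], s["plaintext"]))
    for r in s["non_pfs_logins"]:
        print("no PFS: rip=%s user=%s %s %s"
              % (r["rip"], r["user"], r["protocol"], r["cipher"]))
```

To use it on a live server, feed the contents of your Dovecot log file to summarize() instead of SAMPLE_LOG. A client that keeps showing up under non_pfs_logins while other clients on the same server negotiate ECDHE ciphers is one that does not offer any PFS suite, so the server-side cipher order cannot help it; the ciphers_by_client map shows what each client actually ended up with over time.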