[Dovecot] dovecot and PFS

Robert Schetterer rs at sys4.de
Wed Sep 11 20:16:02 EEST 2013


On 11.09.2013 19:10, Frank Behrens wrote:
> Hi Emmanuel!
> 
> On 10.09.2013 09:54, Emmanuel Dreyfus wrote:
>> Hi
>>
>> Is there any known advice on how to favor PFS with dovecot?
>>
>> In Apache, I use the following directives, which cause all modern
>> browsers to adopt 256 bit PFS ciphers, while keeping backward
>> compatibility with older browsers and avoiding the BEAST attack:
>> SSLProtocol all -SSLv2
>> SSLHonorCipherOrder On
> 
> "SSLHonorCipherOrder" is not yet supported in dovecot. I use the following hack/patch:
> 
> --- src/login-common/ssl-proxy-openssl.c.orig   2013-08-05 18:08:13.000000000 +0200
> +++ src/login-common/ssl-proxy-openssl.c        2013-09-09 18:20:05.184890563 +0200
> @@ -1276,6 +1276,7 @@ ssl_server_context_init(const struct log
>                         ctx->cipher_list, ssl_last_error());
>         }
>         SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols));
> +       SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
> 
>         if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) {
>                 i_fatal("Can't load ssl_cert: %s",
> 
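Review bot: the added `SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);` is unconditional, so every build carrying this patch silently switches from client to server cipher preference with no way to turn it off; gate it behind a setting carried in `ctx`, the way the line above already derives the protocol options from `ctx->protocols`, so administrators whose clients rely on their own ordering can keep the old behaviour. A second `SSL_CTX_set_options` call is harmless because the options are OR-ed into the existing bits, but folding it into the preceding call, `SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols) | SSL_OP_CIPHER_SERVER_PREFERENCE);`, keeps all option handling in one place. Also worth stating in the patch description: this only enforces the order of `ctx->cipher_list` set just above; a client that offers no ephemeral (ECDHE/DHE) suites at all will still negotiate a non-PFS suite from that list, so this prefers PFS, it does not require it.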

That looks interesting, what is Timo's opinion on that patch?

> 
> 
>> SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10-SHA1:RC4:!MD5:!DES:!aNULL:!eNULL
>>
>> dovecot does not care about BEAST, since an attacker cannot inject
>> traffic. Therefore the cipher list gets simpler in dovecot.conf:
>> ssl_cipher_list = ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:!MD5:!DES:!aNULL:!eNULL
>>
>> But that list is good for browsers. I am not aware of documentation
>> about what ciphers are advertised by various mail clients. How can I
>> know if that setting has some success pushing PFS? How can I
>> discover which clients fail to negotiate PFS ciphers?
> 
> I have in my dovecot.conf:
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c %k
> The "%k" writes the negotiated cipher into the log, see also
> http://wiki2.dovecot.org/Variables
> 
> Regards,
>     Frank
> 



Best Regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
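As an added example (not code from this thread or from Dovecot), the script below answers Emmanuel's last question using Frank's `%k` suggestion: it reads login lines written with the `login_log_format_elements` quoted above, pulls the negotiated cipher out of the `%k` field, and lists the clients that did not negotiate an ephemeral (ECDHE/DHE) key exchange. The log lines in it are constructed, and the `TLSv1.2 with cipher NAME (bits/bits bits)` shape assumed for the `%k` field is an assumption about Dovecot's output, so adjust `SECURITY_RE` if your logs differ. The prefix-based classification goes a little beyond the thread by also recognising TLS 1.3 cipher names, which always use an ephemeral exchange.

```python
"""Classify Dovecot login log lines by negotiated TLS cipher (added example).

Assumes login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c %k and
that %k renders as "TLSv1.2 with cipher NAME (bits/bits bits)"; both are
assumptions about the log shape, not something taken from Dovecot's source.
"""
import re
from collections import Counter

# Constructed sample lines for this example; they are not real traffic.
SAMPLE_LOG = """\
Sep 11 19:12:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 11 19:12:05 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, TLS, TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 11 19:12:09 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 11 19:12:14 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.13, lip=198.51.100.5, TLS, TLSv1 with cipher AES256-SHA (256/256 bits)
Sep 11 19:12:20 mail dovecot: imap-login: Login: user=<erin>, method=PLAIN, rip=192.0.2.14, lip=198.51.100.5
Sep 11 19:12:25 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=192.0.2.15, lip=198.51.100.5, TLS handshaking: SSL_accept() failed
Sep 11 19:13:02 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=198.51.100.5, TLS, TLSv1 with cipher AES128-SHA (128/128 bits)
"""

# Successful login lines only; disconnects and handshake failures are skipped.
LOGIN_RE = re.compile(
    r"(?P<service>\w+-login): Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>[^,]+), rip=(?P<rip>[^,]+), lip=(?P<lip>[^,\s]+)"
    r"(?P<rest>.*)$"
)
# Assumed shape of the %k element; edit this if your Dovecot prints it differently.
SECURITY_RE = re.compile(
    r"(?P<proto>(?:TLS|SSL)v[\d.]+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<alg_bits>\d+) bits\)"
)

# OpenSSL cipher names put the key exchange first: ECDHE-/DHE-/EDH- suites use an
# ephemeral exchange and give forward secrecy; a bare name such as AES128-SHA is
# RSA key transport and a static ECDH suite starts with "ECDH-", neither has PFS.
# TLS 1.3 names (TLS_AES_...) always use ephemeral (EC)DHE. Anonymous ADH-/AECDH-
# suites are ephemeral but unauthenticated; !aNULL in the list above removes them,
# so they are deliberately not counted as PFS here.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")


def has_pfs(cipher: str) -> bool:
    """True if the cipher name denotes an authenticated ephemeral key exchange."""
    return cipher.startswith(PFS_PREFIXES)


def parse_login(line: str):
    """Return a dict for a successful login line, or None for any other line."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    entry = {"service": m["service"], "user": m["user"], "rip": m["rip"],
             "proto": None, "cipher": None, "bits": None}
    s = SECURITY_RE.search(m["rest"])
    if s is not None:  # absent on plaintext logins (%k is empty without TLS)
        entry.update(proto=s["proto"], cipher=s["cipher"], bits=int(s["bits"]))
    return entry


def summarize(log_text: str) -> dict:
    """Count PFS / non-PFS / plaintext logins and collect the non-PFS clients."""
    report = {"plaintext": 0, "pfs": 0, "non_pfs": 0,
              "ciphers": Counter(), "non_pfs_clients": set()}
    for line in log_text.splitlines():
        entry = parse_login(line)
        if entry is None:
            continue
        if entry["cipher"] is None:
            report["plaintext"] += 1
            continue
        report["ciphers"][entry["cipher"]] += 1
        if has_pfs(entry["cipher"]):
            report["pfs"] += 1
        else:
            report["non_pfs"] += 1
            report["non_pfs_clients"].add(
                (entry["user"], entry["rip"], entry["proto"], entry["cipher"]))
    return report


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    print(f"TLS logins with PFS: {rep['pfs']}, without PFS: {rep['non_pfs']}, "
          f"plaintext: {rep['plaintext']}")
    for cipher, n in rep["ciphers"].most_common():
        print(f"  {n:4d}  {cipher:35s} {'PFS' if has_pfs(cipher) else 'no PFS'}")
    print("clients that did not negotiate an ephemeral key exchange:")
    for user, rip, proto, cipher in sorted(rep["non_pfs_clients"]):
        print(f"  {user}@{rip} ({proto}, {cipher})")
```

Run it against a real log with `summarize(open("/var/log/dovecot.log").read())`; the `non_pfs_clients` set is the list of users and source addresses whose mail client offered no ephemeral suite the server accepts, which is exactly the population to chase before tightening `ssl_cipher_list` further.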


More information about the dovecot mailing list