[Dovecot] How to disable SSL and TLSv1.1?

Reindl Harald h.reindl at thelounge.net
Thu Sep 12 01:52:32 EEST 2013



On 12.09.2013 00:46, Darren Pilgrim wrote:
> On 9/9/2013 4:09 PM, Reindl Harald wrote:
>> On 09.09.2013 22:56, Darren Pilgrim wrote:
>>> I'm running Dovecot 2.2.5 and want to make it refuse SSLv2, SSLv3 and TLSv1.0.  Clients will opportunistically use
>>> TLS 1.1 and 1.2, but now I want to require they do so.  Is it enough to set
>>>
>>> ssl_cipher_list = HIGH:!SSLv2:!SSLv3:!TLSv1.0:!aNULL:!MD5
>>> or are there additional settings I need to specify?
>>
>> and what clients do you imagine to connect?
> 
> Thunderbird and a Webmail app

in that special case you may be lucky

>> on most widely used distributions you even have no openssl
>> version supporting TLS 1.2 and so you lock them all out
> 
> OpenSSL 1.0.1 supports TLS 1.2

and that is why I said most widely used does not

RHEL5:     openssl-0.9.8e
RHEL6:     openssl-1.0.0
Fedora 17: openssl-1.0.0k
Fedora 18: openssl-1.0.1e

if you have only a few users where you know OS and mail-client
this is doable, for any server with customers it is a no-go
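
Added example, not part of the original message: one way to find out which accounts a TLS 1.1 minimum would lock out is to count the protocol versions existing clients already negotiate. It assumes `login_log_format_elements` has been extended with `%k` so each login line records the protocol and cipher; the log lines, user names and addresses below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines, not real logs. Assumption: login_log_format_elements
# includes %k, so every TLS login line carries "<protocol> with cipher <name>".
SAMPLE_LOG = """\
Sep 11 09:01:12 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, mpid=4101, TLS, TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 11 09:03:40 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.22, lip=192.0.2.1, mpid=4107, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 11 09:05:02 mx dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, mpid=4111, TLS, TLSv1.1 with cipher AES128-SHA (128/128 bits)
Sep 11 09:07:55 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, mpid=4120, TLS, TLSv1 with cipher AES256-SHA (256/256 bits)
Sep 11 09:09:31 mx dovecot: imap-login: Login: user=<erin>, method=PLAIN, rip=192.0.2.30, lip=192.0.2.1, mpid=4126, TLS, SSLv3 with cipher RC4-SHA (128/128 bits)
Sep 11 09:10:03 mx dovecot: imap-login: Login: user=<webmail>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=4130, secured
"""

# User name and negotiated protocol from one successful login line.
LOGIN_RE = re.compile(
    r"Login: user=<(?P<user>[^>]*)>.*?"
    r"\b(?P<proto>SSLv[23]|TLSv1(?:\.[0-3])?) with cipher "
)

# Protocol names as OpenSSL reports them, oldest first.
ORDER = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def locked_out(log_text, minimum="TLSv1.1"):
    """Map each user to the protocols below `minimum` they logged in with.

    A user who also has a newer client still appears here, because the
    older device would stop working once the minimum is enforced.
    """
    below = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m is None:
            # Not a login line, or no TLS details logged (e.g. local "secured").
            continue
        if ORDER[m["proto"]] < ORDER[minimum]:
            below[m["user"]].add(m["proto"])
    return {user: sorted(protos, key=ORDER.get) for user, protos in below.items()}


if __name__ == "__main__":
    for user, protos in sorted(locked_out(SAMPLE_LOG).items()):
        print(f"{user}: would fail, seen with {', '.join(protos)}")
```

An empty result over a representative period of logs is the evidence that enforcing the minimum will not cut off existing clients.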
