[Dovecot] How to disable SSL and TLSv1.1?

Hans Spaans hans at dailystuff.nl
Thu Sep 12 18:46:33 EEST 2013

Patrick Lists schreef op 2013-09-12 09:23:
> Hi Noel,
> On 09/12/2013 08:54 AM, Noel Butler wrote:
> [snip]
>> I'm always of the belief that if one person wants a feature, they 
>> might
>> be the only vocal person, but they are never really alone, so post 
>> your
>> patch, Timo can only either pull it in, or decline it, as for its 
>> useful
>> for others, only time will tell, but  not even god will help those who
>> use it on a commercial network with paying customers - thats just 
>> plain
>> professional suicide.
> Unless it was clearly stated what the requirements are when they sign
> up. With NIST sleeping at the helm and the NSA having a field day it
> would not surprise me if businesses understand the importance of
> stronger encryption.

Why not turn it around? Why not tell the paying customer he is using an 
unencrypted connection or with options that are insecure. Parse the 
logfiles and make an additional section on the website where he/she can 
see from where he/she had a successful login and the security level? 
Make it red for unencrypted, orange/amber for insecure and green for a 
"secure" connection. Most people like to have everything in the green 
and you give them a choice what to do. Also the cost is almost nothing 
for doing this. You could even make it a service for companies who get a 
weekly/monthly PDF with an overview.

For now only Dovecot tells if it is a TLS-connection or not. Postfix for 
example already tells if it is TLSv1 connection and the cipher. If this 
could be extended then sysadmins have a way to make a decision about the 
path to follow or to advise to management.


More information about the dovecot mailing list