TLS config check

Rick Romero rick at havokmon.com
Fri Feb 6 21:50:24 UTC 2015


Quoting SW <dovecot at bsdpanic.com>:

> Hi All
>
> First the essentials:
>
> dovecot --version: 2.2.15
>
> /usr/local/etc/dovecot/conf.d/10-ssl.conf:
>
> ssl = required
>
> ssl_cert =
> </usr/local/openssl/certs/mail.domain.com.chained.dovecot.ecdsa.crt
>
> ssl_key = </usr/local/openssl/certs/mail.domain.com.ecdsa.key
>
> ssl_protocols = !SSLv2 !SSLv3
>
> ssl_cipher_list =
> HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:+DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:!AES128:!CAMELLIA128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:+AES256-SHA
>
> ssl_prefer_server_ciphers = yes
>
> I would really appreciate it if someone could tell me if my config is
> super secure? I run the following email clients:
>
> K9 on Android 4.4.2
> Thunderbird 31.4
> Outlook 2010
>
> I'm interested to know if the config I have is secure and that my cipher
> list is acceptable. I'm also keen to hear thoughts on my config in
> respect of Forward Secrecy and the SSLv3/POODLE attack.
> Thanks!

According to https://cipherli.st/
ssl = yes
ssl_cert = </etc/dovecot.cert
ssl_key = </etc/dovecot.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6
Is what you want. 
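A way to check both cipher strings from this thread offline, as an added example that is not part of the mailing-list thread and not Dovecot's own code. It asks the locally installed OpenSSL (through Python's ssl module) to expand each string exactly as Dovecot's OpenSSL would, lists the suites that still use static RSA key exchange (no forward secrecy) in the order a server with ssl_prefer_server_ciphers = yes would offer them, and checks that the ssl_protocols value really switches SSLv3 off. The function names (expand, forward_secret, non_forward_secret, sslv3_disabled, audit) are mine; the exact suite names and their order depend on the OpenSSL version Python is linked against, and OpenSSL 1.1.1 or later also lists the TLS 1.3 suites, which are configured separately.

```python
"""Offline audit of the two Dovecot 10-ssl.conf cipher strings in this thread.

Added example (not from the thread or from Dovecot). Results depend on the
OpenSSL version Python is linked against.
"""
import re
import ssl

# Inputs copied from the thread: the original poster's string and the
# cipherli.st string quoted in the reply.
ORIGINAL_POSTER = (
    "HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:"
    "ECDHE-RSA-AES256-SHA:+DHE-RSA-AES256-SHA:!AES256-SHA256:"
    "!AES256-GCM-SHA384:!CAMELLIA256-SHA:!AES128:!CAMELLIA128:!aNULL:!eNULL:"
    "!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:+AES256-SHA"
)
CIPHERLIST_ORG = "AES128+EECDH:AES128+EDH"

# What OpenSSL prints in the Kx= column for ephemeral key exchange.
EPHEMERAL_KX = {"ECDH", "DH"}


def expand(cipher_string):
    """Expand an OpenSSL cipher string into (name, protocol, kx) tuples in
    the order OpenSSL keeps them, i.e. the server's preference order when
    ssl_prefer_server_ciphers = yes. OpenSSL 1.1.1+ also reports the TLS 1.3
    suites (Kx=any). Raises ssl.SSLError if the string matches no cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    suites = []
    for c in ctx.get_ciphers():
        # description looks like "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1"
        m = re.search(r"Kx=(\S+)", c["description"])
        suites.append((c["name"], c["protocol"], m.group(1) if m else "?"))
    return suites


def forward_secret(protocol, kx):
    """TLS 1.3 suites always use ephemeral (EC)DH. For TLS 1.2 and older only
    Kx=ECDH (ECDHE) and Kx=DH (DHE) give forward secrecy; Kx=RSA encrypts the
    session key to the server's long-term key, so a later key compromise
    decrypts recorded traffic."""
    return protocol == "TLSv1.3" or kx in EPHEMERAL_KX


def non_forward_secret(cipher_string):
    """Names of negotiable suites without forward secrecy, in preference order."""
    return [name for name, proto, kx in expand(cipher_string)
            if not forward_secret(proto, kx)]


def sslv3_disabled(ssl_protocols):
    """Dovecot 2.2's ssl_protocols is a space-separated list; '!SSLv3'
    disables SSLv3 (POODLE). A bare 'SSLv3' token would enable it again."""
    tokens = ssl_protocols.split()
    return "!SSLv3" in tokens and "SSLv3" not in tokens


def audit(ssl_protocols, cipher_string):
    """Summarise one 10-ssl.conf: whether the cipher string is valid, SSLv3
    state, suite count, and the suites a client could still negotiate
    without forward secrecy."""
    try:
        suites = expand(cipher_string)
    except ssl.SSLError as e:
        return {"valid": False, "error": str(e)}
    weak = [n for n, p, kx in suites if not forward_secret(p, kx)]
    return {
        "valid": True,
        "sslv3_disabled": sslv3_disabled(ssl_protocols),
        "suites": len(suites),
        "non_forward_secret": weak,
    }


if __name__ == "__main__":
    for label, cs in (("original poster", ORIGINAL_POSTER),
                      ("cipherli.st", CIPHERLIST_ORG)):
        print(f"== {label} ==")
        for k, v in audit("!SSLv2 !SSLv3", cs).items():
            print(f"  {k}: {v}")
```

The point the expansion makes visible: the original poster's string ends with `+AES256-SHA`, which keeps the static-RSA suite AES256-SHA negotiable (it is only moved to the end), so a client that offers nothing else still gets a session without forward secrecy, whereas the cipherli.st string only ever matches ECDHE and DHE suites. Run the script on the mail server itself so the expansion uses the same OpenSSL that Dovecot links against.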

