Per-protocol ssl_protocols settings
Gionatan Danti
g.danti at assyoma.it
Wed Feb 11 18:06:41 UTC 2015
It is precisely what I need, thank you very much.
As a side note, I did not find any reference to the "local" (and "remote")
directive on the wiki (albeit man doveconf showed some references).
Where can I find documentation of all allowed directives?
Thanks again.
On 2015-02-09 14:54 Felix Zandanel wrote:
> I performed a quick test and it seems that the "ssl_protocols" setting
> is per-IP only and shared among all listeners defined for that
> address. As you want this setting to be active for one specific
> "inet_listener" only (with port 10995 in your case), dovecot would
> have to permit the "ssl_protocols" directive in that scope, which it
> doesn’t.
>
> As a workaround I suggest using a special, unused loopback address to
> which you can apply the distinct SSL settings. You could use
> iptables/NAT to forward all incoming traffic originating from your
> external IP on port 10995 to 127.0.0.2:10995 for example. Then
> configure the POP3 service with an "inet_listener" for 127.0.0.2:10995
> and use the "local" directive to set up the SSL protocols without
> touching global settings:
>
> local 127.0.0.2 {
>   ssl_protocols = !SSLv2
> }
>
> Regards,
> Felix Zandanel
>
>
>> On 09.02.2015 at 11:33, Gionatan Danti <g.danti at assyoma.it> wrote:
>>
>> Sorry for the bump...
>>
>> Does anyone know if it is possible to have multiple protocol instances
>> with different ssl_protocols settings?
>>
>> Regards.
>>
>> On 07/02/15 00:03, Gionatan Danti wrote:
>>> Hi all,
>>> anyone with some ideas?
>>>
>>> Thanks.
>>>
>>> On 2015-02-02 23:08 Gionatan Danti wrote:
>>>> Hi all,
>>>> I have a question regarding the "ssl_protocols" parameter.
>>>>
>>>> I understand that editing the 10-ssl.conf file I can set the
>>>> ssl_protocols variable as required.
>>>> At the same time, I can edit a single protocol file (e.g.
>>>> 20-pop3.conf) to set the ssl_protocols for a specific
>>>> protocol/listener.
>>>>
>>>> I wonder if (and how) I can create a different listener for another
>>>> POP3 instance, for example listening on port 10995, and using
>>>> another ssl_protocol setting.
>>>>
>>>> In short, I would like to create a different, firewalled pop3s
>>>> service enabling the SSLv3 stack, while disabling it at system-wide
>>>> settings.
>>>>
>>>> I am able to successfully create a new listener for port 10995, but
>>>> I don't understand how to associate the ssl_protocols value to the
>>>> new listener. Simply putting the ssl_protocols value into the
>>>> listener section gives me a configuration error.
>>>>
>>>> Thank you all.
>>>
>>
>> --
>> Danti Gionatan
>> Technical Support
>> Assyoma S.r.l. - www.assyoma.it
>> email: g.danti at assyoma.it - info at assyoma.it
>> GPG public key ID: FF5F32A8
--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8
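
A check for the workaround discussed in this thread, as an added example that is not part of the original messages or of Dovecot: it parses `doveconf -n`-style output and reports every scope where SSLv3 is enabled other than a loopback-only `local` block. The sample configuration and the listener name `pop3s-legacy` are constructed, and the way `ssl_protocols` is evaluated (positive entries restrict the set, `!` entries remove from it) is an assumption about Dovecot 2.2 behaviour.

```python
import ipaddress
import re

KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Constructed sample in the style of `doveconf -n` output (not from the thread).
SAMPLE = """\
ssl_protocols = !SSLv2 !SSLv3
service pop3-login {
  inet_listener pop3s-legacy {
    address = 127.0.0.2
    port = 10995
    ssl = yes
  }
}
local 127.0.0.2 {
  ssl_protocols = !SSLv2
}
"""

def enabled(value):
    """Protocols an ssl_protocols value leaves enabled (assumed semantics)."""
    tokens = value.split()
    include = {t for t in tokens if not t.startswith("!")}
    exclude = {t[1:] for t in tokens if t.startswith("!")}
    return (include or KNOWN) - exclude

def scopes(conf):
    """Yield (scope, value) for each explicit ssl_protocols setting."""
    stack = []
    for line in conf.splitlines():
        line = line.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif m := re.match(r"ssl_protocols\s*=\s*(.*)", line):
            yield (stack[-1] if stack else "global"), m.group(1)

def is_loopback(scope):
    """True only for `local <addr>` blocks whose address is within 127.0.0.0/8 or ::1."""
    if not scope.startswith("local "):
        return False
    try:
        return ipaddress.ip_network(scope.split()[1], strict=False).is_loopback
    except ValueError:
        return False  # hostname or unparsable address: treat as exposed

def audit(conf):
    """Scopes that enable SSLv3 outside a loopback-only local block."""
    return [s for s, v in scopes(conf) if "SSLv3" in enabled(v) and not is_loopback(s)]
```

Only explicit `ssl_protocols` lines are evaluated, so a scope that relies on the compiled-in default is not reported. Forwarding external traffic to 127.0.0.2 with iptables, as suggested above, normally also requires the kernel's `route_localnet` sysctl to be enabled on the receiving interface.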