dovecot on wheezy, best ssl configuration ?
ml at ruggedinbox.com
ml at ruggedinbox.com
Fri Jan 9 07:44:55 UTC 2015
Hi, thanks for your help.
The doveconf -n output follows:
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-042stab094.7 x86_64 Debian 7.7 simfs
# Both mechanisms carry the password in the clear inside the auth exchange, so
# they are only acceptable once TLS is up. disable_plaintext_auth is not in
# this output (presumably still at its default); it must be `yes` so the
# cleartext listeners on 143/110 below refuse these mechanisms until STARTTLS
# has completed -- TODO confirm with `doveconf disable_plaintext_auth`.
auth_mechanisms = plain login
# Verbose auth logging is useful while chasing the TLS handshake failure, but
# review debug.log before pasting it anywhere: it will contain usernames and
# client IPs.
auth_verbose = yes
debug_log_path = /var/log/dovecot/debug.log
default_client_limit = 8192
default_process_limit = 2048
director_username_hash = %Lu
dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -U
# Only uid/gid 5000 is valid, and mail_uid/mail_gid are `vmail` (presumably
# that same id). All mailboxes therefore share one owner, so per-user isolation
# rests on Dovecot's own checks rather than on filesystem permissions.
first_valid_gid = 5000
first_valid_uid = 5000
# NOTE(review): the `*` presumably returns every configured field to an IMAP
# ID request, which clients can issue before authenticating -- verify nothing
# you would rather not disclose (e.g. exact version) is included.
imap_id_send = name *
last_valid_gid = 5000
last_valid_uid = 5000
login_greeting = Welcome to ruggedinbox.com
mail_gid = vmail
mail_location =
maildir:/var/vmail/%d/%n/Maildir:INDEX=/var/vmail/%d/%n/Maildir/indexes
# Per-user, per-IP connection cap; keeps one client (or one attacker) from
# consuming the imap/pop3 process limits configured further down.
mail_max_userip_connections = 25
mail_privileged_group = vmail
mail_shared_explicit_inbox = no
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
# Password lookups go to MySQL. mysql.conf presumably holds the DB credentials
# and the password scheme; it should be root-owned and not world-readable --
# TODO confirm its mode, and confirm stored passwords use a salted/iterated
# scheme rather than PLAIN.
passdb {
args = /etc/dovecot/mysql.conf
driver = sql
}
postmaster_address = postmaster at ruggedinbox.com
# `sieve` enables ManageSieve, but no `service managesieve-login` block appears
# in this output, so that listener (presumably port 4190) runs entirely on
# defaults -- TODO confirm its TLS/auth posture matches the imap/pop3 login
# services configured below.
protocols = imap pop3 sieve
replication_full_sync_interval = 1 days
service auth {
client_limit = 0
drop_priv_before_exec = no
executable = auth
idle_kill = 0
process_limit = 1
process_min_avail = 0
service_count = 0
# SASL socket for Postfix, inside the Postfix chroot and restricted to the
# postfix user/group (0660). This is as tight as it should be; keep it so.
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-client {
mode = 0600
}
unix_listener auth-login {
mode = 0600
user = $default_internal_user
}
unix_listener auth-master {
mode = 0600
}
# World-accessible (0666) userdb lookup socket. The LDA below is pointed at it
# via auth_socket_path, which is presumably why it is open this wide. On a host
# with untrusted local accounts, prefer a dedicated group and 0660 -- TODO
# confirm which users actually need to reach it.
unix_listener auth-userdb {
mode = 0666
user = $default_internal_user
}
unix_listener login/login {
mode = 0666
}
user = $default_internal_user
vsz_limit = 128 M
}
# Pre-auth IMAP processes: chrooted, unprivileged login user, one connection
# per process (service_count = 1). This limits what a compromised login
# process can reach; keep these three settings as they are.
service imap-login {
chroot = login
client_limit = 0
drop_priv_before_exec = no
executable = imap-login
idle_kill = 0
# Cleartext on connect; TLS here depends on the client issuing STARTTLS.
# Given auth_mechanisms = plain login above, disable_plaintext_auth must remain
# at `yes` so nothing is accepted on this port before the upgrade -- TODO confirm.
inet_listener imap {
port = 143
ssl = no
}
# Implicit TLS on connect. The claws-mail "no shared cipher" failure quoted in
# the thread was logged by pop3-login on the equivalent listener (995); the same
# client mode would presumably hit this one for IMAP.
inet_listener imaps {
port = 993
ssl = yes
}
process_limit = 0
process_min_avail = 0
protocol = imap
service_count = 1
type = login
user = $default_login_user
vsz_limit = 128 M
}
# Post-auth IMAP processes, one client each (client_limit = 1,
# service_count = 1), capped at 1024 concurrent.
service imap {
client_limit = 1
drop_priv_before_exec = no
executable = imap
idle_kill = 0
process_limit = 1024
process_min_avail = 0
protocol = imap
service_count = 1
# user/group are left empty here (presumably inheriting the service defaults);
# 0666 matches the login/pop3 socket below, which is presumably what the
# login processes in the `login` chroot need to reach it.
unix_listener login/imap {
group =
mode = 0666
user =
}
vsz_limit = 128 M
}
# LMTP delivery; only a local unix socket is defined, no inet_listener, so
# this is not reachable from the network.
service lmtp {
client_limit = 1
drop_priv_before_exec = no
executable = lmtp
idle_kill = 0
process_limit = 0
process_min_avail = 0
protocol = lmtp
service_count = 0
# 0666 socket: any local process can submit mail through it -- TODO confirm
# whether Postfix is the only intended client and tighten with user/group if so.
unix_listener lmtp {
mode = 0666
}
vsz_limit = 128 M
}
# Pre-auth POP3 processes, hardened the same way as imap-login (chroot,
# unprivileged user, one connection per process).
service pop3-login {
chroot = login
client_limit = 0
drop_priv_before_exec = no
executable = pop3-login
idle_kill = 0
# Cleartext on connect; relies on STARTTLS plus disable_plaintext_auth = yes
# (not shown, presumably default) to keep plain/login credentials off the wire
# -- TODO confirm.
inet_listener pop3 {
port = 110
ssl = no
}
# Implicit TLS. This is the listener behind the logged
# "SSL3_GET_CLIENT_HELLO:no shared cipher" disconnect from claws-mail: the
# ClientHello itself is rejected, i.e. no protocol/cipher both sides accept.
inet_listener pop3s {
port = 995
ssl = yes
}
process_limit = 0
process_min_avail = 0
protocol = pop3
service_count = 1
type = login
user = $default_login_user
vsz_limit = 128 M
}
# Post-auth POP3 processes, one client each, capped at 1024 concurrent.
service pop3 {
client_limit = 1
drop_priv_before_exec = no
executable = pop3
idle_kill = 0
process_limit = 1024
process_min_avail = 0
protocol = pop3
service_count = 1
# Same 0666 socket shape as login/imap above.
unix_listener login/pop3 {
mode = 0666
}
vsz_limit = 128 M
}
shutdown_clients = no
# TLS material is shared with Postfix (same cert/key files). The private key
# should be readable by root only; in particular it must not be readable by the
# uid used for mail (5000 / vmail) -- TODO confirm file modes.
ssl_cert = </etc/ssl2/certs/postfix.pem
ssl_key = </etc/ssl2/private/postfix.key
# This is the correct POODLE mitigation on Dovecot 2.1: SSLv2 and SSLv3 are
# excluded, leaving whatever TLS versions the system OpenSSL supports. Do not
# re-enable SSLv3 to accommodate one client. The "no shared cipher" failure
# seen only from claws-mail is consistent with that client offering an
# SSLv3-only handshake (or only SSLv3-era ciphers) on the implicit-TLS ports
# 993/995 -- TODO confirm by capturing its ClientHello and by testing the
# client in STARTTLS mode on 143/110; if so, the fix belongs on the client.
# NOTE(review): no ssl_cipher_list is set, so the default list is in use.
# Consider pinning an explicit list that excludes aNULL, eNULL, EXPORT, LOW,
# MD5 and RC4, then re-test against the clients you support.
ssl_protocols = !SSLv2 !SSLv3
# User lookups share the MySQL configuration used by passdb above; the same
# file-permission caveat applies to mysql.conf.
userdb {
args = /etc/dovecot/mysql.conf
driver = sql
}
# Local delivery agent settings. It resolves users over the auth-userdb socket
# defined in `service auth`, which is the reason that socket is world-accessible
# -- whatever user runs the LDA must be able to open it.
protocol lda {
auth_socket_path = /var/run/dovecot/auth-userdb
# Separate delivery log; sieve is the only plugin loaded for delivery.
log_path = /var/log/dovecot/dovecot-deliver.log
mail_plugins = sieve
postmaster_address = postmaster at ruggedinbox.com
}
Thanks and regards,
RuggedInbox team
On 2015-01-09 07:38, Charles Marcus wrote:
> doveconf -n output?
>
> On 1/9/2015 2:07 AM, ml at ruggedinbox.com <ml at ruggedinbox.com> wrote:
>> Hi all, when hardening dovecot against the POODLE vulnerability,
>> we followed the advice to disable SSLv2 and SSLv3,
>> but this is causing problems with some email clients (claws-mail).
>>
>> ssl_protocols = !SSLv2 !SSLv3
>>
>> results in the following error:
>>
>> dovecot: pop3-login: Disconnected (no auth attempts in 1 secs):
>> user=<>,
>> rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed:
>> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher,
>> session=<2C8jBjIMmQBVGNd1>
>>
>> Our SMTP server is Postfix; can you please suggest a better
>> 'ssl_protocols' and 'ssl_cipher_list' configuration?
>> We are running Debian 7 Wheezy
>>
>> Thank you,
>> RuggedInbox team
>>