dovecot on wheezy, best ssl configuration?

ml at ruggedinbox.com ml at ruggedinbox.com
Fri Jan 9 07:44:55 UTC 2015


Hi, thanks for your help;
the doveconf -n output follows:


# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-042stab094.7 x86_64 Debian 7.7 simfs
# NOTE(review): this is doveconf -n output, which leaves out settings that
# are still at their build defaults. Anything not listed here (for example
# ssl_cipher_list and disable_plaintext_auth) is running at the 2.1.7
# default; check an individual value with `doveconf <name>` rather than
# assuming it.
# Both mechanisms transmit the password itself, so they are only as safe as
# the session they run over. disable_plaintext_auth (not shown, so at its
# default of yes) is what refuses them on an unencrypted, non-local
# connection — confirm with `doveconf disable_plaintext_auth`.
auth_mechanisms = plain login
# Logs failed authentication attempts; useful input for lockout/alerting.
auth_verbose = yes
debug_log_path = /var/log/dovecot/debug.log
default_client_limit = 8192
default_process_limit = 2048
director_username_hash = %Lu
# dsync replication transport over ssh; only exercised if a replicator is
# actually configured (not visible in this output).
dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -U
# All mailboxes are owned by the single virtual uid/gid 5000 (vmail below),
# so the valid-uid window is pinned to that one account.
first_valid_gid = 5000
first_valid_uid = 5000
imap_id_send = name *
last_valid_gid = 5000
last_valid_uid = 5000
login_greeting = Welcome to ruggedinbox.com
mail_gid = vmail
# The list archive wrapped this value; in the real file it is one line.
mail_location = 
maildir:/var/vmail/%d/%n/Maildir:INDEX=/var/vmail/%d/%n/Maildir/indexes
mail_max_userip_connections = 25
mail_privileged_group = vmail
mail_shared_explicit_inbox = no
mail_uid = vmail
managesieve_notify_capability = mailto
# Also a single (wrapped) line in the real file.
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date ihave
# SQL password backend. The database credentials live in mysql.conf, not
# here; that file is read by the auth service, so it should be readable
# only by root and the auth service's user ($default_internal_user below).
passdb {
   args = /etc/dovecot/mysql.conf
   driver = sql
}
# "at" here is the list archive's rendering of "@".
postmaster_address = postmaster at ruggedinbox.com
protocols = imap pop3 sieve
replication_full_sync_interval = 1 days
service auth {
   client_limit = 0
   drop_priv_before_exec = no
   executable = auth
   idle_kill = 0
   process_limit = 1
   process_min_avail = 0
   service_count = 0
   # SASL socket for postfix; 0660 restricts it to the postfix account.
   unix_listener /var/spool/postfix/private/auth {
     group = postfix
     mode = 0660
     user = postfix
   }
   unix_listener auth-client {
     mode = 0600
   }
   unix_listener auth-login {
     mode = 0600
     user = $default_internal_user
   }
   unix_listener auth-master {
     mode = 0600
   }
   # 0666 lets any local account perform userdb lookups through this socket.
   # This matches the stock 2.x example config but is worth tightening on a
   # host with untrusted local users.
   unix_listener auth-userdb {
     mode = 0666
     user = $default_internal_user
   }
   unix_listener login/login {
     mode = 0666
   }
   # The auth service itself runs as the unprivileged internal user.
   user = $default_internal_user
   vsz_limit = 128 M
}
service imap-login {
   # Login processes are chrooted and run as the unprivileged login user;
   # service_count = 1 means each process handles a single connection.
   chroot = login
   client_limit = 0
   drop_priv_before_exec = no
   executable = imap-login
   idle_kill = 0
   inet_listener imap {
     port = 143
     # No implicit TLS on 143. STARTTLS is still offered because ssl_cert and
     # ssl_key are set globally; authentication before STARTTLS is governed by
     # disable_plaintext_auth (see note at top).
     ssl = no
   }
   inet_listener imaps {
     port = 993
     # Implicit TLS from the first byte.
     ssl = yes
   }
   process_limit = 0
   process_min_avail = 0
   protocol = imap
   service_count = 1
   type = login
   user = $default_login_user
   vsz_limit = 128 M
}
service imap {
   # Post-login IMAP process; one connection per process, up to 1024 of them.
   client_limit = 1
   drop_priv_before_exec = no
   executable = imap
   idle_kill = 0
   process_limit = 1024
   process_min_avail = 0
   protocol = imap
   service_count = 1
   unix_listener login/imap {
     group =
     mode = 0666
     user =
   }
   vsz_limit = 128 M
}
service lmtp {
   # Local delivery from the MTA over the lmtp unix socket.
   client_limit = 1
   drop_priv_before_exec = no
   executable = lmtp
   idle_kill = 0
   process_limit = 0
   process_min_avail = 0
   protocol = lmtp
   service_count = 0
   unix_listener lmtp {
     mode = 0666
   }
   vsz_limit = 128 M
}
service pop3-login {
   # Same shape as imap-login: chrooted, unprivileged, one connection each.
   chroot = login
   client_limit = 0
   drop_priv_before_exec = no
   executable = pop3-login
   idle_kill = 0
   inet_listener pop3 {
     port = 110
     # No implicit TLS on 110; STARTTLS remains available (see imap above).
     ssl = no
   }
   inet_listener pop3s {
     port = 995
     # Implicit TLS from the first byte.
     ssl = yes
   }
   process_limit = 0
   process_min_avail = 0
   protocol = pop3
   service_count = 1
   type = login
   user = $default_login_user
   vsz_limit = 128 M
}
service pop3 {
   # Post-login POP3 process, same limits as the imap service.
   client_limit = 1
   drop_priv_before_exec = no
   executable = pop3
   idle_kill = 0
   process_limit = 1024
   process_min_avail = 0
   protocol = pop3
   service_count = 1
   unix_listener login/pop3 {
     mode = 0666
   }
   vsz_limit = 128 M
}
# Existing client connections are kept alive across a dovecot restart. Note
# this also means a restart after an SSL/cipher change does not cut over
# sessions that are already established.
shutdown_clients = no
# The leading "<" reads the file contents at startup. The key file should be
# readable by root only. The file names suggest the cert/key are shared with
# postfix — fine, provided both daemons are reloaded together when renewed.
ssl_cert = </etc/ssl2/certs/postfix.pem
ssl_key = </etc/ssl2/private/postfix.key
# Disables SSLv2 and SSLv3 (the POODLE mitigation), leaving TLSv1.0 and
# whatever newer versions this OpenSSL build supports. The "no shared cipher"
# error quoted in the thread typically means there is no overlap between the
# client's cipher offer and the server's cipher list (or the cert/key cannot
# be used with the offered suites); that list is ssl_cipher_list, which is
# not set here and so sits at the 2.1.7 default. Inspect it with
# `doveconf ssl_cipher_list` and expand it with `openssl ciphers -v '<list>'`
# before changing it.
ssl_protocols = !SSLv2 !SSLv3
# SQL user backend, same credentials file as passdb above.
userdb {
   args = /etc/dovecot/mysql.conf
   driver = sql
}
protocol lda {
   # dovecot-lda talks to the world-accessible auth-userdb socket defined in
   # service auth above.
   auth_socket_path = /var/run/dovecot/auth-userdb
   log_path = /var/log/dovecot/dovecot-deliver.log
   mail_plugins = sieve
   postmaster_address = postmaster at ruggedinbox.com
}


Thanks and regards,
RuggedInbox team



On 2015-01-09 07:38, Charles Marcus wrote:
> doveconf -n output?
> 
> On 1/9/2015 2:07 AM, ml at ruggedinbox.com <ml at ruggedinbox.com> wrote:
>> Hi all, when hardening dovecot against the POODLE vulnerability,
>> we followed the advice to disable SSLv2 and SSLv3,
>> but this is causing problems with some email clients (claws-mail).
>> 
>> ssl_protocols = !SSLv2 !SSLv3
>> 
>> results in the following error:
>> 
>> dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): 
>> user=<>,
>> rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed:
>> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher,
>> session=<2C8jBjIMmQBVGNd1>
>> 
>> Our SMTP server is Postfix; can you please suggest a better
>> 'ssl_protocols' and 'ssl_cipher_list' configuration?
>> We are running Debian 7 Wheezy
>> 
>> Thank you,
>> RuggedInbox team
>> 


