dovecot on wheezy, best ssl configuration?

Philipp Resch philipp at devh.de
Fri Jan 9 07:50:12 UTC 2015


On 09.01.2015 at 08:07, ml at ruggedinbox.com wrote:
> Hi all, when hardening dovecot against the POODLE vulnerability,
> we followed the advice to disable SSL2 and SSL3
> but this is giving problems with some email clients (claws-mail).
> 
> ssl_protocols = !SSLv2 !SSLv3
> 
> results in the following error:
> 
> dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>,
> rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed:
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher,
> session=<2C8jBjIMmQBVGNd1>
> 
> Our smtp server is postfix, can you please suggest a better
> 'ssl_protocols' and 'ssl_cipher_list' configuration?
> We are running Debian 7 Wheezy
> 
> Thank you,
> RuggedInbox team

Hi,

this is my config on Wheezy. I don't know if it's 'best', but it works
for us:

# SSL protocols to use
ssl_protocols = !SSLv2 !SSLv3
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2


Cheers,
Philipp
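The cipher list Philipp posted, run through a small review script (an added example, not part of the thread): it splits each OpenSSL suite name into key exchange, bulk cipher and hash, and flags the suites without forward secrecy, the 3DES suites and the SHA-1 HMAC suites, in the order ssl_prefer_server_ciphers = yes would offer them. The list constant is copied from the message above; the function names and issue labels are assumptions of this example.

```python
# Added example, not from the thread: review Philipp's ssl_cipher_list by
# splitting each OpenSSL suite name into key exchange, bulk cipher and hash.
# The list is copied from the message; function names and labels are mine.

SSL_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:"
    "DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:"
    "CAMELLIA128-SHA:CAMELLIA256-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2"
)


def parse_suite(name):
    """Split an OpenSSL suite name into (key exchange, bulk cipher, hash)."""
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE"):       # ephemeral DH: forward secrecy
        kx, rest = parts[0] + "-" + parts[1], parts[2:]
    else:                                   # no prefix: static RSA key exchange
        kx, rest = "RSA", parts
    # Last token is the HMAC hash for CBC suites and the PRF for GCM suites.
    return kx, "-".join(rest[:-1]), rest[-1]


def audit(cipher_list):
    """Return [(suite, [issues])] in the order the server prefers them."""
    findings = []
    for entry in cipher_list.split(":"):
        if entry[0] in "!-+":               # cipher-string modifier (the
            continue                        # trailing !SSLv2), not a suite
        kx, bulk, hsh = parse_suite(entry)
        issues = []
        if kx == "RSA":
            issues.append("no forward secrecy")
        if bulk == "DES-CBC3":
            issues.append("3DES")
        if hsh == "SHA" and "GCM" not in bulk:
            issues.append("SHA-1 HMAC")
        findings.append((entry, issues))
    return findings


if __name__ == "__main__":
    for suite, issues in audit(SSL_CIPHER_LIST):
        print(f"{suite:30} {', '.join(issues) or 'ok'}")
```

The last entries in the list are exactly the ones an old client that still reports "no shared cipher" would fall back to, so the output shows what you give up by keeping them.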


