dovecot on wheezy, best ssl configuration ?

ml at ruggedinbox.com ml at ruggedinbox.com
Fri Jan 9 07:58:22 UTC 2015


Hi, thanks for your help!
Trying to set the same parameters as yours, restarting dovecot gives the 
error:

doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf 
line 136: Unknown setting: ssl_prefer_server_ciphers
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf 
line 136: Unknown setting: ssl_prefer_server_ciphers
[....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error 
in configuration file /etc/dovecot/dovecot.conf line 136: Unknown 
setting: ssl_prefer_server_ciphers
doveconf: Error: managesieve-login: dump-capability process returned 89
doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf 
line 136: Unknown setting: ssl_prefer_server_ciphers

and if I comment out the line with 'ssl_prefer_server_ciphers', 
dovecot restarts fine, but the same problem as before remains: claws-mail 
can't connect.

The dovecot version is 2.1.7.

Any hints?


On 2015-01-09 07:50, Philipp Resch wrote:
> Am 09.01.2015 um 08:07 schrieb ml at ruggedinbox.com:
>> Hi all, when hardening dovecot against the POODLE vulnerability,
>> we followed the advice to disable SSL2 and SSL3,
>> but this is giving problems with some email clients (claws-mail).
>> 
>> ssl_protocols = !SSLv2 !SSLv3
>> 
>> results in the following error:
>> 
>> dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): 
>> user=<>,
>> rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed:
>> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher,
>> session=<2C8jBjIMmQBVGNd1>
>> 
>> Our smtp server is postfix, can you please suggest a better
>> 'ssl_protocols' and 'ssl_cipher_list' configuration ?
>> We are running Debian 7 Wheezy
>> 
>> Thank you,
>> RuggedInbox team
> 
> Hi,
> 
> this is my config on Wheezy. I don't know if it's 'best', but it works
> for us:
> 
> # SSL protocols to use
> ssl_protocols = !SSLv2 !SSLv3
> # Prefer the server's order of ciphers over client's.
> ssl_prefer_server_ciphers = yes
> ssl_cipher_list =
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2
> 
> 
> Cheers,
> Philipp
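
The "no shared cipher" failure quoted above is a negotiation problem: the client offered none of the suites the server's list allows, so the handshake fails before any authentication. The following Python script is an added example for this thread, not Dovecot or OpenSSL code. It parses the ssl_cipher_list posted above, flags suites that use 3DES or lack forward secrecy, and simulates the server's choice under server-preference ordering (what ssl_prefer_server_ciphers = yes requests; the 2.1.7 error above shows that version does not know the setting) versus client-preference ordering (OpenSSL's default when the server does not request its own preference). The two client profiles at the bottom are constructed for illustration only and are not measurements of claws-mail or any other real client.

```python
"""Offline model of an OpenSSL-style cipher list and of suite negotiation.

Added example for this thread, not Dovecot or OpenSSL code.  It parses the
ssl_cipher_list string posted in the thread, classifies each suite from its
OpenSSL name, and simulates the server-side choice so a "no shared cipher"
failure can be reasoned about without touching the server.
"""
import re

# Copied from the thread: the posted ssl_cipher_list (sample input).
THREAD_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:"
    "DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:"
    "CAMELLIA128-SHA:CAMELLIA256-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2"
)

# Simplified grammar of the OpenSSL names seen in such lists.  No key-exchange
# prefix means static RSA key exchange.  For GCM suites the trailing hash is
# the PRF rather than an HMAC, but the name is structured the same way.
CIPHER_RE = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE)-RSA-)?"
    r"(?P<bulk>AES128|AES256|CAMELLIA128|CAMELLIA256|DES-CBC3|RC4)"
    r"(?:-(?P<mode>GCM))?"
    r"-(?P<mac>SHA256|SHA384|SHA|MD5)$"
)


def parse_cipher_list(spec):
    """Split 'A:B:!C' into an ordered list of enabled suites and the set of
    '!'-excluded tokens ('!SSLv2' in the thread excludes all SSLv2 suites)."""
    enabled, excluded = [], set()
    for tok in spec.split(":"):
        tok = tok.strip()
        if not tok:
            continue
        if tok.startswith("!"):
            excluded.add(tok[1:])
        else:
            enabled.append(tok)
    return enabled, excluded


def describe(name):
    """Classify one OpenSSL suite name (ValueError outside the grammar above)."""
    m = CIPHER_RE.match(name)
    if not m:
        raise ValueError("unrecognised cipher name: %s" % name)
    kx = m.group("kx") or "RSA"
    return {
        "kx": kx,
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        "bulk": m.group("bulk"),
        "aead": m.group("mode") == "GCM",
        "mac": m.group("mac"),
    }


def audit(spec):
    """Return {suite: [concerns]} for every enabled suite in spec."""
    report = {}
    for name in parse_cipher_list(spec)[0]:
        try:
            d = describe(name)
        except ValueError:
            report[name] = ["not classified"]
            continue
        concerns = []
        if d["bulk"] == "DES-CBC3":
            concerns.append("3DES (64-bit block)")
        if d["bulk"] == "RC4":
            concerns.append("RC4")
        if not d["forward_secrecy"]:
            concerns.append("no forward secrecy (static RSA key exchange)")
        if d["mac"] == "MD5":
            concerns.append("MD5 MAC")
        report[name] = concerns
    return report


def drop(spec, predicate):
    """Rebuild spec without enabled suites for which predicate(describe(name))
    holds; '!' tokens are preserved."""
    enabled, excluded = parse_cipher_list(spec)
    kept = [n for n in enabled if not predicate(describe(n))]
    return ":".join(kept + ["!" + x for x in sorted(excluded)])


def negotiate(server_spec, client_offered, prefer_server=True):
    """Return the suite a server would pick, or None for "no shared cipher".

    prefer_server=True: first suite in the server's order that the client
    also offered.  False: the client's order decides (OpenSSL's default
    when the server does not ask for its own preference)."""
    enabled, excluded = parse_cipher_list(server_spec)
    server = [s for s in enabled if s not in excluded]
    client = list(client_offered)
    first, second = (server, client) if prefer_server else (client, server)
    shared = [c for c in first if c in second]
    return shared[0] if shared else None


# Constructed client profiles for illustration; not real client data.
MODERN_CLIENT = ["ECDHE-RSA-AES256-GCM-SHA384",
                 "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
LEGACY_CLIENT = ["RC4-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for name, concerns in audit(THREAD_CIPHER_LIST).items():
        print("%-28s %s" % (name, "; ".join(concerns) or "ok"))
    strict = drop(THREAD_CIPHER_LIST, lambda d: d["bulk"] == "DES-CBC3")
    for label, spec in (("thread list", THREAD_CIPHER_LIST), ("no 3DES", strict)):
        for who, offered in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
            print(label, who, "->", negotiate(spec, offered) or "no shared cipher")
```

Run it with python3 and compare the two tables: with the posted list the constructed legacy client still gets DES-CBC3-SHA, and removing the 3DES suites turns that into the same "no shared cipher" outcome the log above shows. That is the trade-off behind the question in the thread: every suite removed for hardening is a client that may stop connecting, so check which suites the failing client actually offers (for example with a packet capture of its ClientHello) before deciding whether the server or the client should change.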


