dovecot on wheezy, best ssl configuration ?

Philipp Resch philipp at devh.de
Fri Jan 9 08:06:16 UTC 2015


Am 09.01.2015 um 08:58 schrieb ml at ruggedinbox.com:
> Hi thanks for your help!
> Trying to set your same parameters, when restarting dovecot, gives the
> error:
> 
> doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf
> line 136: Unknown setting: ssl_prefer_server_ciphers
> doveconf: Error: managesieve-login: dump-capability process returned 89
> doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf
> line 136: Unknown setting: ssl_prefer_server_ciphers
> [....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error
> in configuration file /etc/dovecot/dovecot.conf line 136: Unknown
> setting: ssl_prefer_server_ciphers
> doveconf: Error: managesieve-login: dump-capability process returned 89
> doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf
> line 136: Unknown setting: ssl_prefer_server_ciphers
> 
> and if we comment out the line with 'ssl_prefer_server_ciphers',
> dovecot restarts fine, but we get the same problem as before: claws-mail can't connect.
> 
> dovecot version is 2.1.7
> 
> any hints ?
> 
> 
> On 2015-01-09 07:50, Philipp Resch wrote:
>> Am 09.01.2015 um 08:07 schrieb ml at ruggedinbox.com:
>>> Hi all, when hardening dovecot against the POODLE vulnerability,
>>> we followed the advice to disable SSL2 and SSL3
>>> but this is giving problems with some email clients (claws-mail).
>>>
>>> ssl_protocols = !SSLv2 !SSLv3
>>>
>>> results in the following error:
>>>
>>> dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>,
>>> rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed:
>>> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher,
>>> session=<2C8jBjIMmQBVGNd1>
>>>
>>> Our smtp server is postfix, can you please suggest a better
>>> 'ssl_protocols' and 'ssl_cipher_list' configuration ?
>>> We are running Debian 7 Wheezy
>>>
>>> Thank you,
>>> RuggedInbox team
>>
>> Hi,
>>
>> this is my config on Wheezy. I don't know if it's 'best', but it works
>> for us:
>>
>> # SSL protocols to use
>> ssl_protocols = !SSLv2 !SSLv3
>> # Prefer the server's order of ciphers over client's.
>> ssl_prefer_server_ciphers = yes
>> ssl_cipher_list =
>> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2
>>
>>
>>
>> Cheers,
>> Philipp

Hi,

yes, the ssl_prefer_server_ciphers setting was introduced in 2.2.x

It seems as if Claws Mail is preferring SSLv3; have you tried connecting
with another client (e.g. Thunderbird)? If that works, you might want to
check with the CM devs...

Cheers,
Philipp
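The two failure modes discussed in this thread (a client whose protocol versions no longer overlap the server's after `!SSLv2 !SSLv3`, and a client whose ciphers do not overlap `ssl_cipher_list`, which is what OpenSSL reports as "no shared cipher") can be reproduced offline before touching a live server. The script below is an added example, not code from the thread, Dovecot or Claws Mail. It takes the `ssl_protocols` and `ssl_cipher_list` values posted above, expands the cipher string with the local OpenSSL through Python's `ssl` module exactly as a server would, and checks it against a few constructed client profiles (the protocol-token model of `ssl_protocols` and the client profiles are assumptions for illustration, not measurements of any real client). The `prefer_server_ciphers` flag shows what `ssl_prefer_server_ciphers`, which Dovecot 2.1.7 does not have, would change in the selected suite.

```python
"""Offline check of a Dovecot ssl_protocols / ssl_cipher_list pair against a
client's capabilities, reproducing the two ways the handshake in the thread
can fail.  Added example; the protocol-token model and the client profiles
are assumptions, not Dovecot or Claws Mail code."""
import ssl

# Assumption: ssl_protocols tokens as used by Dovecot 2.1/2.2: "!X" excludes X,
# a bare token enables only the listed versions, and a setting made solely of
# exclusions enables everything else.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# The settings posted in the thread (ssl_cipher_list split only for readability).
SERVER_SSL_PROTOCOLS = "!SSLv2 !SSLv3"
SERVER_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:"
    "DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:"
    "CAMELLIA128-SHA:CAMELLIA256-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2"
)


def parse_ssl_protocols(setting):
    """Return the set of protocol versions an ssl_protocols value permits."""
    enabled, excluded = set(), set()
    for token in setting.split():
        if token.startswith("!"):
            excluded.add(token[1:])
        else:
            enabled.add(token)
    if not enabled:                       # only exclusions were given
        enabled = set(KNOWN_PROTOCOLS)
    return enabled - excluded


def expand_cipher_list(cipher_string):
    """Expand an OpenSSL cipher string into the ordered suite names the local
    OpenSSL really offers for it.  Names and aliases OpenSSL does not know
    (DES-CBC3-SHA is not built by default since OpenSSL 1.1.0; SSLv2 is gone)
    are skipped, so the result can be shorter than the string; an empty result
    makes set_ciphers() raise ssl.SSLError.  TLS 1.3 suites are configured
    separately in OpenSSL and are dropped so the list matches a TLS <= 1.2
    server such as Dovecot 2.1 on Wheezy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiate(server_protocols, server_cipher_list,
              client_protocols, client_ciphers, prefer_server_ciphers=True):
    """Decide the handshake outcome the way the server does: first a common
    protocol version, then a shared cipher, taken in the server's order when
    prefer_server_ciphers is set and in the client's order otherwise.
    Returns (chosen_cipher_or_None, reason)."""
    if not parse_ssl_protocols(server_protocols) & set(client_protocols):
        return None, "no common protocol version"
    server_ciphers = expand_cipher_list(server_cipher_list)
    if prefer_server_ciphers:
        shared = [c for c in server_ciphers if c in client_ciphers]
    else:
        shared = [c for c in client_ciphers if c in server_ciphers]
    if not shared:
        return None, "no shared cipher"
    return shared[0], "ok"


# Constructed client profiles: (protocol versions offered, cipher names offered).
# Assumptions for illustration, not measurements of any real mail client.
CLIENTS = {
    "SSLv3-only client": (["SSLv3"], ["AES128-SHA", "DES-CBC3-SHA"]),
    "TLS client with RC4 only": (["TLSv1"], ["RC4-SHA", "RC4-MD5"]),
    "modern TLS 1.2 client": (["TLSv1.2"],
                              ["ECDHE-RSA-AES256-GCM-SHA384",
                               "ECDHE-RSA-AES128-GCM-SHA256"]),
}


def report(prefer_server_ciphers=True):
    """Run every constructed client against the posted server settings."""
    return {name: negotiate(SERVER_SSL_PROTOCOLS, SERVER_CIPHER_LIST,
                            protocols, ciphers, prefer_server_ciphers)
            for name, (protocols, ciphers) in CLIENTS.items()}


if __name__ == "__main__":
    for name, (cipher, reason) in report().items():
        print(f"{name:28s} -> {cipher or reason}")
```

Run it with `python3` and it prints one line per client: the SSLv3-only client is refused on protocol version before any cipher is looked at, the RC4-only client gets the "no shared cipher" outcome from the log excerpt above, and the modern client is given the first entry of the server's list (ECDHE-RSA-AES128-GCM-SHA256) with server preference but its own first choice (ECDHE-RSA-AES256-GCM-SHA384) without it. Because the expansion uses the OpenSSL on the machine running the script, the suites it reports can differ from what Wheezy's OpenSSL 1.0.1 offered; to see the exact list a Dovecot host exposes, run `openssl ciphers -v '<cipher string>'` on that host with the same string.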
