confused with ssl settings and some error - need help

Aki Tuomi aki.tuomi at dovecot.fi
Thu Apr 27 09:25:31 EEST 2017 

> On April 27, 2017 at 8:12 AM Poliman - Serwis <serwis at poliman.pl> wrote:
> 
> 
> Hi,
> To default dovecot.conf file I added (based on found documentation):
> ssl = required
> disable_plaintext_auth = yes     #change default 'no' to 'yes'
> ssl_prefer_server_ciphers = yes
> ssl_options = no_compression
> ssl_dh_parameters_length = 2048
> ssl_cipher_list =
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> 

This looks rather cumbersome way to define ciphers.

> 1. Are these settings good or can be improved?
> 2. Is this line proper:
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

Well if you only want to support TLSv1.2, which might lead into trouble.

> or maybe should be:
> ssl_protocols = !SSLv2 !SSLv3
> 3. Last thing. I have below errors (they appear in loop in mail.err log
> file):
> #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
> #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
> mac
> #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

This means your client did not support your enabled ciphers.

> 
> When I setup in postfix main.cf file (other lines default):
> tls_ssl_options = no_ticket, no_compression
> tls_preempt_cipherlist = yes
> smtpd_sasl_security_options=noanonymous,noplaintext
> smtpd_sasl_tls_security_options=noanonymous,noplaintext
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
> #instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I don't
> know what should be setup
> smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
> aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
> smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
> EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
> 
> Is between dovecot and postfix some communication using above ciphers or
> something that generate that errors in log or maybe some public client try
> connect and can't establish connection?
> 

If you are using LMTP, then some of those settings will cause changes in how LMTP works as well.


> Server with Ubuntu 16.04 LTS, postfix 3.1 and dovecot 2.2.22 and openssl
> 1.0.2k.
> -- 
> 
> *Pozdrawiam / Best Regards*
> *Piotr Bracha*
> 
> 
> 
> 
> *tel. 534 555 877*
> 
> *serwis at poliman.pl <serwis at poliman.pl>*

Aki

More information about the dovecot mailing list