TLS Security

justina colmena ~biz justina at colmena.biz
Wed Jul 14 19:50:44 EEST 2021


Interesting.

Assuming your "Kali" tools are in fact up to date to test with newer protocols TLS1.2+, is Dovecot compiled against a recent version of the OpenSSL or GnuTLS library or whatever it uses to support the newer TLS protocols?

Definitely an outdated cipher issue, on Postfix as well as Dovecot....


On July 14, 2021 6:55:19 AM AKDT, Stefan Schumacher <s.schumacher at consulting1x1.com> wrote:
>Hi,
>
>
>I wish to build a new secure email server. It seems I am on the right
>way – at least I get no more error messages for Postfix – but Dovecot
>is still making trouble.
>
>
>I am using Dovecot 1:2.3.4.1-5+deb10u6 and I am using ISPconfig 3.25 to
>do the rough configuring and nano and what's left of my brain to do the
>finer details. Let's start with what I added to conf.d/10-ssl.conf
>
>
>ssl_cert = </etc/letsencrypt/live/servername/fullchain.pem
>
>ssl_key = </etc/letsencrypt/live/servername/privkey.pem
>
>
>ssl_cipher_list =
>EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aR$
>
>ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>
>ssl_min_protocol = TLSv1.2
>
>
>As you can see, I clearly do not want to use TLS before v1.2. I think
>this is not unreasonable in the year 2021.
>
>
>Now, after the changes I ran Kali (I use it to verify the results of my
>experiments)
>
>and - this is a mailing list, so no screenshots:
>
>It says:
>
>
>SSL/TLS Deprecated TLS v1.0 and TLS v1.1 Detection. I get this for the
>ports 143, 110, 993 and 995.
>
>
>I thought I had done everything one could to disable old TLS versions.
>What am I doing wrong?
>
>
>Yours sincerely
>
>Stefan Schumacher

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
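
An added example, not part of either poster's message: one way to check independently of the scanner which TLS versions each of the four ports from the post completes a handshake with, pinning the client to exactly one version per attempt. The names `accepts` and `scan` are this example's own, and it assumes the local Python/OpenSSL build can still offer TLS 1.0/1.1.

```python
import socket
import ssl
import warnings

# Ports from the post: 143 and 110 upgrade via STARTTLS/STLS; 993 and 995 are TLS from byte one.
STARTTLS = {143: b"a1 STARTTLS\r\n", 110: b"STLS\r\n", 993: None, 995: None}
VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def _line(sock):
    """Read one plaintext line byte by byte so nothing past it is consumed."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed during plaintext stage")
        buf += chunk
    return buf

def accepts(host, port, version, starttls=None, timeout=5.0):
    """True: handshake pinned to `version` completed. False: handshake failed.
    None: could not test (client library lacks the version, or no TLS stage reached)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # probing protocol support, not certificate trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")   # let the client side offer legacy versions
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with raw:
        try:
            if starttls:
                _line(raw)                      # server greeting
                raw.sendall(starttls)
                if not _line(raw).startswith((b"a1 OK", b"+OK")):
                    return None
        except OSError:
            return None
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except OSError:
            return False

def scan(host):
    """Probe every port/version pair named in the thread."""
    return {(port, name): accepts(host, port, v, STARTTLS[port])
            for port in STARTTLS for name, v in VERSIONS.items()}
```

Call `scan("mail.example.org")` (placeholder host) from a machine that can reach the server. A `None` for TLSv1.0 or TLSv1.1 means the probing side could not offer that version, so it says nothing about the server.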