<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>In case it helps, here are the results of testssl.sh:</p>
    <p><br>
    </p>
    <p><tt>jervin@MiniUntu:~/testssl/testssl.sh$ ./testssl.sh
        kumo.kites.org:993</tt><tt><br>
      </tt><tt><br>
      </tt><tt>###########################################################</tt><tt><br>
      </tt><tt>    testssl.sh       3.0rc5 from <a class="moz-txt-link-freetext" href="https://testssl.sh/dev/">https://testssl.sh/dev/</a></tt><tt><br>
      </tt><tt>    (35c69be 2019-10-02 17:53:37 -- )</tt><tt><br>
      </tt><tt><br>
      </tt><tt>      This program is free software. Distribution and</tt><tt><br>
      </tt><tt>             modification under GPLv2 permitted.</tt><tt><br>
      </tt><tt>      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!</tt><tt><br>
      </tt><tt><br>
      </tt><tt>       Please file bugs @ <a class="moz-txt-link-freetext" href="https://testssl.sh/bugs/">https://testssl.sh/bugs/</a></tt><tt><br>
      </tt><tt><br>
      </tt><tt>###########################################################</tt><tt><br>
      </tt><tt><br>
      </tt><tt> Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~183 ciphers]</tt><tt><br>
      </tt><tt> on MiniUntu:./bin/openssl.Linux.x86_64</tt><tt><br>
      </tt><tt> (built: "Jan 18 17:12:17 2019", platform:
        "linux-x86_64")</tt><tt><br>
      </tt><tt><br>
      </tt><tt><br>
      </tt><tt> Start 2019-10-11 07:28:20        --&gt;&gt;
        3.222.54.62:993 (kumo.kites.org) &lt;&lt;--</tt><tt><br>
      </tt><tt><br>
      </tt><tt> rDNS (3.222.54.62):     kumo.kites.org.</tt><tt><br>
      </tt><tt> Service detected:       IMAP, thus skipping HTTP
        specific checks</tt><tt><br>
      </tt><tt><br>
      </tt><tt><br>
      </tt><tt> Testing protocols via sockets except NPN+ALPN </tt><tt><br>
      </tt><tt><br>
      </tt><tt> SSLv2      not offered (OK)</tt><tt><br>
      </tt><tt> SSLv3      not offered (OK)</tt><tt><br>
      </tt><tt> TLS 1      offered (deprecated)</tt><tt><br>
      </tt><tt> TLS 1.1    offered (deprecated)</tt><tt><br>
      </tt><tt> TLS 1.2    offered (OK)</tt><tt><br>
      </tt><tt> TLS 1.3    offered (OK): final</tt><tt><br>
      </tt><tt> NPN/SPDY   not offered</tt><tt><br>
      </tt><tt> ALPN/HTTP2 not offered</tt><tt><br>
      </tt><tt><br>
      </tt><tt> Testing cipher categories </tt><tt><br>
      </tt><tt><br>
      </tt><tt> NULL ciphers (no encryption)                  not
        offered (OK)</tt><tt><br>
      </tt><tt> Anonymous NULL Ciphers (no authentication)    not
        offered (OK)</tt><tt><br>
      </tt><tt> Export ciphers (w/o ADH+NULL)                 not
        offered (OK)</tt><tt><br>
      </tt><tt> LOW: 64 Bit + DES, RC[2,4] (w/o export)       not
        offered (OK)</tt><tt><br>
      </tt><tt> Triple DES Ciphers / IDEA                     not
        offered (OK)</tt><tt><br>
      </tt><tt> Average: SEED + 128+256 Bit CBC ciphers       offered</tt><tt><br>
      </tt><tt> Strong encryption (AEAD ciphers)              offered
        (OK)</tt><tt><br>
      </tt><tt><br>
      </tt><tt><br>
      </tt><tt> Testing robust (perfect) forward secrecy, (P)FS --
        omitting Null Authentication/Encryption, 3DES, RC4 </tt><tt><br>
      </tt><tt><br>
      </tt><tt> PFS is offered (OK)          TLS_AES_256_GCM_SHA384
        TLS_CHACHA20_POLY1305_SHA256</tt><tt><br>
      </tt><tt>                              ECDHE-RSA-AES256-GCM-SHA384
        ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA</tt><tt><br>
      </tt><tt>                              DHE-RSA-AES256-GCM-SHA384
        ECDHE-RSA-CHACHA20-POLY1305</tt><tt><br>
      </tt><tt>                              DHE-RSA-CHACHA20-POLY1305
        DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM</tt><tt><br>
      </tt><tt>                              DHE-RSA-AES256-SHA256
        DHE-RSA-AES256-SHA ECDHE-RSA-CAMELLIA256-SHA384</tt><tt><br>
      </tt><tt>                              DHE-RSA-CAMELLIA256-SHA256
        DHE-RSA-CAMELLIA256-SHA</tt><tt><br>
      </tt><tt>                              DHE-RSA-ARIA256-GCM-SHA384
        ECDHE-ARIA256-GCM-SHA384</tt><tt><br>
      </tt><tt>                              TLS_AES_128_GCM_SHA256
        ECDHE-RSA-AES128-GCM-SHA256</tt><tt><br>
      </tt><tt>                              ECDHE-RSA-AES128-SHA256
        ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256</tt><tt><br>
      </tt><tt>                              DHE-RSA-AES128-CCM8
        DHE-RSA-AES128-CCM DHE-RSA-AES128-SHA256</tt><tt><br>
      </tt><tt>                              DHE-RSA-AES128-SHA
        ECDHE-RSA-CAMELLIA128-SHA256</tt><tt><br>
      </tt><tt>                              DHE-RSA-CAMELLIA128-SHA256
        DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA</tt><tt><br>
      </tt><tt>                              DHE-RSA-ARIA128-GCM-SHA256
        ECDHE-ARIA128-GCM-SHA256 </tt><tt><br>
      </tt><tt> Elliptic curves offered:     secp384r1 </tt><tt><br>
      </tt><tt> DH group offered:            Unknown DH group (1024
        bits)</tt><tt><br>
      </tt><tt><br>
      </tt><tt> Testing server preferences </tt><tt><br>
      </tt><tt><br>
      </tt><tt> Has server cipher order?     yes (OK) -- only for &lt;
        TLS 1.3</tt><tt><br>
      </tt><tt> Negotiated protocol          TLSv1.3</tt><tt><br>
      </tt><tt> Negotiated cipher            TLS_AES_256_GCM_SHA384, 384
        bit ECDH (P-384)</tt><tt><br>
      </tt><tt> Cipher order</tt><tt><br>
      </tt><tt>    TLSv1:     ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA
        DHE-RSA-CAMELLIA256-SHA AES256-SHA</tt><tt><br>
      </tt><tt>               CAMELLIA256-SHA ECDHE-RSA-AES128-SHA
        DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA</tt><tt><br>
      </tt><tt>               DHE-RSA-CAMELLIA128-SHA AES128-SHA
        SEED-SHA CAMELLIA128-SHA </tt><tt><br>
      </tt><tt>    TLSv1.1:   ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA
        DHE-RSA-CAMELLIA256-SHA AES256-SHA</tt><tt><br>
      </tt><tt>               CAMELLIA256-SHA ECDHE-RSA-AES128-SHA
        DHE-RSA-AES128-SHA DHE-RSA-SEED-SHA</tt><tt><br>
      </tt><tt>               DHE-RSA-CAMELLIA128-SHA AES128-SHA
        SEED-SHA CAMELLIA128-SHA </tt><tt><br>
      </tt><tt>    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384
        ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA</tt><tt><br>
      </tt><tt>               DHE-RSA-AES256-GCM-SHA384
        ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305</tt><tt><br>
      </tt><tt>               DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM
        DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA</tt><tt><br>
      </tt><tt>               ECDHE-RSA-CAMELLIA256-SHA384
        DHE-RSA-CAMELLIA256-SHA256 DHE-RSA-CAMELLIA256-SHA</tt><tt><br>
      </tt><tt>               AES256-GCM-SHA384 AES256-CCM8 AES256-CCM
        AES256-SHA256 AES256-SHA CAMELLIA256-SHA256</tt><tt><br>
      </tt><tt>               CAMELLIA256-SHA ARIA256-GCM-SHA384
        DHE-RSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384</tt><tt><br>
      </tt><tt>               ECDHE-RSA-AES128-GCM-SHA256
        ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA</tt><tt><br>
      </tt><tt>               DHE-RSA-AES128-GCM-SHA256
        DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM AES128-CCM8 AES128-CCM</tt><tt><br>
      </tt><tt>               DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA
        ECDHE-RSA-CAMELLIA128-SHA256</tt><tt><br>
      </tt><tt>               DHE-RSA-CAMELLIA128-SHA256
        DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA AES128-GCM-SHA256</tt><tt><br>
      </tt><tt>               AES128-SHA256 AES128-SHA
        CAMELLIA128-SHA256 SEED-SHA CAMELLIA128-SHA ARIA128-GCM-SHA256</tt><tt><br>
      </tt><tt>               DHE-RSA-ARIA128-GCM-SHA256
        ECDHE-ARIA128-GCM-SHA256 </tt><tt><br>
      </tt><tt>    TLSv1.3:   TLS_AES_256_GCM_SHA384
        TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 </tt><tt><br>
      </tt><tt><br>
      </tt><tt><br>
      </tt><tt> Testing server defaults (Server Hello) </tt><tt><br>
      </tt><tt><br>
      </tt><tt> TLS extensions (standard)    "renegotiation info/#65281"
        "server name/#0" "EC point formats/#11"</tt><tt><br>
      </tt><tt>                              "session ticket/#35"
        "supported versions/#43" "key share/#51"</tt><tt><br>
      </tt><tt>                              "max fragment length/#1"
        "encrypt-then-mac/#22"</tt><tt><br>
      </tt><tt>                              "extended master
        secret/#23"</tt><tt><br>
      </tt><tt> Session Ticket RFC 5077 hint 7200 seconds, session
        tickets keys seems to be rotated &lt; daily</tt><tt><br>
      </tt><tt> SSL Session ID support       yes</tt><tt><br>
      </tt><tt> Session Resumption           Tickets no, ID: no</tt><tt><br>
      </tt><tt> TLS clock skew               Random values, no
        fingerprinting possible </tt><tt><br>
      </tt><tt> Signature Algorithm          SHA256 with RSA</tt><tt><br>
      </tt><tt> Server key size              RSA 2048 bits</tt><tt><br>
      </tt><tt> Server key usage             Digital Signature, Key
        Encipherment</tt><tt><br>
      </tt><tt> Server extended key usage    TLS Web Server
        Authentication, TLS Web Client Authentication</tt><tt><br>
      </tt><tt> Serial / Fingerprints       
        F451FC38110BD0CC08D03E6975C05AC0 / SHA1
        5EB402C1FB4020C1697E48931F68D11145D48F43</tt><tt><br>
      </tt><tt>                              SHA256
        C37816C37E38DAEF4758EC41EA9F332C08C9310CA63976BD5A294EE7D84B3CF0</tt><tt><br>
      </tt><tt> Common Name (CN)             kumo.kites.org</tt><tt><br>
      </tt><tt> subjectAltName (SAN)         kumo.kites.org
        <a class="moz-txt-link-abbreviated" href="http://www.kumo.kites.org">www.kumo.kites.org</a> </tt><tt><br>
      </tt><tt> Issuer                       Sectigo RSA Domain
        Validation Secure Server CA (Sectigo Limited from GB)</tt><tt><br>
      </tt><tt> Trust (hostname)             Ok via SAN and CN (same w/o
        SNI)</tt><tt><br>
      </tt><tt> Chain of trust               Ok   </tt><tt><br>
      </tt><tt> EV cert (experimental)       no </tt><tt><br>
      </tt><tt> ETS/"eTLS", visibility info  not present</tt><tt><br>
      </tt><tt> Certificate Validity (UTC)   364 >= 60 days
        (2019-10-10 20:00 --> 2020-10-09 19:59)</tt><tt><br>
      </tt><tt> # of certificates provided   6 (certificate list
        ordering problem)</tt><tt><br>
      </tt><tt> Certificate Revocation List  --</tt><tt><br>
      </tt><tt> OCSP URI                     <a class="moz-txt-link-freetext" href="http://ocsp.sectigo.com">http://ocsp.sectigo.com</a></tt><tt><br>
      </tt><tt> OCSP stapling                not offered</tt><tt><br>
      </tt><tt> OCSP must staple extension   --</tt><tt><br>
      </tt><tt> DNS CAA RR (experimental)    not offered</tt><tt><br>
      </tt><tt> Certificate Transparency     yes (certificate extension)</tt><tt><br>
      </tt><tt><br>
      </tt><tt><br>
      </tt><tt> Testing vulnerabilities </tt><tt><br>
      </tt><tt><br>
      </tt><tt> Heartbleed (CVE-2014-0160)                not vulnerable
        (OK), no heartbeat extension</tt><tt><br>
      </tt><tt> CCS (CVE-2014-0224)                       not vulnerable
        (OK)</tt><tt><br>
      </tt><tt> Ticketbleed (CVE-2016-9244), experiment.  --  
        (applicable only for HTTPS)</tt><tt><br>
      </tt><tt> ROBOT                                     not vulnerable
        (OK)</tt><tt><br>
      </tt><tt> Secure Renegotiation (RFC 5746)           supported (OK)</tt><tt><br>
      </tt><tt> Secure Client-Initiated Renegotiation     not vulnerable
        (OK)</tt><tt><br>
      </tt><tt> CRIME, TLS (CVE-2012-4929)                not vulnerable
        (OK) (not using HTTP anyway)</tt><tt><br>
      </tt><tt> POODLE, SSL (CVE-2014-3566)               not vulnerable
        (OK)</tt><tt><br>
      </tt><tt> TLS_FALLBACK_SCSV (RFC 7507)              Downgrade
        attack prevention supported (OK)</tt><tt><br>
      </tt><tt> SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable
        (OK)</tt><tt><br>
      </tt><tt> FREAK (CVE-2015-0204)                     not vulnerable
        (OK)</tt><tt><br>
      </tt><tt> DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable
        on this host and port (OK)</tt><tt><br>
      </tt><tt>                                           make sure you
        don't use this certificate elsewhere with SSLv2 enabled services</tt><tt><br>
      </tt><tt>                                          
<a class="moz-txt-link-freetext" href="https://censys.io/ipv4?q=C37816C37E38DAEF4758EC41EA9F332C08C9310CA63976BD5A294EE7D84B3CF0">https://censys.io/ipv4?q=C37816C37E38DAEF4758EC41EA9F332C08C9310CA63976BD5A294EE7D84B3CF0</a>
        could help you to find out</tt><tt><br>
      </tt><tt> LOGJAM (CVE-2015-4000), experimental      not vulnerable
        (OK): no DH EXPORT ciphers</tt><tt><br>
      </tt><tt>                                           But: Unknown
        DH group (1024 bits)</tt><tt><br>
      </tt><tt> BEAST (CVE-2011-3389)                     TLS1:
        ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA</tt><tt><br>
      </tt><tt>                                                
        DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA</tt><tt><br>
      </tt><tt>                                                
        ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA</tt><tt><br>
      </tt><tt>                                                
        DHE-RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA AES128-SHA</tt><tt><br>
      </tt><tt>                                                 SEED-SHA
        CAMELLIA128-SHA </tt><tt><br>
      </tt><tt>                                           VULNERABLE --
        but also supports higher protocols  TLSv1.1 TLSv1.2 (likely
        mitigated)</tt><tt><br>
      </tt><tt> LUCKY13 (CVE-2013-0169), experimental     potentially
        VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS.
        Check patches</tt><tt><br>
      </tt><tt> RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers
        detected (OK)</tt><tt><br>
      </tt><tt><br>
      </tt><tt><br>
      </tt><tt> Testing 370 ciphers via OpenSSL plus sockets against the
        server, ordered by encryption strength </tt><tt><br>
      </tt><tt><br>
      </tt><tt>Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.  
        Encryption  Bits     Cipher Suite Name (IANA/RFC)</tt><tt><br>
      </tt><tt>-----------------------------------------------------------------------------------------------------------------------------</tt><tt><br>
      </tt><tt>[redacted to reduce size]</tt><tt><br>
      </tt><tt><br>
      </tt><tt><br>
      </tt><tt> Running client simulations via sockets </tt><tt><br>
      </tt><tt><br>
      </tt><tt> Android 8.1 (native)         TLSv1.2
        ECDHE-RSA-AES128-GCM-SHA256, 384 bit ECDH (P-384)</tt><tt><br>
      </tt><tt> Android 9.0 (native)         TLSv1.3
        TLS_AES_128_GCM_SHA256, 384 bit ECDH (P-384)</tt><tt><br>
      </tt><tt> Java 6u45                    TLSv1.0 AES128-SHA, No FS</tt><tt><br>
      </tt><tt> Java 7u25                    TLSv1.0
        ECDHE-RSA-AES128-SHA, 384 bit ECDH (P-384)</tt><tt><br>
      </tt><tt> Java 8u161                   TLSv1.2
        ECDHE-RSA-AES256-SHA384, 384 bit ECDH (P-384)</tt><tt><br>
      </tt><tt> Java 11.0.2 (OpenJDK)        TLSv1.3
        TLS_AES_128_GCM_SHA256, 384 bit ECDH (P-384)</tt><tt><br>
      </tt><tt> Java 12.0.1 (OpenJDK)        TLSv1.3
        TLS_AES_128_GCM_SHA256, 384 bit ECDH (P-384)</tt><tt><br>
      </tt><tt> OpenSSL 1.0.1l               TLSv1.2
        ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)</tt><tt><br>
      </tt><tt> OpenSSL 1.0.2e               TLSv1.2
        ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)</tt><tt><br>
      </tt><tt> OpenSSL 1.1.0j (Debian)      TLSv1.2
        ECDHE-RSA-AES256-GCM-SHA384, 384 bit ECDH (P-384)</tt><tt><br>
      </tt><tt> OpenSSL 1.1.1b (Debian)      TLSv1.3
        TLS_AES_256_GCM_SHA384, 384 bit ECDH (P-384)</tt><tt><br>
      </tt><tt> Thunderbird (60.6)           TLSv1.3
        TLS_AES_128_GCM_SHA256, 384 bit ECDH (P-384)</tt><tt><br>
      </tt><tt><br>
      </tt><tt> Done 2019-10-11 07:31:08 [ 170s] --&gt;&gt;
        3.222.54.62:993 (kumo.kites.org) &lt;&lt;--</tt><br>
      <br>
      <br>
    </p>
    <div class="moz-cite-prefix">On 10/11/19 7:22 AM, C. James Ervin via
      dovecot wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:651602d4-6b2c-403a-9a9d-d748f9d67576@kites.org">
      <p>In setting up my new mail server, I am getting the following in
        the logs:</p>
      <p>Oct 11 07:10:59 kumo dovecot[5704]: imap-login: Disconnected
        (no auth attempts in 0 secs): user=&lt;&gt;, rip=24.53.79.10,
        lip=172.26.12.90, <b>TLS handshaking: SSL_accept() syscall
          failed: Success</b>, session=&lt;B9OokqCUD+UYNU8K&gt;<br>
      </p>
      <br>
    </blockquote>
  </body>
</html>