<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">Interesting.<br><br>Assuming your "Kali" tools are in fact up to date to test with newer protocols TLS1.2+, is Dovecot compiled against a recent version of the OpenSSL or GnuTLS library or whatever it uses to support the newer TLS protocols?<br><br>Definitely an outdated cipher issue, on Postfix as well as Dovecot....<br><br><br><div class="gmail_quote">On July 14, 2021 6:55:19 AM AKDT, Stefan Schumacher <s.schumacher@consulting1x1.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p style="margin-bottom:0cm;line-height:100%;background:transparent">Hi,</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">I wish to build a new secure email server. It seems I am on the right way – at least I get no more error messages for Postfix – but Dovecot is still making trouble.
</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">I am using Dovecot 1:2.3.4.1-5+deb10u6 and I am using ISPconfig 3.25 to do the rough configuring and nano and whats left of my brain to do the finer details. Lets start with what I added to
conf.d/10-ssl.conf</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">ssl_cert = </etc/letsencrypt/live/servername/fullchain.pem</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">ssl_key = </etc/letsencrypt/live/servername/privkey.pem</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aR$</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">ssl_min_protocol = TLSv1.2</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">As you can see, I clearly do not want to use TLS before v1.2. I think this is not unreasonable in the year 2021.
</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">Now, after the changes I ran Kali (I use it to verify the results of my experiments)</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">and - this is a mailing list, so no screenshots:</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">It says:</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">SSL/TLS Deprecated TLS v1.0 and TLS v1.1 Detection. I get this for the ports 143, 110, 993 and 995.</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">I thought I had done everything one could to disable old TLS-Versions. What am I doing wrong?</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent"><br>
</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">Yours sincerely</p>
<p style="margin-bottom:0cm;line-height:100%;background:transparent">Stefan Schumacher</p>
<br>
</div>
</blockquote></div><br>-- <br>Sent from my Android device with K-9 Mail. Please excuse my brevity.</body></html>