<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi Aki,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Where do I get testssl.sh? If the script is of your design, could you mail it to me?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Yours</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Stefan</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Aki Tuomi <aki.tuomi@open-xchange.com><br>
<b>Sent:</b> Wednesday, 14 July 2021 19:34<br>
<b>To:</b> Stefan Schumacher <s.schumacher@consulting1x1.com>; dovecot@dovecot.org <dovecot@dovecot.org><br>
<b>Subject:</b> Re: TLS Security</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText"><br>
> On 14/07/2021 17:55 Stefan Schumacher <s.schumacher@consulting1x1.com> wrote:<br>
> <br>
> <br>
> Hi,<br>
> <br>
> <br>
> I wish to build a new secure email server. It seems I am on the right way – at least I get no more error messages for Postfix – but Dovecot is still making trouble.<br>
> <br>
> <br>
> I am using Dovecot 1:2.3.4.1-5+deb10u6 and I am using ISPconfig 3.25 to do the rough configuring and nano and what's left of my brain to do the finer details. Let's start with what I added to conf.d/10-ssl.conf<br>
> <br>
> <br>
> ssl_cert = </etc/letsencrypt/live/servername/fullchain.pem<br>
> ssl_key = </etc/letsencrypt/live/servername/privkey.pem<br>
> <br>
> <br>
> ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aR$<br>
> ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1<br>
> ssl_min_protocol = TLSv1.2<br>
> <br>
> <br>
> As you can see, I clearly do not want to use TLS before v1.2. I think this is not unreasonable in the year 2021.<br>
> <br>
> <br>
> Now, after the changes I ran Kali (I use it to verify the results of my experiments)<br>
> and - this is a mailing list, so no screenshots:<br>
> It says:<br>
> <br>
> <br>
> SSL/TLS Deprecated TLS v1.0 and TLS v1.1 Detection. I get this for the ports 143, 110, 993 and 995.<br>
> <br>
> <br>
> I thought I had done everything one could to disable old TLS-Versions. What am I doing wrong?<br>
> <br>
> <br>
> Yours sincerely<br>
> Stefan Schumacher<br>
> <br>
><br>
<br>
Hi!<br>
<br>
First of all, 2.3.4.1 is a bit old, and has no proper support for TLSv1.3, which is supported better on a later version. Now, I installed 2.3.4.1 from debian 10, and tested with testssl.sh and got<br>
<br>
SSLv2 not offered (OK)<br>
SSLv3 not offered (OK)<br>
TLS 1 not offered<br>
TLS 1.1 not offered<br>
TLS 1.2 offered (OK)<br>
TLS 1.3 offered (OK): final<br>
NPN/SPDY not offered<br>
ALPN/HTTP2 not offered<br>
<br>
TLSv1.2 (no server order, thus listed by strength)<br>
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 521 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384<br>
xc028 ECDHE-RSA-AES256-SHA384 ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384<br>
xc014 ECDHE-RSA-AES256-SHA ECDH 521 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br>
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 521 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256<br>
xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH 521 Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384<br>
xc061 ECDHE-ARIA256-GCM-SHA384 ECDH 521 ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384<br>
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 521 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256<br>
xc027 ECDHE-RSA-AES128-SHA256 ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256<br>
xc013 ECDHE-RSA-AES128-SHA ECDH 521 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<br>
xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH 521 Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256<br>
xc060 ECDHE-ARIA128-GCM-SHA256 ECDH 521 ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256<br>
<br>
TLSv1.3 (no server order, thus listed by strength)<br>
x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384<br>
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256<br>
x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256<br>
<br>
<br>
I used:<br>
<br>
listen = *<br>
mail_attribute_dict = file:%h/Mail/dovecot-attributes<br>
mail_gid = vmail<br>
mail_home = /home/vmail/%Lu<br>
mail_location = sdbox:~/Mail<br>
mail_uid = vmail<br>
passdb {<br>
args = password=#hidden_use-P_to_show#<br>
driver = static<br>
}<br>
protocols = imap<br>
ssl_cert = <cert.pem<br>
ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA<br>
ssl_dh = # hidden, use -P to show it<br>
ssl_key = # hidden, use -P to show it<br>
ssl_min_protocol = TLSv1.2<br>
<br>
Aki<br>
</div>
</span></font></div>
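<div class="PlainText">As an added example (not from the thread or from the Dovecot project), a small Python checker that reads <code>doveconf -n</code> style output like the two configurations quoted above and derives the TLS floor they actually impose. It understands both the <code>ssl_min_protocol</code> directive and the older <code>ssl_protocols</code> exclusion list, takes the stricter of the two, and reports which legacy versions a configuration still leaves enabled; the sample configuration is constructed and the "stricter wins" rule is the checker's own policy, not a statement about Dovecot's precedence.</div>

```python
TLS_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # weakest first
LEGACY = TLS_ORDER[:4]  # everything below TLSv1.2

# Constructed sample modelled on the settings quoted in the thread (doveconf -n style).
SAMPLE_CONF = """\
ssl_cert = </etc/letsencrypt/live/servername/fullchain.pem
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
ssl_min_protocol = TLSv1.2
passdb {
  driver = static
}
"""

def parse_doveconf(text):
    """Return top-level key = value pairs; nested { } blocks are skipped."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def floor_from_ssl_protocols(value):
    """Older ssl_protocols list: '!X' disables X; the weakest survivor is the floor."""
    if not value:
        return None
    disabled = {tok[1:] for tok in value.split() if tok.startswith("!")}
    return next((v for v in TLS_ORDER if v not in disabled), None)

def effective_min_protocol(settings):
    """Stricter of ssl_min_protocol and the floor implied by ssl_protocols, or None."""
    floors = [settings.get("ssl_min_protocol"),
              floor_from_ssl_protocols(settings.get("ssl_protocols"))]
    floors = [f for f in floors if f in TLS_ORDER]
    return max(floors, key=TLS_ORDER.index) if floors else None

def legacy_versions_enabled(settings):
    """Legacy versions the config leaves enabled (all of them if no floor is set)."""
    floor = effective_min_protocol(settings)
    if floor is None:
        return list(LEGACY)  # no floor configured: the build default decides
    return [v for v in LEGACY if TLS_ORDER.index(v) >= TLS_ORDER.index(floor)]

if __name__ == "__main__":
    conf = parse_doveconf(SAMPLE_CONF)
    print("floor:", effective_min_protocol(conf), "legacy:", legacy_versions_enabled(conf))
```

An empty legacy list means the configuration itself excludes TLS 1.0/1.1; if a scanner still reports them, the running instance is not using this configuration or another listener is answering.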
</body>
</html>