Thanks, Alberto. Now it's solved (it has been a little bit tricky). My final config:

* /etc/imapd.conf
tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH
tls_versions: tls1_0 tls1_1 tls1_2 tls1_3

* /etc/ssl/openssl.cnf
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=2

Still don't know how to fix the "Has server cipher order? no (NOT ok)" warning in testssl.sh (https://github.com/drwetter/testssl.sh).

Cheers,
-r

On 08/05/2020 at 21:27, Alberto Gonzalez Iniesta wrote:
> Hi,
>
> It's probably due to new defaults in libssl.
> Try adding:
> MinProtocol = None
> CipherString = DEFAULT
> To:
> /etc/ssl/openssl.cnf
>
> Regards,
>
> Alberto
>
> On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez wrote:
>> Hi,
>>
>> I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
>> (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
>> they're not recommended but I need them for older clients). I tried
>> several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
>> (even very permissive combinations) with no success.
>>
>> Any idea what's happening?
>>
>> I'm not sure whether it's really a Cyrus issue or some other kind of
>> hardening feature in Buster. In that last regard, I also modified
>> /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
>> I think this setting is only for client programs like Curl. But seeing
>> that config I tend to think that Buster may have other tweaks against
>> older protocols like TLSv1.{0,1} and one of them may be impacting my setup.
>>
>> Cheers,
>>
>> -r
>>
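
Added example, not part of the thread and not Cyrus or OpenSSL code: a small audit model of why changing tls_versions alone had no effect, treating the libssl MinProtocol in /etc/ssl/openssl.cnf as a floor under whatever Cyrus lists. Assumptions: Buster's stock openssl.cnf sets MinProtocol = TLSv1.2, the spelling "TLSv1.0" is read as TLS 1.0, and all function and constant names are hypothetical.

```python
import re

ORDER = ["tls1_0", "tls1_1", "tls1_2", "tls1_3"]  # Cyrus tls_versions tokens
# MinProtocol spellings -> token. "TLSv1.0" is the spelling used in the
# message above; reading it as TLS 1.0 is an assumption of this example.
MINPROTO = {"none": None, "tlsv1": "tls1_0", "tlsv1.0": "tls1_0",
            "tlsv1.1": "tls1_1", "tlsv1.2": "tls1_2", "tlsv1.3": "tls1_3"}

# Constructed inputs: the thread's imapd.conf lines, Buster's stock floor
# (assumed), and the thread's final openssl.cnf values.
IMAPD_CONF = """tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH
tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
"""
OPENSSL_BUSTER = "[system_default_sect]\nMinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n"
OPENSSL_FINAL = "[system_default_sect]\nMinProtocol = TLSv1.0\nCipherString = DEFAULT@SECLEVEL=2\n"

def parse_imapd(text):
    """Return {option: value} from 'key: value' lines, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)  # cipher strings contain ':' too
            opts[key.strip()] = value.strip()
    return opts

def parse_openssl(text):
    """Return {key: value} from 'key = value' lines; section headers are skipped."""
    pattern = r"^[ \t]*(\w+)[ \t]*=[ \t]*(\S+)[ \t]*$"
    return dict(m.groups() for m in re.finditer(pattern, text, re.M))

def effective_versions(imapd_text, openssl_text):
    """Versions Cyrus lists that sit at or above the libssl floor."""
    # A missing tls_versions line is treated as an empty list (assumption).
    listed = parse_imapd(imapd_text).get("tls_versions", "").split()
    raw = parse_openssl(openssl_text).get("MinProtocol", "None")
    floor = MINPROTO[raw.lower()]  # KeyError on an unrecognised spelling
    start = 0 if floor is None else ORDER.index(floor)
    return [v for v in ORDER[start:] if v in listed]

def legacy_enabled(imapd_text, openssl_text):
    """TLS 1.0/1.1 entries that remain reachable, for an audit report."""
    return sorted({"tls1_0", "tls1_1"} & set(effective_versions(imapd_text, openssl_text)))

if __name__ == "__main__":
    print("stock floor:", effective_versions(IMAPD_CONF, OPENSSL_BUSTER))
    print("final config:", effective_versions(IMAPD_CONF, OPENSSL_FINAL))
```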