Hi Roman,

Did you try with the following in imapd.conf?

tls_prefer_server_ciphers: 1

Regards,
Jonas.

On Sat, 9 May 2020, 01:22 Roman Medina-Heigl Hernandez, <ro...@rs-labs.com> wrote:

> Thanks, Alberto. Now it's solved (it has been a little bit tricky).
>
> My final config:
>
> * /etc/imapd.conf
> tls_ciphers: TLSv1.2:TLSv1:HIGH:!aNULL:@STRENGTH
> tls_versions: tls1_0 tls1_1 tls1_2 tls1_3
>
> * /etc/ssl/openssl.cnf
> MinProtocol = TLSv1.0
> CipherString = DEFAULT@SECLEVEL=2
>
> Still don't know how to fix the "Has server cipher order? no (NOT
> ok)" warning in testssl.sh (https://github.com/drwetter/testssl.sh).
>
> Cheers,
> -r
>
> On 08/05/2020 at 21:27, Alberto Gonzalez Iniesta wrote:
> > Hi,
> >
> > It's probably due to new defaults in libssl.
> > Try adding:
> > MinProtocol = None
> > CipherString = DEFAULT
> > To:
> > /etc/ssl/openssl.cnf
> >
> > Regards,
> >
> > Alberto
> >
> > On Fri, May 08, 2020 at 09:07:31PM +0200, Roman Medina-Heigl Hernandez wrote:
> >> Hi,
> >>
> >> I upgraded from Jessie to Buster (thru Stretch) and noticed that Cyrus
> >> (imaps & pop3s) stopped negotiating TLS 1.0 and 1.1 protocols (I know
> >> they're not recommended but I need them for older clients). I tried
> >> several combinations of tls_ciphers and tls_versions in /etc/imapd.conf
> >> (even very permissive combinations) with no success.
> >>
> >> Any idea what's happening?
> >>
> >> I'm not sure whether it's really a Cyrus issue or some other kind of
> >> hardening feature in Buster. In that last regard, I also modified
> >> /etc/ssl/openssl and set MinProtocol = TLSv1.0 (just in case), although
> >> I think this setting is only for client programs like Curl. But seeing
> >> that config I tend to think that Buster may have other tweaks against
> >> older protocols like TLSv1.{0,1} and one of them may be impacting my setup.
> >>
> >> Cheers,
> >>
> >> -r
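
What the "Has server cipher order?" result in the thread measures, and what `tls_prefer_server_ciphers: 1` changes, as an added Python model that is not part of the thread and not code from Cyrus or testssl.sh. The cipher lists, the function names and the two-probe method are assumptions made for illustration, and the model covers TLS 1.2 and earlier only.

```python
# Added illustration: a model of TLS 1.2-and-earlier cipher selection.
# Not Cyrus or testssl.sh code; the cipher lists below are constructed samples.

SERVER_CIPHERS = [            # server's configured order, strongest first
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
]
OFFERED = [                   # a client that lists its oldest suite first
    "AES256-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
]


def negotiate(client_prefs, server_prefs, prefer_server):
    """Pick the first shared cipher in the order of whichever side decides."""
    ordered, other = ((server_prefs, client_prefs) if prefer_server
                      else (client_prefs, server_prefs))
    return next((c for c in ordered if c in other), None)  # None: no shared cipher


def make_server(server_prefs, prefer_server):
    """Hypothetical stand-in for one handshake against a server."""
    return lambda client_prefs: negotiate(client_prefs, server_prefs, prefer_server)


def has_server_cipher_order(handshake, offered):
    """True/False for enforced server order, None when it cannot be told."""
    first = handshake(offered)
    second = handshake(offered[::-1])
    if first is None or second is None:
        return None                       # nothing in common with the server
    if first != second:
        return False                      # result followed the client's order
    # Same answer twice: only meaningful if a second shared cipher exists.
    rest = [c for c in offered if c != first]
    return True if handshake(rest) is not None else None


if __name__ == "__main__":
    for flag in (False, True):
        server = make_server(SERVER_CIPHERS, flag)
        print("prefer_server =", flag,
              "| picked:", server(OFFERED),
              "| server order:", has_server_cipher_order(server, OFFERED))
```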