[Dovecot] force ciphers order for clients

Robert Schetterer Wed, 14 Aug 2013 09:56:08 -0700

Hi Timo,

reading this


http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/

it looks like DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA can be forced in use
with apple mail


( if no ECDHE is possible ,by missing openssl 1.x etc,
seems that apple mail tries ECDHE first if fails its going to use
RSA-AES128-SHA )

force soltution as tried

ssl_cipher_list =
DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!DSS:!SSLv2:!RC4

so far so good , it worked nice with recent thunderbird too
but it fails with outlook 2003 pop3s / win7

so i thought about using an order like this

ssl_cipher_list =
DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL

does that makes sense ? ( using dove 2.1.x / openssl 0.9x )


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

[Dovecot] force ciphers order for clients

Reply via email to