On 14.08.2013 18:54, Robert Schetterer wrote:
> http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/
>
> it looks like DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA can be forced in use
> with apple mail
>
> ( if no ECDHE is possible, by missing openssl 1.x etc,
> seems that apple mail tries ECDHE first, if fails it's going to use
> RSA-AES128-SHA )
>
> force solution as tried
>
> ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!DSS:!SSLv2:!RC4
>
> so far so good, it worked nice with recent thunderbird too
> but it fails with outlook 2003 pop3s / win7
>
> so i thought about using an order like this
>
> ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL

ssl_cipher_list = EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2

is what is *highly* recommended after testing webservers by
https://www.ssllabs.com/ssltest/ and works with Outlook 2003/2007/2010
as well as Thunderbird, iOS, Apple Mail

currently there exists even no way to force web-browsers to FS without
open BEAST-attack and i doubt in context mail it does not look much better

however, make sure you are using *the latest* dovecot version and at least
openssl 1.0.1e

thunderbird: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
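
Added example (not part of the thread and not dovecot code): a small model of the cipher negotiation discussed above, showing how a DHE-only list locks out clients without DHE suites and how a DHE-first list with fallbacks behaves under server versus client preference. The client offers, the expanded server lists and the `server_preference` switch are constructed assumptions.

```python
# Added illustration: models TLS cipher selection to show why list order and
# fallbacks matter. All client offers below are constructed samples.

FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # ephemeral (EC)DH key exchange

def is_forward_secret(suite):
    """True when the OpenSSL suite name uses an ephemeral DH key exchange."""
    return suite.startswith(FS_PREFIXES)

def negotiate(server_list, client_offer, server_preference=True):
    """Return the suite both sides support, or None if the handshake fails.

    server_preference=True picks the first server entry the client offers;
    False follows the client's own order instead.
    """
    if server_preference:
        first, second = server_list, client_offer
    else:
        first, second = client_offer, server_list
    allowed = set(second)
    return next((s for s in first if s in allowed), None)

# Server lists, already expanded to suite names in preference order.
DHE_ONLY = ["DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA"]
DHE_FIRST = DHE_ONLY + ["AES256-SHA", "AES128-SHA"]  # adds non-FS fallback

# Constructed client offers (hypothetical, not captured from real clients).
CLIENTS = {
    "dhe-capable": ["AES128-SHA", "DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA"],
    "rsa-only": ["AES128-SHA", "AES256-SHA"],
}

def report(server_list, server_preference=True):
    """Map each sample client to (chosen suite, forward secret?)."""
    out = {}
    for name, offer in CLIENTS.items():
        suite = negotiate(server_list, offer, server_preference)
        out[name] = (suite, bool(suite) and is_forward_secret(suite))
    return out

if __name__ == "__main__":
    for label, lst in (("DHE only", DHE_ONLY), ("DHE first", DHE_FIRST)):
        for pref in (True, False):
            print(label, "server_preference=%s" % pref, report(lst, pref))
```

With client preference, the DHE-capable sample client still lands on a non-forward-secret suite once fallbacks are present, which is why the order on both sides matters.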