On 18.10.2013 13:57, Adi Kriegisch wrote:
> I tried to do a backport of 'ssl_prefer_server_ciphers'
> (http://hg.dovecot.org/dovecot-2.2/rev/897484f45a87/) to Dovecot 2.1
> (namely the Debian version of Dovecot) and wanted to ask if there is any
> chance to integrate this feature into Dovecot 2.1 'upstream' as well.
> As the code structure changed quite a bit, I am not sure if my patch is
> complete. I tested it with pop3s and imaps in my test environment and it
> works just as expected and seemed to not have any unwanted effects.
> (Dovecot code is probably the most beautiful and easy to read C code I've
> seen, but there might also be some pitfalls I missed.)
>
> best regards,
> Adi Kriegisch
>
> PS: I need that feature to enable PFS while allowing Outlook to still
> connect and the others not to fall back to a different cipher; I was
> unable to find a PFS cipher that is supported by Outlook and OpenSSL

ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:@STRENGTH
ssl_prefer_server_ciphers = yes

Outlook, at least on WinXP any version, continues to use RC4 ciphers but any sane mail client is using PFS ciphers
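
An added illustration, not part of the original messages or of Dovecot's code: a small Python model of the selection rule that ssl_prefer_server_ciphers switches on, showing why an RC4-only client still connects while a PFS-capable client that lists RC4 first no longer ends up on RC4. The suite names are real OpenSSL names, but the server subset and both client offers are constructed for the example.

```python
# Added example: models how a TLS server picks a cipher suite, with and
# without server-side preference (what ssl_prefer_server_ciphers toggles).
# Suite names are real OpenSSL names; the lists themselves are constructed.

# Constructed subset of a server list ordered like the one above:
# ECDHE suites first, then DHE, then plain RC4 as a last resort.
SERVER_ORDER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-RC4-SHA",
    "DHE-RSA-AES256-SHA",
    "RC4-SHA",
]

# Constructed client offers, each in the client's own preference order.
CLIENTS = {
    "legacy-rc4-only": ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"],
    "rc4-first-but-pfs-capable": ["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                                  "ECDHE-RSA-AES256-GCM-SHA384"],
}

def negotiate(server_order, client_order, prefer_server):
    """Return the suite that would be selected, or None if none is shared."""
    if prefer_server:
        primary, other = server_order, set(client_order)
    else:
        primary, other = client_order, set(server_order)
    for suite in primary:
        if suite in other:
            return suite
    return None

def is_pfs(suite):
    """Ephemeral (EC)DH key exchange is what provides forward secrecy."""
    return suite is not None and suite.startswith(("ECDHE-", "DHE-"))

def report(prefer_server):
    """Map each constructed client to (negotiated suite, forward secret?)."""
    result = {}
    for name, offer in CLIENTS.items():
        suite = negotiate(SERVER_ORDER, offer, prefer_server)
        result[name] = (suite, is_pfs(suite))
    return result

if __name__ == "__main__":
    for mode in (False, True):
        print("prefer_server =", mode)
        for name, (suite, pfs) in report(mode).items():
            print(f"  {name:28} {suite}  PFS={pfs}")
```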