Am 09.01.2015 um 08:07 schrieb m...@ruggedinbox.com: > Hi all, when hardening dovecot against the POODLE vulnerability, > we followed the advise to disable SSL2 and SSL3 > but this is giving problems with some email clients (claws-mail). > > ssl_protocols = !SSLv2 !SSLv3 > > results in the following error: > > dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, > rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: > error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, > session=<2C8jBjIMmQBVGNd1> > > Our smtp server is postfix, can you please suggest a better > 'ssl_protocols' and 'ssl_cipher_list' configuration ? > We are running Debian 7 Wheezy > > Thank you, > RuggedInbox team
Hi, this is my config on Wheezy. I don't know if it's 'best', but it works for us: # SSL protocols to use ssl_protocols = !SSLv2 !SSLv3 # Prefer the server's order of ciphers over client's. ssl_prefer_server_ciphers = yes ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2 Cheers, Philipp
smime.p7s
Description: S/MIME Cryptographic Signature
