Re: dovecot on wheezy, best ssl configuration ?

Thu, 08 Jan 2015 23:59:33 -0800 

Hi thanks for your help!
Trying to set your same parameters, when restarting dovecot, gives the error: 


doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf 
line 136: Unknown setting: ssl_prefer_server_ciphers

doveconf: Error: managesieve-login: dump-capability process returned 89

doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf 
line 136: Unknown setting: ssl_prefer_server_ciphers
[....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error 
in configuration file /etc/dovecot/dovecot.conf line 136: Unknown 
setting: ssl_prefer_server_ciphers

doveconf: Error: managesieve-login: dump-capability process returned 89

doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf 
line 136: Unknown setting: ssl_prefer_server_ciphers



and if trying to comment the line with 'ssl_prefer_server_ciphers', 
dovecot restarts fine but same problem as before, claws-mail can't 
connect.


dovecot version is 2.1.7

any hints ?


On 2015-01-09 07:50, Philipp Resch wrote:

Am 09.01.2015 um 08:07 schrieb m...@ruggedinbox.com:

Hi all, when hardening dovecot against the POODLE vulnerability,
we followed the advise to disable SSL2 and SSL3
but this is giving problems with some email clients (claws-mail).

ssl_protocols = !SSLv2 !SSLv3

results in the following error:


dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): 
user=<>,

rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher,
session=<2C8jBjIMmQBVGNd1>

Our smtp server is postfix, can you please suggest a better
'ssl_protocols' and 'ssl_cipher_list' configuration ?
We are running Debian 7 Wheezy

Thank you,
RuggedInbox team


Hi,

this is my config on Wheezy. I don't know if it's 'best', but it works
for us:

# SSL protocols to use
ssl_protocols = !SSLv2 !SSLv3
# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes
ssl_cipher_list =
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2


Cheers,
Philipp






















					Reply via email to