Quoting SW <dove...@bsdpanic.com>:
Hi All
First the essentials:
dovecot --version: 2.2.15
/usr/local/etc/dovecot/conf.d/10-ssl.conf:
ssl = required
ssl_cert =
</usr/local/openssl/certs/mail.domain.com.chained.dovecot.ecdsa.crt
ssl_key = </usr/local/openssl/certs/mail.domain.com.ecdsa.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list =
HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:+DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:!AES128:!CAMELLIA128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:+AES256-SHA
ssl_prefer_server_ciphers = yes
I would really appreciate it if someone could tell me if my config is
super secure? I run the following email clients:
K9 on Android 4.4.2
Thunderbird 31.4
Outlook 2010
I'm interested to know if the config I have is secure and that my cipher
list is acceptable. I'm also keen to hear thoughts on my config in
respect of Forward Secrecy and the SSLv3/POODLE attack.
Thanks!
According to https://cipherli.st/
ssl = yes
ssl_cert = </etc/dovecot.cert
ssl_key = </etc/dovecot.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6
Is what you want.
