On Tue, May 26, 2015 at 03:37:39PM +0100, Ron Leach wrote:
> What SSL protocols do folk on the list recommend should be allowed in
> Dovecot these days? (Actually, I mean which protocols really 'must' be
> disallowed?)

I use this:

ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL
ssl_dh_parameters_length = 4096

Kissing SSLv3 good bye did not cause harm to clients. Next to be phased
out is 3DES which accounts for 0.25% of the connexions according to
the logs. I suspect the offending clients could do better.

-- 
Emmanuel Dreyfus
m...@netbsd.org
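The measurement the reply relies on (what share of logged connections still negotiate 3DES, and which clients they are), as an added example that is not part of the original message. It assumes login_log_format_elements includes %k so each login line records the protocol and cipher; the log lines are constructed and the names parse, usage_report and LEGACY are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines, not from the original message. Assumes
# login_log_format_elements includes %k (protocol and cipher per login).
SAMPLE_LOG = [
    "imap-login: Login: user=<alice>, rip=192.0.2.10, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "imap-login: Login: user=<bob>, rip=192.0.2.11, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "imap-login: Login: user=<carol>, rip=192.0.2.12, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "imap-login: Login: user=<alice>, rip=192.0.2.10, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "imap-login: Login: user=<dave>, rip=192.0.2.13, TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "imap-login: Login: user=<erin>, rip=192.0.2.14, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "imap-login: Login: user=<frank>, rip=192.0.2.17, TLSv1 with cipher DES-CBC3-SHA (168/168 bits)",
    "pop3-login: Login: user=<bob>, rip=192.0.2.11, TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)",
    "imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=192.0.2.99, TLS handshaking",
]

LOGIN_RE = re.compile(
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,\s]+).*?"
    r"\b(?P<proto>SSLv[23]|TLSv1(?:\.\d)?) with cipher (?P<cipher>\S+)")

# Cipher-name fragments for the suites the message excludes or plans to drop.
LEGACY = {"3DES": ("DES-CBC3", "3DES"), "RC4": ("RC4",)}

def parse(lines):
    """Yield (user, rip, protocol, cipher) for logins that logged TLS details."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("user", "rip", "proto", "cipher")

def usage_report(lines):
    """Count protocols and give each legacy cipher's share and its clients."""
    logins = list(parse(lines))
    total = len(logins)
    report = {"total": total, "share": {}, "clients": {},
              "protocols": dict(Counter(p for _, _, p, _ in logins))}
    for label, frags in LEGACY.items():
        hits = [(u, r) for u, r, _, c in logins if any(f in c for f in frags)]
        report["share"][label] = round(100.0 * len(hits) / total, 2) if total else 0.0
        report["clients"][label] = sorted(set(hits))
    return report

if __name__ == "__main__":
    r = usage_report(SAMPLE_LOG)
    print(r["protocols"], r["share"], r["clients"]["3DES"])
```

The clients list identifies which users and addresses to contact before the cipher is removed from ssl_cipher_list.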