Jan,

No, I have not.

Viktor suggested my webapp was at fault. I submitted a bug to the middleware provider to see if they can isolate it, but if there are other apps with the same issue, it makes me wonder if there's something we can change server side (postfix) to fix it. You've renewed my interest. I'll poke a little more to see if I can figure it out.

Thanks,

Steffan

---------------------------------------------------------------
T E L 6 0 2 . 7 9 3 . 0 0 1 4 | F A X 6 0 2 . 9 7 1 . 1 6 9 4
Steffan A. Cline
stef...@execuchoice.net http://www.ExecuChoice.net
Phoenix, Arizona USA
---------------------------------------------------------------

On 12/7/14, 10:02 AM, "Jan Kowalski" <baken...@cock.li> wrote:

>On , at
>"Steffan A. Cline" <stef...@hldns.com> wrote:
>
>Hi,
>
>have you resolved this problem yet?
>
>I reproduce it when I connect via either imap or smtp from claws-mail
>linked against gnutls 3.3.10-1 to a postfix server with dovecot sasl
>enabled.
>
>In my case it is caused by my dovecot configuration, namely:
>
>ssl_protocols = !SSLv2 !SSLv3
>ssl_cipher_list = HIGH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
>
>According to [1]:
>
>> It seems that following poodle many sites incorrectly banned SSL 3.0
>> record packet versions. Since gnutls uses an SSL 3.0 record to
>> advertise TLS 1.2, they are effectively banning it even if it doesn't
>> advertise SSL 3.0.
>
>After removing SSLv3 from ssl_cipher_list the client connected
>successfully. I'm not really sure though if it is a proper workaround
>or am I opening a possible attack vector; I will be carrying out more
>tests next weekend. However, I don't think it's necessary for gnutls to
>behave this way, NSS works fine in either configuration.
>
>[1]:
>http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html
>