[Dovecot] Suggestion for dovecot default SSL configuration...
Timo Sirainen
tss at iki.fi
Fri Aug 11 04:53:06 EEST 2006
On Mon, 2006-07-24 at 13:48 -0700, Douglas Moore wrote:
> First off, thanks for the effort on this software, it's a world
> better than the uw-imap that I used to have to deal with...
>
> This isn't a bug report per se, but rather a response to something
> that came up during some recent security scans. Given that SSLv2
> has its share of issues, I'd like to suggest that you remove it from
> the default ciphers supplied with the source distribution. A
> simple :!SSLv2 added to the default cipher list would aid in the
> overall security of the package.
I'm not an expert in SSL, so I'd rather be sure that it's actually more
helpful than harmful. Does something still use SSLv2? If I do the
change, I guess the only thing it does is to break those clients that
still try to use it? Is its security already bad enough that it's just
better to break them?