[Dovecot] force ciphers order for clients
Robert Schetterer
rs at sys4.de
Wed Aug 14 19:54:40 EEST 2013
Hi Timo,
reading this
http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/
it looks like DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA can be forced into use
with Apple Mail
(if no ECDHE is possible, by missing openssl 1.x etc.;
it seems that Apple Mail tries ECDHE first, and if that fails it's going to use
RSA-AES128-SHA)
force solution as tried:
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!DSS:!SSLv2:!RC4
so far so good, it worked nicely with recent Thunderbird too
but it fails with Outlook 2003 pop3s / win7
so I thought about using an order like this:
ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL
does that make sense? (using dove 2.1.x / openssl 0.9x)
Best Regards
MfG Robert Schetterer
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
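
Added example, not part of the original message: a simplified model of TLS cipher suite selection showing what a DHE-only list and a DHE-first list with fallback each yield, depending on whether the server's own order is honoured. The client lists, the shortened fallback list and all function names are constructed for illustration; OpenSSL names the plain RSA suites `AES128-SHA` / `AES256-SHA`.

```python
# Simplified model of TLS cipher suite selection (illustration only).
# All cipher lists below are constructed samples, not captured from real clients.

def negotiate(server_ciphers, client_ciphers, server_preference):
    """Return the suite the server selects, or None for a handshake failure.

    The side whose order is honoured walks its own list and takes the first
    suite the other side also offers. server_preference=True models OpenSSL's
    SSL_OP_CIPHER_SERVER_PREFERENCE; False models following the client's order.
    """
    if server_preference:
        chooser, other = server_ciphers, client_ciphers
    else:
        chooser, other = client_ciphers, server_ciphers
    offered = set(other)
    for suite in chooser:
        if suite in offered:
            return suite
    return None

def is_forward_secret(suite):
    """True if the selected suite uses an ephemeral (EC)DH key exchange."""
    return suite is not None and suite.startswith(("DHE-", "ECDHE-"))

# Expanded server lists (assumption: a short stand-in for what ALL:!LOW:... adds).
STRICT = ["DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA"]
FALLBACK = STRICT + ["AES256-SHA", "AES128-SHA"]

# Hypothetical client offers, in the client's own preference order.
CLIENTS = {
    "dhe_capable_rsa_first": ["AES128-SHA", "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA"],
    "no_dhe_rsa": ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"],
}

def audit(server_ciphers, server_preference):
    """Map each sample client to the suite it would end up with."""
    return {name: negotiate(server_ciphers, offer, server_preference)
            for name, offer in CLIENTS.items()}

if __name__ == "__main__":
    for label, ciphers in (("strict", STRICT), ("fallback", FALLBACK)):
        for pref in (False, True):
            for client, suite in audit(ciphers, pref).items():
                print(f"{label:8} server_pref={pref!s:5} {client:22} "
                      f"-> {suite} PFS={is_forward_secret(suite)}")
```

In this model the fallback list only keeps DHE-capable clients on DHE when the server's order is the one honoured; with client order, the sample client that lists `AES128-SHA` first ends up without forward secrecy.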