[Dovecot] force ciphers order for clients

Robert Schetterer rs at sys4.de
Wed Aug 14 21:42:39 EEST 2013


On 14.08.2013 19:03, Reindl Harald wrote:
> 
> 
> On 14.08.2013 18:54, Robert Schetterer wrote:
>> http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/
>>
>> it looks like DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA can be forced in use
>> with apple mail
>>
>>
>> (if no ECDHE is possible, by missing openssl 1.x etc.,
>> it seems that apple mail tries ECDHE first; if that fails it's going to use
>> RSA-AES128-SHA)
>>
>> force solution as tried
>>
>> ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!DSS:!SSLv2:!RC4
>>
>> so far so good, it worked nicely with recent thunderbird too
>> but it fails with outlook 2003 pop3s / win7
>>
>> so i thought about using an order like this
>>
>> ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL
> 
> ssl_cipher_list = EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2
> 
> is what is *highly* recommended after testing webservers by https://www.ssllabs.com/ssltest/ and
> works with Outlook 2003/2007/2010 as well as Thunderbird, iOS, Apple Mail, currently

hm, do you have the exact url for test results with mail clients?

> there exists even no way to force web-browsers to FS without open BEAST-attack and
> i doubt in context mail it does not look much better


> 
> however, make sure you are using *the latest* dovecot version and at least openssl 1.0.1e
> thunderbird: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
> 

thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option
at my setup lucid ubuntu yet

Best Regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
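
Added example, not part of the original thread and not Dovecot code: a small audit helper that expands the ssl_cipher_list values quoted above with the local OpenSSL and shows why the order only "forces" DHE when the server's order decides. The client offer, the short server list and the server_preference switch are constructed assumptions, not captured from real mail clients.

```python
import ssl

# Ephemeral key-exchange name prefixes; TLS 1.3 suites (TLS_...) are always ephemeral.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")

def expand(cipher_string):
    """Ordered cipher names the local OpenSSL builds from a cipher-list string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # the string selects no cipher in this OpenSSL build
        return []
    return [c["name"] for c in ctx.get_ciphers()]

def is_forward_secret(name):
    return name.startswith(FS_PREFIXES)

def negotiate(server_order, client_offer, server_preference=True):
    """First mutually supported cipher, walking the list of the side that decides."""
    if server_preference:
        first, other = server_order, client_offer
    else:
        first, other = client_offer, server_order
    allowed = set(other)
    return next((c for c in first if c in allowed), None)

def non_fs_ahead_of_fs(order):
    """Non-forward-secret ciphers ranked above at least one forward-secret cipher."""
    last_fs = max((i for i, c in enumerate(order) if is_forward_secret(c)), default=0)
    return [c for c in order[:last_fs] if not is_forward_secret(c)]

# Constructed inputs: a server without ECDHE that lists DHE first, and a client
# that offers ECDHE first, then plain RSA key exchange, then DHE.
SERVER_DHE_FIRST = ["DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA"]
CLIENT_OFFER = ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "DHE-RSA-AES128-SHA"]

if __name__ == "__main__":
    print("server order decides:", negotiate(SERVER_DHE_FIRST, CLIENT_OFFER))
    print("client order decides:", negotiate(SERVER_DHE_FIRST, CLIENT_OFFER, False))
    # The two strings below are copied from the thread; the expansion depends on
    # the OpenSSL version installed where this runs.
    for value in (
        "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL",
        "EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2",
    ):
        order = expand(value)
        print(value[:30] + "...", order[:3], "non-FS above FS:", non_fs_ahead_of_fs(order))
```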

