[Dovecot] force ciphers order for clients

Reindl Harald h.reindl at thelounge.net
Wed Aug 14 21:54:05 EEST 2013


On 14.08.2013 20:42, Robert Schetterer wrote:
> On 14.08.2013 19:03, Reindl Harald wrote:
>> ssl_cipher_list =
>> EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2
>>
>> is what is *highly* recommended after testing webservers with https://www.ssllabs.com/ssltest/ and
>> works with Outlook 2003/2007/2010 as well as Thunderbird, iOS, Apple Mail, currently
> 
> hm, do you have the exact URL for test results with mail clients?

no, sadly i can only refer to https://www.ssllabs.com/ssltest/ and
assume that TLS in the context of mail is not much different; what would
be cool is a comparable test site, because the handshake examples
showing which client is using which ciphers in combination with your current
config from ssllabs are wonderful

if someone knows such a tool for mailservers, post it here and
on the postfix list with uppercase letters in the subject

>> there exists even no way to force web-browsers to FS without being open to the BEAST attack and
>> i doubt that in the context of mail it looks much better
>
>> however, make sure you are using *the latest* dovecot version and at least openssl 1.0.1e
>> thunderbird: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
> 
> thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option
> at my setup (lucid ubuntu) yet

so you can practically forget it

before openssl 1.0.1 TLS 1.2 does not work
confirmed by our upgrade to Fedora 18
all services now support TLS 1.2, with Fedora 17 and openssl 1.0 no way

and for dovecot the release note for 2.2.5 is pretty clear
"SSL: Added support for ECDH/ECDHE cipher suite"

-------- Original Message --------
Subject: [Dovecot-news] v2.2.5 released
Date: Mon, 5 Aug 2013 23:03:38 +0300
From: Timo Sirainen <tss at iki.fi>
Reply-To: dovecot at dovecot.org
To: dovecot-news at dovecot.org <dovecot-news at dovecot.org>, dovecot at dovecot.org List <dovecot at dovecot.org>

http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz
http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz.sig

So, I'm back from the first vacation I've had in about 10 years. (Well, maybe there were a few short ones.) I was
planning on coding it the whole time, but looks like I didn't manage to get anything at all done. Maybe that's a
good vacation?.. Anyway, I've still a few more pending things to look into, but it's been too long since v2.2.4 so
here are the fixes so far.

        + SSL: Added support for ECDH/ECDHE cipher suites (by David Hicks)
        + Added some missing man pages (by Pascal Volk)
        + quota-status: Added quota_status_toolarge setting (by Ulrich Zehl)
        - director: Users near expiration could have been redirected to
          different servers at the same time.
        - pop3: Avoid assert-crash if client disconnects during LIST.
        - mdbox: Corrupted index header still wasn't automatically fixed.
        - dsync: Various fixes to work better with imapc and pop3c storages.
        - ldap: sasl_bind=yes caused crashes, because Dovecot's lib-sasl
          symbols conflicted with Cyrus SASL library.
        - imap: Various error handling fixes to CATENATE. (Found using
          Apple's stress test script.)
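As an added illustration (not code from this thread, from Dovecot or from OpenSSL), the Python below models how OpenSSL evaluates a cipher string such as the ssl_cipher_list quoted at the top of the message, using a small constructed suite table whose attributes are assumed, so the resulting server preference order becomes visible: the ECDHE/DHE GCM suites first, the RC4 suites ahead of the SHA1 CBC suites that `-SHA1` demoted and later tokens re-added, the aNULL suite dropped by `!aNULL`, and DHE-RSA-CAMELLIA256-SHA (the suite Thunderbird negotiated above) only reached through the `HIGH` catch-all at the tail.

```python
from collections import namedtuple
# Constructed sample suites (approximate OpenSSL 1.0.1 attributes, assumed, not a real dump).
Suite = namedtuple("Suite", "name kx au enc bits mac strength")
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDH", "RSA", "AESGCM", 256, "AEAD", "HIGH"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDH", "RSA", "AESGCM", 128, "AEAD", "HIGH"),
    Suite("ECDHE-RSA-AES256-SHA", "ECDH", "RSA", "AES", 256, "SHA1", "HIGH"),
    Suite("ECDHE-RSA-AES128-SHA", "ECDH", "RSA", "AES", 128, "SHA1", "HIGH"),
    Suite("ECDHE-RSA-RC4-SHA", "ECDH", "RSA", "RC4", 128, "SHA1", "MEDIUM"),
    Suite("DHE-RSA-AES256-GCM-SHA384", "DH", "RSA", "AESGCM", 256, "AEAD", "HIGH"),
    Suite("DHE-RSA-AES256-SHA", "DH", "RSA", "AES", 256, "SHA1", "HIGH"),
    Suite("DHE-RSA-CAMELLIA256-SHA", "DH", "RSA", "CAMELLIA", 256, "SHA1", "HIGH"),
    Suite("ADH-AES256-SHA", "DH", "NONE", "AES", 256, "SHA1", "HIGH"),
    Suite("AES256-SHA", "RSA", "RSA", "AES", 256, "SHA1", "HIGH"),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", 128, "SHA1", "MEDIUM"),
]
# Alias -> predicate; only the aliases used by the thread's string are modelled.
ALIASES = {
    "EECDH": lambda s: s.kx == "ECDH", "EDH": lambda s: s.kx == "DH",
    "AES": lambda s: s.enc in ("AES", "AESGCM"),
    "AES256": lambda s: s.enc in ("AES", "AESGCM") and s.bits == 256,
    "RC4": lambda s: s.enc == "RC4", "SHA1": lambda s: s.mac == "SHA1",
    "MD5": lambda s: s.mac == "MD5", "aNULL": lambda s: s.au == "NONE",
    "eNULL": lambda s: s.enc == "NULL", "HIGH": lambda s: s.strength == "HIGH",
    "LOW": lambda s: s.strength == "LOW", "EXP": lambda s: s.strength == "EXPORT",
    "SSLv2": lambda s: False,  # the sample table has no SSLv2-only suites
}

def matches(token, suite):
    """'A+B' requires every part to match; a bare suite name matches itself."""
    return all(ALIASES[a](suite) if a in ALIASES else suite.name == a
               for a in token.split("+"))

def expand(cipher_string):
    """Ordered suite names the string selects (simplified OpenSSL rules: a bare
    token appends new matches, '!' removes for good, '-' removes until re-added)."""
    active, killed = [], set()
    for token in filter(None, cipher_string.split(":")):
        op, token = (token[0], token[1:]) if token[0] in "!-" else ("", token)
        hits = [s for s in SUITES if matches(token, s)]
        if op == "!":
            killed.update(s.name for s in hits)
        if op:   # both '!' and '-' drop the matches from the current order
            active = [s for s in active if s not in hits]
        else:    # later additions land at the end, which is what sets the order
            active += [s for s in hits if s not in active and s.name not in killed]
    return [s.name for s in active]

# The ssl_cipher_list value quoted at the top of the thread.
DOVECOT_LIST = ("EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:"
                "EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2")
```

On a real system, `openssl ciphers -v '<string>'` prints the actual expansion for that OpenSSL build; the table here is only an assumed subset.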
