[Dovecot] force ciphers order for clients

Robert Schetterer rs at sys4.de
Wed Aug 14 22:19:22 EEST 2013


On 14.08.2013 20:54, Reindl Harald wrote:
> 
> On 14.08.2013 20:42, Robert Schetterer wrote:
>> On 14.08.2013 19:03, Reindl Harald wrote:
>>> ssl_cipher_list =
>>> EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2
>>>
>>> is what is *highly* recommended after testing webservers by https://www.ssllabs.com/ssltest/ and
>>> works with Outlook 2003/2007/2010 as well as Thunderbird, iOS, Apple Mail, currently
>>
>> hm, do you have the exact URL for test results with mail clients?
> 
> no, sadly i can only refer to https://www.ssllabs.com/ssltest/ and
> assume that TLS in context mail is not much different, what would
> be cool is a comparable test-site because the handshake-examples
> which client is using which ciphers in combination with your current
> config from ssllabs is wonderful

so if there is no proven real-world test client validation,
much support may come up with older clients

> 
> if someone knows such a tool for mailservers post it here and
> on the postfix list with uppercase letters in the subject
> 
>>> there exists even no way to force web-browsers to FS without open BEAST-attack and
>>> i doubt in context mail it does not look much better
>>
>>> however, make sure you are using *the latest* dovecot version and at least openssl 1.0.1e
>>> thunderbird: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
>>
>> thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option
>> at my setup (lucid ubuntu) yet
> 
> so you can practically forget it

perhaps true forever, as long as old clients are around, because the server
can only work around them

> 
> before openssl 1.0.1 TLS 1.2 does not work
> confirmed by our upgrade to Fedora 18
> all services now support TLS 1.2, with Fedora 17 and openssl 1.0 no way
> 
> and for dovecot the release note for 2.2.5 is pretty clear
> "SSL: Added support for ECDH/ECDHE cipher suite"

my only goal is to force Forward Secrecy

DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA should be enough for that and are
working with 0.9.x openssl; true, ECDH/ECDHE is much better

the question was whether

ssl_cipher_list =
DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL

makes sense, to prioritise announcing
DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA before other ciphers and with
default restrictions



> 
> -------- Original Message --------
> Subject: [Dovecot-news] v2.2.5 released
> Date: Mon, 5 Aug 2013 23:03:38 +0300
> From: Timo Sirainen <tss at iki.fi>
> Reply-To: dovecot at dovecot.org
> To: dovecot-news at dovecot.org <dovecot-news at dovecot.org>, dovecot at dovecot.org List <dovecot at dovecot.org>
> 
> http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz
> http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz.sig
> 
> So, I'm back from the first vacation I've had in about 10 years. (Well, maybe there were a few short ones.) I was
> planning on coding it the whole time, but looks like I didn't manage to get anything at all done. Maybe that's a
> good vacation?.. Anyway, I've still a few more pending things to look into, but it's been too long since v2.2.4 so
> here are the fixes so far.
> 
>         + SSL: Added support for ECDH/ECDHE cipher suites (by David Hicks)
>         + Added some missing man pages (by Pascal Volk)
>         + quota-status: Added quota_status_toolarge setting (by Ulrich Zehl)
>         - director: Users near expiration could have been redirected to
>           different servers at the same time.
>         - pop3: Avoid assert-crash if client disconnects during LIST.
>         - mdbox: Corrupted index header still wasn't automatically fixed.
>         - dsync: Various fixes to work better with imapc and pop3c storages.
>         - ldap: sasl_bind=yes caused crashes, because Dovecot's lib-sasl
>           symbols conflicted with Cyrus SASL library.
>         - imap: Various error handling fixes to CATENATE. (Found using
>           Apple's stress test script.)
> 



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
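The question in the message above is whether a Dovecot ssl_cipher_list value such as DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL really puts the forward-secrecy suites first and which non-FS suites it still admits. The following is an added example, not code from the thread or from Dovecot: it parses `openssl ciphers -v` output (the `resolve` helper assumes a local openssl binary; the sample output is constructed in the shape openssl 0.9.8/1.0.x prints) and reports the FS suites that lead the list plus every static-key-exchange suite still offered.

```python
import re
import subprocess

# One line of `openssl ciphers -v`: name, protocol, Kx=, Au=, Enc=, Mac=.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+"
                     r"Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")
FORWARD_SECRET_KX = {"DH", "ECDH"}   # ephemeral (EC)DH key exchange only

def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into dicts, keeping server order."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def resolve(spec):
    """Expand a Dovecot ssl_cipher_list value with the local openssl binary
    (assumed installed; nothing below depends on it)."""
    res = subprocess.run(["openssl", "ciphers", "-v", spec],
                         capture_output=True, text=True, check=True)
    return parse_ciphers(res.stdout)

def fs_report(ciphers):
    """Return (FS suites leading the list, index of the first non-FS suite or
    None, all non-FS suites).  Non-FS suites are the ones the server would
    still accept from a client that offers no DHE suite, so they should be
    last and as few as the client base allows."""
    kx_fs = [c["kx"] in FORWARD_SECRET_KX for c in ciphers]
    first_non_fs = next((i for i, fs in enumerate(kx_fs) if not fs), None)
    leading = [c["name"] for c in ciphers[:first_non_fs]]
    non_fs = [c["name"] for c, fs in zip(ciphers, kx_fs) if not fs]
    return leading, first_non_fs, non_fs

# Constructed sample output for the spec discussed above (not captured from
# a real system): the two prepended DHE suites, then what ALL lets through.
SAMPLE = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

if __name__ == "__main__":
    leading, idx, non_fs = fs_report(parse_ciphers(SAMPLE))
    print("FS suites announced first:", leading)
    print("first non-FS suite at position", idx, "; non-FS still offered:", non_fs)
```

Run `fs_report(resolve("DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL"))` against the actual openssl on the server to see the real expansion, which differs between 0.9.8 and 1.0.1 builds.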

