[Dovecot] patch for ssl_prefer_server_ciphers in dovecot 2.1

Reindl Harald h.reindl at thelounge.net
Fri Oct 18 15:00:26 EEST 2013


On 18.10.2013 13:57, Adi Kriegisch wrote:
> I tried to do a backport of 'ssl_prefer_server_ciphers'
> (http://hg.dovecot.org/dovecot-2.2/rev/897484f45a87/) to Dovecot 2.1
> (namely the Debian version of Dovecot) and wanted to ask if there is any
> chance to integrate this feature into Dovecot 2.1 'upstream' as well.
> As the code structure changed quite a bit, I am not sure if my patch is
> complete. I tested it with pop3s and imaps in my test environment and it
> works just as expected and seemed to not have any unwanted effects.
> (Dovecot code is probably the most beautiful and easy to read C code I've
> seen, but there might also be some pitfalls I missed.)
> 
> best regards,
>     Adi Kriegisch
> 
> PS: I need that feature to enable PFS while allowing Outlook to still
> connect and the others not to fall back to a different cipher; I was
> unable to find a PFS cipher that is supported by Outlook and OpenSSL

ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SSLv2:@STRENGTH
ssl_prefer_server_ciphers = yes

Outlook, at least on WinXP any version, continues to use RC4 ciphers
but any sane mail client is using PFS ciphers
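As an added illustration (not code from this thread or from Dovecot), the script below models how ssl_prefer_server_ciphers changes the suite a server ends up negotiating with two constructed client offers: one capable client that happens to list RC4 first, and one legacy client with no ephemeral-DH suites at all. The suite names and client lists are assumptions chosen for illustration, not captured handshakes.

```python
# Added example, not part of the thread: simulates cipher-suite selection with
# and without server preference. Suite names and client offers are constructed.

# Server-side order, modelled on the thread's ssl_cipher_list: PFS suites
# first, RC4 kept only as a last resort for legacy clients.
SERVER_PREFERENCE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-SHA",
    "ECDHE-RSA-RC4-SHA",
    "RC4-SHA",
]

# Constructed ClientHello orders (assumptions, not real captures).
CLIENTS = {
    # a modern client that lists RC4 before its PFS suites
    "modern-but-rc4-first": ["RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                             "DHE-RSA-AES256-SHA"],
    # legacy Outlook-on-WinXP-style client with no ECDHE/DHE suites
    "winxp-outlook": ["RC4-SHA", "DES-CBC3-SHA"],
}

def negotiate(server_prefs, client_offer, prefer_server_ciphers):
    """Return the negotiated suite, or None when the lists do not overlap.

    prefer_server_ciphers=True  -> walk the server list, take the first suite the
                                   client also offers (ssl_prefer_server_ciphers = yes)
    prefer_server_ciphers=False -> walk the client list, take the first suite the
                                   server allows (behaviour without the setting)
    """
    first, second = ((server_prefs, client_offer) if prefer_server_ciphers
                     else (client_offer, server_prefs))
    allowed = set(second)
    for suite in first:
        if suite in allowed:
            return suite
    return None

def is_pfs(suite):
    """Ephemeral (EC)DH key exchange is what provides forward secrecy."""
    return suite is not None and suite.startswith(("ECDHE-", "DHE-"))

def outcomes(prefer_server_ciphers):
    """Negotiated suite per constructed client for one value of the setting."""
    return {name: negotiate(SERVER_PREFERENCE, offer, prefer_server_ciphers)
            for name, offer in CLIENTS.items()}

if __name__ == "__main__":
    for setting in (False, True):
        print(f"ssl_prefer_server_ciphers = {'yes' if setting else 'no'}")
        for name, suite in outcomes(setting).items():
            print(f"  {name:22s} -> {suite}  (PFS: {is_pfs(suite)})")
```

With the setting off, the capable client's own ordering wins and it lands on RC4; with it on, the same client gets an ECDHE suite while the legacy client still falls through to RC4 as the thread describes.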
