[Dovecot] TLS/SSL for Win8 & Outlook

Robert Schetterer rs at sys4.de
Sat May 17 17:39:39 UTC 2014


On 09.05.2014 10:33, Robert Schetterer wrote:
> On 09.05.2014 08:29, Sebastian Goodrick wrote:
>>>> my speculation was, it leaves too few ciphers
>> OK, but does the old dovecot/openssl version provide less ciphers than
>> the new install?
> 
> sorry, I am short on time
> 
> 
> Dovecot has setup options for ciphers related to your OpenSSL version
> 
> 
> please read
> 
> http://www.michaelboman.org/books/sslscan
> 
> http://www.unixwitch.de/de/sysadmin/tools/imap-mit-ssl-testen
> 
> https://sys4.de/de/blog/2013/08/15/dovecot-tls-perfect-forward-secrecy/
> 
> http://wiki2.dovecot.org/SSL/DovecotConfiguration
> 
> http://www.heise.de/security/artikel/Forward-Secrecy-testen-und-einrichten-1932806.html
> 
> 
> 
> 
>> I'm not too familiar with what ciphers ship with
>> OpenSSL in what version. 
> 
> type
> 
> openssl ciphers
> 
> to see ciphers on your server with your openssl version
> 
> and
> 
> openssl s_client -connect imap.example.com:143 -starttls imap
> 
> for general testing
> 
> 
> 
>> My naive assumption is, a new version ships
>> with more ciphers, hence this shouldn't be an issue. (Unless there is
>> a new bug in a cipher.)
> 
> there must be matching ciphers
> 
> 
>>
>>> Computer Configuration\Windows Settings\Security Settings\Local 
>>> Policies\Security Options
>> I just learned, there is a tool called gpedit.msc on win8 :)
>> "Use FIPS compliant algorithms for encryption, hashing, and signing"
>> is disabled on my machine. From what I understand this indicates, that
>> it can use more/all available ciphers.
>>
>>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
>>> NT\CurrentVersion\SecEdit\Reg
>> Values\MACHINE/System/CurrentControlSet/Control/Lsa/FIPSAlgorithmPolicy/Enabled
>> I can find this key (it is set to DisplayType=0 and ValueType=4) but I
>> don't understand what I can change there and what this setting
>> indicates. Needless to say that my windows administration knowledge is
>> limited.
> 
> as written, I will test it, but it will take time
> 
> 
>>
>> Regards,
>> Sebastian
>>
> 
> Best Regards
> Kind regards, Robert Schetterer
> 


Hi Sebastian, sorry for the delay. I could not reproduce your problem; I
speculate you have wrong settings in your server/client setup and/or you
have firewalls, load balancers or proxies between server and client which
fail with some ciphers.

-----

as written, I did a test setup

brand new Windows 8.1 Pro German 32-bit install
all updates

brand new Outlook 2013 German 32-bit, all updates

as a VM in VMware Player

no other special settings done besides installing Classic Shell and Firefox

server: Ubuntu trusty, latest Dovecot 2.2.13, patch level as of yesterday

test with OpenSSL on the server

OpenSSL 1.0.1f 6 Jan 2014

openssl s_client -starttls imap -cipher 'ECDH:DH' -connect localhost:143

...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
....

SSL cert from RapidSSL

login method (for testing): PLAIN login

2014-05-17T19:22:20.901285+02:00 mail dovecot: imap-login: Debug: SSL:
elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
2014-05-17T19:22:20.901800+02:00 mail dovecot: imap-login: Debug: SSL:
elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
2014-05-17T19:22:20.907542+02:00 mail dovecot: auth: Debug: Loading
modules from directory: /usr/lib/dovecot/modules/auth
2014-05-17T19:22:20.908615+02:00 mail dovecot: auth: Debug: Module
loaded: /usr/lib/dovecot/modules/auth/libdriver_mysql.so
2014-05-17T19:22:20.913605+02:00 mail dovecot: auth: Debug: Module
loaded: /usr/lib/dovecot/modules/auth/libdriver_pgsql.so
2014-05-17T19:22:20.913635+02:00 mail dovecot: auth: Debug: Module
loaded: /usr/lib/dovecot/modules/auth/libdriver_sqlite.so
2014-05-17T19:22:20.913770+02:00 mail dovecot: auth: Debug: Read auth
token secret from /var/run/dovecot/auth-token-secret.dat
2014-05-17T19:22:20.914136+02:00 mail dovecot: auth: Debug: passwd-file
/etc/dovecot/users: Read 1 users in 0 secs
2014-05-17T19:22:20.914161+02:00 mail dovecot: auth: Debug: auth client
connected (pid=30359)
2014-05-17T19:22:20.997162+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x10, ret=1: before/accept initialization [1.2.3.4]
2014-05-17T19:22:20.997190+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before/accept initialization [1.2.3.4]
2014-05-17T19:22:20.997210+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: unknown state [1.2.3.4]
2014-05-17T19:22:21.037845+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 read client hello A [1.2.3.4]
2014-05-17T19:22:21.037873+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 write server hello A [1.2.3.4]
2014-05-17T19:22:21.038062+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 write certificate A [1.2.3.4]
2014-05-17T19:22:21.043376+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 write key exchange A [1.2.3.4]
2014-05-17T19:22:21.043395+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 write server done A [1.2.3.4]
2014-05-17T19:22:21.043416+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 flush data [1.2.3.4]
2014-05-17T19:22:21.043436+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: SSLv3 read client certificate A [1.2.3.4]
2014-05-17T19:22:21.043447+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: SSLv3 read client certificate A [1.2.3.4]
2014-05-17T19:22:21.400072+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 read client key exchange A [1.2.3.4]
2014-05-17T19:22:21.400274+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 read finished A [1.2.3.4]
2014-05-17T19:22:21.400363+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 write session ticket A [1.2.3.4]
2014-05-17T19:22:21.400388+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 write change cipher spec A [1.2.3.4]
2014-05-17T19:22:21.400451+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 write finished A [1.2.3.4]
2014-05-17T19:22:21.400477+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: SSLv3 flush data [1.2.3.4]
2014-05-17T19:22:21.400497+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x20, ret=1: SSL negotiation finished successfully [1.2.3.4]
2014-05-17T19:22:21.400513+02:00 mail dovecot: imap-login: Debug: SSL:
where=0x2002, ret=1: SSL negotiation finished successfully [1.2.3.4]
2014-05-17T19:22:21.530462+02:00 mail dovecot: auth: Debug: client in:
AUTH#0111#011PLAIN#011service=imap#011secured#011session=vqTaxZv5+QBY2Ym1#011lip=88.198.69.105#011rip=1.2.3.4#011lport=143#011rport=34041#011resp=AHVzZXIxAHBhc3M=
(previous base64 data may contain sensitive data)
2014-05-17T19:22:21.530657+02:00 mail dovecot: auth: Debug:
passwd-file(user1,1.2.3.4,<vqTaxZv5+QBY2Ym1>): lookup: user=user1
file=/etc/dovecot/users
2014-05-17T19:22:21.530691+02:00 mail dovecot: auth: Debug: client
passdb out: OK#0111#011user=user1
2014-05-17T19:22:21.532921+02:00 mail dovecot: auth: Debug: master in:
REQUEST#0112559311873#01130359#0111#01105dec904a2d70034ed3208c9f0b9030e#011session_pid=30362#011request_auth_token
2014-05-17T19:22:21.532939+02:00 mail dovecot: auth: Debug:
passwd-file(user1,1.2.3.4,<vqTaxZv5+QBY2Ym1>): lookup: user=user1
file=/etc/dovecot/users
2014-05-17T19:22:21.532954+02:00 mail dovecot: auth: Debug: master
userdb out:
USER#0112559311873#011user1#011mail=maildir:~/maildir#011uid=1001#011gid=1001#011home=/mnt/user1#011auth_token=d2209447f66ca5732086c5dac94732cd613a538d
2014-05-17T19:22:21.533157+02:00 mail dovecot: imap-login: Login:
user=<user1>, method=PLAIN, rip=1.2.3.4, lip=2.3.4.5, mpid=30362, TLS,
session=<vqTaxZv5+QBY2Ym1>

settings mostly default

10-ssl.conf

# DH parameters length to use.
ssl_dh_parameters_length = 1024

# SSL protocols to use
ssl_protocols = !SSLv2

# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes



Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
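Added example (not part of the original post, and not Dovecot's or OpenSSL's own code): the thread checks the cipher side of the problem by hand with `openssl ciphers` on the server, `openssl s_client -starttls imap -cipher ...` against port 143, and the note that "there must be matching ciphers". The Python below does the same three things so they can be repeated against any server: it expands the `ssl_cipher_list` from the posted 10-ssl.conf (`ALL:!LOW:!SSLv2:!EXP:!aNULL`) with the local libssl and reports which suites lack forward secrecy or still use legacy primitives, it models what `ssl_prefer_server_ciphers = yes` changes about the suite a TLS 1.2-or-earlier server picks from a client's offer (and that a client restricted to a smaller set of suites simply fails when the lists do not intersect), and it runs a live IMAP STARTTLS probe that returns the negotiated protocol and suite like the `SSL-Session:` block in the post. The stricter comparison string `STRICT_LIST`, the function names and the host argument are this example's own assumptions. Two caveats on the posted config that the example does not touch: `ssl_dh_parameters_length = 1024` is below the 2048-bit minimum recommended today, and `ssl_protocols = !SSLv2` on its own still leaves SSLv3 enabled.

```python
"""Cipher-list audit and STARTTLS probe for an IMAP server (Python 3.8+,
standard library only).  Added example; not from the original post."""
import socket
import ssl

# The list from the posted 10-ssl.conf, and a stricter forward-secrecy-only
# comparison list that is this example's own (assumption, not from the post).
POSTED_LIST = "ALL:!LOW:!SSLv2:!EXP:!aNULL"
STRICT_LIST = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def expand_cipher_string(spec):
    """Expand an OpenSSL cipher string with the local libssl, in the order the
    server would prefer (what `openssl ciphers 'spec'` prints).  TLS 1.3 suites
    are not governed by this string, so they are left out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def classify_suite(name):
    """Classify a TLS 1.2-or-earlier suite by its OpenSSL name."""
    return {
        "forward_secrecy": name.startswith(("ECDHE-", "DHE-", "EDH-")),
        "aead": any(tok in name for tok in ("GCM", "CCM", "CHACHA20")),
        "legacy": any(tok in name for tok in ("RC4", "DES", "MD5", "NULL", "SEED", "IDEA")),
    }


def audit(spec):
    """Suites matched by `spec` that lack forward secrecy or use legacy primitives."""
    suites = expand_cipher_string(spec)
    return {
        "total": len(suites),
        "no_forward_secrecy": [s for s in suites if not classify_suite(s)["forward_secrecy"]],
        "legacy": [s for s in suites if classify_suite(s)["legacy"]],
    }


def negotiate(server_suites, client_suites, prefer_server=True):
    """Suite a TLS<=1.2 server picks: the first common suite in the server's
    order with ssl_prefer_server_ciphers = yes, otherwise in the client's order.
    None means no common suite, i.e. the handshake fails."""
    first, second = (server_suites, client_suites) if prefer_server else (client_suites, server_suites)
    return next((s for s in first if s in second), None)


def probe_imap_starttls(host, port=143, ciphers=None, timeout=10):
    """Live check like `openssl s_client -starttls imap -cipher CIPHERS`: read the
    IMAP greeting, issue STARTTLS, then return (protocol, suite) negotiated.
    Certificate verification is off because this is a cipher diagnostic only."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        if not rfile.readline().startswith(b"* OK"):
            raise RuntimeError("no IMAP greeting")
        sock.sendall(b"a1 STARTTLS\r\n")
        line = rfile.readline()
        while line and not line.startswith(b"a1 "):  # skip untagged responses
            line = rfile.readline()
        if not line.startswith(b"a1 OK"):
            raise RuntimeError("STARTTLS refused: %r" % line)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        if ciphers:
            ctx.set_ciphers(ciphers)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    import sys

    for spec in (POSTED_LIST, STRICT_LIST):
        print(spec, audit(spec))
    if len(sys.argv) > 1:  # e.g. python3 probe.py imap.example.com 'ECDH:DH'
        print(probe_imap_starttls(sys.argv[1], ciphers=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it without arguments to see what the posted list really expands to on your OpenSSL build and how much of it the stricter list drops; run it with a hostname (and optionally a cipher string such as the `ECDH:DH` used in the post) to see what the server actually negotiates. The `negotiate` helper is the point about matching ciphers made in the thread: reordering or shrinking the client's offer only changes which common suite is chosen, while an empty intersection is a failed handshake regardless of `ssl_prefer_server_ciphers`.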

