Hi all, when hardening dovecot against the POODLE vulnerability, we followed the advise to disable SSL2 and SSL3 but this is giving problems with some email clients (claws-mail). ssl_protocols = !SSLv2 !SSLv3 results in the following error: dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<2C8jBjIMmQBVGNd1> Our smtp server is postfix, can you please suggest a better 'ssl_protocols' and 'ssl_cipher_list' configuration ? We are running Debian 7 Wheezy Thank you, RuggedInbox team
doveconf -n output? On 1/9/2015 2:07 AM, ml at ruggedinbox.com <ml at ruggedinbox.com> wrote:> Hi all, when hardening dovecot against the POODLE vulnerability, > we followed the advise to disable SSL2 and SSL3 > but this is giving problems with some email clients (claws-mail). > > ssl_protocols = !SSLv2 !SSLv3 > > results in the following error: > > dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, > rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: > error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, > session=<2C8jBjIMmQBVGNd1> > > Our smtp server is postfix, can you please suggest a better > 'ssl_protocols' and 'ssl_cipher_list' configuration ? > We are running Debian 7 Wheezy > > Thank you, > RuggedInbox team >
Hi thanks for your help, follows the doveconf -n output: # 2.1.7: /etc/dovecot/dovecot.conf # OS: Linux 2.6.32-042stab094.7 x86_64 Debian 7.7 simfs auth_mechanisms = plain login auth_verbose = yes debug_log_path = /var/log/dovecot/debug.log default_client_limit = 8192 default_process_limit = 2048 director_username_hash = %Lu dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -U first_valid_gid = 5000 first_valid_uid = 5000 imap_id_send = name * last_valid_gid = 5000 last_valid_uid = 5000 login_greeting = Welcome to ruggedinbox.com mail_gid = vmail mail_location = maildir:/var/vmail/%d/%n/Maildir:INDEX=/var/vmail/%d/%n/Maildir/indexes mail_max_userip_connections = 25 mail_privileged_group = vmail mail_shared_explicit_inbox = no mail_uid = vmail managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave passdb { args = /etc/dovecot/mysql.conf driver = sql } postmaster_address = postmaster at ruggedinbox.com protocols = imap pop3 sieve replication_full_sync_interval = 1 days service auth { client_limit = 0 drop_priv_before_exec = no executable = auth idle_kill = 0 process_limit = 1 process_min_avail = 0 service_count = 0 unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } unix_listener auth-client { mode = 0600 } unix_listener auth-login { mode = 0600 user = $default_internal_user } unix_listener auth-master { mode = 0600 } unix_listener auth-userdb { mode = 0666 user = $default_internal_user } unix_listener login/login { mode = 0666 } user = $default_internal_user vsz_limit = 128 M } service imap-login { chroot = login client_limit = 0 drop_priv_before_exec = no executable = imap-login idle_kill = 0 inet_listener imap { port = 143 ssl = no } inet_listener imaps { port = 993 ssl = yes } process_limit = 0 process_min_avail = 0 protocol = imap service_count = 1 type = login user = $default_login_user vsz_limit = 128 M } service imap { client_limit = 1 drop_priv_before_exec = no executable = imap idle_kill = 0 process_limit = 1024 process_min_avail = 0 protocol = imap service_count = 1 unix_listener login/imap { group mode = 0666 user } vsz_limit = 128 M } service lmtp { client_limit = 1 drop_priv_before_exec = no executable = lmtp idle_kill = 0 process_limit = 0 process_min_avail = 0 protocol = lmtp service_count = 0 unix_listener lmtp { mode = 0666 } vsz_limit = 128 M } service pop3-login { chroot = login client_limit = 0 drop_priv_before_exec = no executable = pop3-login idle_kill = 0 inet_listener pop3 { port = 110 ssl = no } inet_listener pop3s { port = 995 ssl = yes } process_limit = 0 process_min_avail = 0 protocol = pop3 service_count = 1 type = login user = $default_login_user vsz_limit = 128 M } service pop3 { client_limit = 1 drop_priv_before_exec = no executable = pop3 idle_kill = 0 process_limit = 1024 process_min_avail = 0 protocol = pop3 service_count = 1 unix_listener login/pop3 { mode = 0666 } vsz_limit = 128 M } shutdown_clients = no ssl_cert = </etc/ssl2/certs/postfix.pem ssl_key = </etc/ssl2/private/postfix.key ssl_protocols = !SSLv2 !SSLv3 userdb { args = /etc/dovecot/mysql.conf driver = sql } protocol lda { auth_socket_path = /var/run/dovecot/auth-userdb log_path = /var/log/dovecot/dovecot-deliver.log mail_plugins = sieve postmaster_address = postmaster at ruggedinbox.com } Thanks and regards, RuggedInbox team On 2015-01-09 07:38, Charles Marcus wrote:> doveconf -n output? > > On 1/9/2015 2:07 AM, ml at ruggedinbox.com <ml at ruggedinbox.com> wrote: >> Hi all, when hardening dovecot against the POODLE vulnerability, >> we followed the advise to disable SSL2 and SSL3 >> but this is giving problems with some email clients (claws-mail). >> >> ssl_protocols = !SSLv2 !SSLv3 >> >> results in the following error: >> >> dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): >> user=<>, >> rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: >> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, >> session=<2C8jBjIMmQBVGNd1> >> >> Our smtp server is postfix, can you please suggest a better >> 'ssl_protocols' and 'ssl_cipher_list' configuration ? >> We are running Debian 7 Wheezy >> >> Thank you, >> RuggedInbox team >>
Am 09.01.2015 um 08:07 schrieb ml at ruggedinbox.com:> Hi all, when hardening dovecot against the POODLE vulnerability, > we followed the advise to disable SSL2 and SSL3 > but this is giving problems with some email clients (claws-mail). > > ssl_protocols = !SSLv2 !SSLv3 > > results in the following error: > > dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, > rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: > error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, > session=<2C8jBjIMmQBVGNd1> > > Our smtp server is postfix, can you please suggest a better > 'ssl_protocols' and 'ssl_cipher_list' configuration ? > We are running Debian 7 Wheezy > > Thank you, > RuggedInbox teamHi, this is my config on Wheezy. I don't know if it's 'best', but it works for us: # SSL protocols to use ssl_protocols = !SSLv2 !SSLv3 # Prefer the server's order of ciphers over client's. ssl_prefer_server_ciphers = yes ssl_cipher_list ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2 Cheers, Philipp -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4296 bytes Desc: S/MIME Cryptographic Signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20150109/47e1bd77/attachment-0001.p7s>
Hi thanks for your help! Trying to set your same parameters, when restarting dovecot, gives the error: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers doveconf: Error: managesieve-login: dump-capability process returned 89 doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers [....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers doveconf: Error: managesieve-login: dump-capability process returned 89 doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers and if trying to comment the line with 'ssl_prefer_server_ciphers', dovecot restarts fine but same problem as before, claws-mail can't connect. dovecot version is 2.1.7 any hints ? On 2015-01-09 07:50, Philipp Resch wrote:> Am 09.01.2015 um 08:07 schrieb ml at ruggedinbox.com: >> Hi all, when hardening dovecot against the POODLE vulnerability, >> we followed the advise to disable SSL2 and SSL3 >> but this is giving problems with some email clients (claws-mail). >> >> ssl_protocols = !SSLv2 !SSLv3 >> >> results in the following error: >> >> dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): >> user=<>, >> rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: >> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, >> session=<2C8jBjIMmQBVGNd1> >> >> Our smtp server is postfix, can you please suggest a better >> 'ssl_protocols' and 'ssl_cipher_list' configuration ? >> We are running Debian 7 Wheezy >> >> Thank you, >> RuggedInbox team > > Hi, > > this is my config on Wheezy. I don't know if it's 'best', but it works > for us: > > # SSL protocols to use > ssl_protocols = !SSLv2 !SSLv3 > # Prefer the server's order of ciphers over client's. > ssl_prefer_server_ciphers = yes > ssl_cipher_list > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2 > > > Cheers, > Philipp
Reasonably Related Threads
- dovecot on wheezy, best ssl configuration ?
- confused with ssl settings and some error - need help
- confused with ssl settings and some error - need help
- confused with ssl settings and some error - need help
- confused with ssl settings and some error - need help