Hi All

First the essentials:

dovecot --version: 2.2.15

/usr/local/etc/dovecot/conf.d/10-ssl.conf:

ssl = required
ssl_cert = </usr/local/openssl/certs/mail.domain.com.chained.dovecot.ecdsa.crt
ssl_key = </usr/local/openssl/certs/mail.domain.com.ecdsa.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:+DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:!AES128:!CAMELLIA128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:+AES256-SHA
ssl_prefer_server_ciphers = yes

I would really appreciate it if someone could tell me if my config is super secure? I run the following email clients:

K9 on Android 4.4.2
Thunderbird 31.4
Outlook 2010

I'm interested to know if the config I have is secure and that my cipher list is acceptable. I'm also keen to hear thoughts on my config in respect of Forward Secrecy and the SSLv3/POODLE attack.

Thanks!

Quoting SW <dovecot at bsdpanic.com>:

> Hi All
>
> First the essentials:
>
> dovecot --version: 2.2.15
>
> /usr/local/etc/dovecot/conf.d/10-ssl.conf:
>
> ssl = required
> ssl_cert = </usr/local/openssl/certs/mail.domain.com.chained.dovecot.ecdsa.crt
> ssl_key = </usr/local/openssl/certs/mail.domain.com.ecdsa.key
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = HIGH:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:+DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:!AES128:!CAMELLIA128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:+AES256-SHA
> ssl_prefer_server_ciphers = yes
>
> I would really appreciate it if someone could tell me if my config is
> super secure? I run the following email clients:
>
> K9 on Android 4.4.2
> Thunderbird 31.4
> Outlook 2010
>
> I'm interested to know if the config I have is secure and that my cipher
> list is acceptable. I'm also keen to hear thoughts on my config in
> respect of Forward Secrecy and the SSLv3/POODLE attack.
>
> Thanks!

According to https://cipherli.st/

ssl = yes
ssl_cert = </etc/dovecot.cert
ssl_key = </etc/dovecot.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6

Is what you want.

> According to https://cipherli.st/
>
> ssl = yes
> ssl_cert = </etc/dovecot.cert
> ssl_key = </etc/dovecot.key
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = AES128+EECDH:AES128+EDH
> ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6
>
> Is what you want.

Ok, so I have changed my ssl_cipher_list to:

ssl_cipher_list = AES128+EECDH:AES128+EDH

Before I made this change clients were connecting with the following cipher in the log file:

ECDHE-ECDSA-AES256-SHA (256/256 bits)

After the change the log now says:

ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)

Is this an improvement (or more secure) despite going from 256bits to 128bits?

Thanks!
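
Added example, not part of the thread or of Dovecot: a small log tally that splits each negotiated suite name, in the "NAME (n/m bits)" form quoted in the last message, into the properties that matter besides key length (ephemeral key exchange, AEAD versus CBC with HMAC). The surrounding log line layout, the sample lines and the names classify, tally and SAMPLE_LOG are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the "<suite> (<secret>/<total> bits)" form quoted in the thread.
SUITE_RE = re.compile(r"\b([A-Z0-9]+(?:-[A-Z0-9]+)+) \((\d+)/(\d+) bits\)")
EPHEMERAL = {"ECDHE", "DHE", "EDH"}       # OpenSSL prefixes for ephemeral (EC)DH
AEAD_TOKENS = {"GCM", "CCM", "CHACHA20"}  # authenticated-encryption modes


def classify(suite):
    """Derive forward secrecy and integrity mechanism from an OpenSSL suite name."""
    parts = suite.split("-")
    aead = bool(AEAD_TOKENS & set(parts))
    # In non-AEAD AES suites the cipher runs in CBC mode and the trailing
    # token is the HMAC hash ("SHA" means SHA-1). In AEAD suites the
    # trailing hash is only the handshake PRF, not a record MAC.
    last = "SHA1" if parts[-1] == "SHA" else parts[-1]
    return {
        "suite": suite,
        "forward_secrecy": parts[0] in EPHEMERAL,
        "aead": aead,
        "mac": "AEAD" if aead else "HMAC-" + last,
    }


def tally(lines):
    """Count negotiated suites in log lines, most frequent first."""
    counts = Counter()
    for line in lines:
        m = SUITE_RE.search(line)
        if m:
            counts[(m.group(1), int(m.group(2)))] += 1
    return [dict(classify(s), secret_bits=b, count=n)
            for (s, b), n in counts.most_common()]


# Constructed sample lines; only the suite strings come from the thread.
SAMPLE_LOG = [
    "imap-login: Login: user=<a>, TLS: ECDHE-ECDSA-AES256-SHA (256/256 bits)",
    "imap-login: Login: user=<b>, TLS: ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)",
    "imap-login: Login: user=<a>, TLS: ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)",
    "imap-login: Disconnected (no auth attempts in 2 secs): user=<>",
    "imap-login: Login: user=<c>, TLS: ECDHE-ECDSA-AES256-SHA (256/256 bits)",
    "imap-login: Login: user=<c>, TLS: ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)",
]

if __name__ == "__main__":
    for row in tally(SAMPLE_LOG):
        print(row)
```

Both suites seen in the thread use ECDHE, so both report forward_secrecy as True; they differ in that the AES256-SHA suite is CBC with HMAC-SHA1 while the AES128-GCM suite is AEAD.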