Patrick Horgan
2010-Jan-27 00:08 UTC
[Dovecot] How do I make dovecot not use sslv2 for pop?
From nmap:

995/tcp open ssl/pop3 Dovecot pop3d
|_ sslv2: server still supports SSLv2
|_ pop3-capabilities: USER CAPA UIDL PIPELINING RESP-CODES TOP SASL(PLAIN LOGIN)

pop3 allows SSLv2, imap doesn't. In my dovecot.conf I have:

ssl_cipher_list = ALL:!LOW:!SSLv2

at the global level. Do I need to put it inside the protocol pop3{} section?

Patrick
Patrick Horgan
2010-Jan-28 23:23 UTC
[Dovecot] How do I make dovecot not use sslv2 for pop?
Patrick Horgan wrote:
> From nmap:
>
> 995/tcp open ssl/pop3 Dovecot pop3d
> |_ sslv2: server still supports SSLv2
> |_ pop3-capabilities: USER CAPA UIDL PIPELINING RESP-CODES TOP
> SASL(PLAIN LOGIN)
>
> pop3 allows SSLv2, imap doesn't. In my dovecot.conf I have:
>
> ssl_cipher_list = ALL:!LOW:!SSLv2
>
> at the global level. Do I need to put it inside the protocol pop3{}
> section?

Just a bump, still have the problem, why would dovecot support sslv2 for pop, but not for imap, when it's configured to not support sslv2 at all?

Patrick
Andreas Schulze
2010-Jan-29 07:23 UTC
[Dovecot] How do I make dovecot not use sslv2 for pop?
> From: Timo Sirainen <tss at iki.fi>
> Subject: Re: [Dovecot] How do I make dovecot not use sslv2 for pop?
> Message-ID: <1264724551.22202.139.camel at hurina>
>
> Anyway.. I guess I should do something about this. Not really sure what,
> though.

Timo,

you can simply stop supporting SSLv2.
Nobody really needs security known to be insecure.

--
Andreas Schulze
Internetdienste | P532
DATEV eG
Timo Sirainen
2010-Jan-29 07:56 UTC
[Dovecot] How do I make dovecot not use sslv2 for pop?
On 29.1.2010, at 9.23, Andreas Schulze wrote:
>> From: Timo Sirainen <tss at iki.fi>
>> Subject: Re: [Dovecot] How do I make dovecot not use sslv2 for pop?
>> Message-ID: <1264724551.22202.139.camel at hurina>
>>
>> Anyway.. I guess I should do something about this. Not really sure what,
>> though.
> Timo,
>
> you can simply stop supporting SSLv2.
> Nobody really needs security known to be insecure.

Yeah. I'm actually more wondering about SSLv3+TLSv1 vs. TLSv1. Apparently disabling SSLv3 isn't a good idea yet? But still, maybe there should be a configuration option for that.. Or maybe not.
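
Added example, not part of the thread and not Dovecot or nmap code: a Python check for the condition the nmap output above reports. It builds an SSLv2 CLIENT-HELLO, parses the reply, and separates a SERVER-HELLO that lists cipher kinds from one that lists none. The function names, verdict strings and sample bytes are constructed for this illustration.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) as defined in the SSL 2.0 specification.
SSL2_CIPHERS = {
    0x010080: "RC4_128_WITH_MD5", 0x020080: "RC4_128_EXPORT40_WITH_MD5",
    0x030080: "RC2_128_CBC_WITH_MD5", 0x040080: "RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "IDEA_128_CBC_WITH_MD5", 0x060040: "DES_64_CBC_WITH_MD5",
    0x0700C0: "DES_192_EDE3_CBC_WITH_MD5",
}
# Constructed sample: SERVER-HELLO with a 4-byte dummy certificate and no cipher kinds.
SAMPLE_EMPTY = bytes.fromhex("801f0400010002000400000010" "43455254") + bytes(16)

def client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(c.to_bytes(3, "big") for c in SSL2_CIPHERS)
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    return struct.pack(">H", 0x8000 | (len(body) + len(specs) + len(challenge))) \
        + body + specs + challenge

def parse_reply(data):
    """Return (verdict, cipher names) for the first record a server sent back."""
    if len(data) < 3 or not data[0] & 0x80:
        return ("no-sslv2", [])          # TLS alert, padded record, or nothing
    body = data[2:2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF)]
    if len(body) < 11 or body[0] != 4:   # 4 = SERVER-HELLO, 0 = ERROR
        return ("no-sslv2", [])
    _, _, _, version, cert_len, spec_len, _ = struct.unpack(">BBBHHHH", body[:11])
    if version != 0x0002:
        return ("no-sslv2", [])
    raw = body[11 + cert_len:11 + cert_len + spec_len]
    names = [SSL2_CIPHERS.get(int.from_bytes(raw[i:i + 3], "big"), raw[i:i + 3].hex())
             for i in range(0, len(raw) - 2, 3)]
    return ("sslv2-with-ciphers" if names else "sslv2-hello-no-ciphers", names)

def probe(host, port=995, timeout=5.0):
    """Send the CLIENT-HELLO to an implicit-SSL port (995 = pop3s) and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello())
        data = b""
        try:
            while chunk := s.recv(4096):
                data += chunk
                if not data[0] & 0x80 or len(data) >= 2 + (int.from_bytes(data[:2], "big") & 0x7FFF):
                    break
        except OSError:                  # timeout or reset: classify what arrived
            pass
        return parse_reply(data)
```

Running `probe()` against port 995 and port 993 of a server you administer, before and after a configuration change, shows whether the two services differ. A verdict of `sslv2-hello-no-ciphers` means the server still answered the SSLv2 hello although it listed no SSLv2 cipher kind.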