Hi

Is there any known advice on how to favor PFS with dovecot?

In Apache, I use the following directives, which cause all modern
browsers to adopt 256 bit PFS ciphers, while keeping backward
compatibility with older browsers and avoiding the BEAST attack:

SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10-SHA1:RC4:!MD5:!DES:!aNULL:!eNULL

dovecot does not care about BEAST, since an attacker cannot inject
traffic. Therefore the cipher list gets simpler in dovecot.conf:

ssl_cipher_list = ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:!MD5:!DES:!aNULL:!eNULL

But that list is good for browsers. I am not aware of documentation
about what ciphers are advertised by various mail clients. How can I
know if that setting has some success pushing PFS? How can I
discover which clients fail to negotiate PFS ciphers?

--
Emmanuel Dreyfus
manu at netbsd.org
On 10.09.2013 09:54, Emmanuel Dreyfus wrote:
> Hi
>
> Is there any known advice on how to favor PFS with dovecot?
>
> In Apache, I use the following directives, which cause all modern
> browsers to adopt 256 bit PFS ciphers, while keeping backward
> compatibility with older browsers and avoiding the BEAST attack:
> SSLProtocol all -SSLv2
> SSLHonorCipherOrder On
> SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10-SHA1:RC4:!MD5:!DES:!aNULL:!eNULL
>
> dovecot does not care about BEAST, since an attacker cannot inject
> traffic. Therefore the cipher list gets simpler in dovecot.conf:
> ssl_cipher_list = ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:!MD5:!DES:!aNULL:!eNULL
>
> But that list is good for browsers. I am not aware of documentation
> about what ciphers are advertised by various mail clients. How can I
> know if that setting has some success pushing PFS? How can I
> discover which clients fail to negotiate PFS ciphers?
>

According to my last tests, if you want to stay compatible with most
clients, use the defaults; if you make changes, it might fail with old
clients. However, a change might be acceptable with, i.e., company-only
mail systems using only a few known clients.

Sorry, only in German:
http://sys4.de/de/blog/2013/08/15/dovecot-tls-perfect-forward-secrecy/

Some advice for Apple Mail:
http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/

Best Regards
Kind regards
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
Hi Emmanuel!

On 10.09.2013 09:54, Emmanuel Dreyfus wrote:
> Hi
>
> Is there any known advice on how to favor PFS with dovecot?
>
> In Apache, I use the following directives, which cause all modern
> browsers to adopt 256 bit PFS ciphers, while keeping backward
> compatibility with older browsers and avoiding the BEAST attack:
> SSLProtocol all -SSLv2
> SSLHonorCipherOrder On

"SSLHonorCipherOrder" is not yet supported in dovecot. I use the following hack/patch:

--- src/login-common/ssl-proxy-openssl.c.orig 2013-08-05 18:08:13.000000000 +0200 +++ src/login-common/ssl-proxy-openssl.c 2013-09-09 18:20:05.184890563 +0200 @@ -1276,6 +1276,7 @@ ssl_server_context_init(const struct log ctx->cipher_list, ssl_last_error()); } SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols)); + SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) { i_fatal("Can't load ssl_cert: %s",

> SSLCipherSuite ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:-SSLv3-SHA1:-TLSv10-SHA1:RC4:!MD5:!DES:!aNULL:!eNULL
>
> dovecot does not care about BEAST, since an attacker cannot inject
> traffic. Therefore the cipher list gets simpler in dovecot.conf:
> ssl_cipher_list = ECDHE@STRENGTH:ECDH@STRENGTH:DH@STRENGTH:HIGH:!MD5:!DES:!aNULL:!eNULL
>
> But that list is good for browsers. I am not aware of documentation
> about what ciphers are advertised by various mail clients. How can I
> know if that setting has some success pushing PFS? How can I
> discover which clients fail to negotiate PFS ciphers?

I have in my dovecot.conf:

login_log_format_elements = user=<%u> method=%m rip=%r lip=%l %c %k

The "%k" writes the negotiated cipher into the log, see also
http://wiki2.dovecot.org/Variables

Regards,
Frank

--
Frank Behrens
Osterwieck, Germany
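
Review bot: the added SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) line in the ssl_server_context_init hunk of the patch above is unconditional, so every installation built with it gets server-side cipher ordering with no way to switch it off from dovecot.conf. Consider gating it behind a boolean setting read from the same context as ctx->cipher_list and ctx->protocols, and documenting that the order of ssl_cipher_list then decides the negotiated cipher. The flag could also be OR-ed into the preceding SSL_CTX_set_options call, next to openssl_get_protocol_options(ctx->protocols), rather than issued as a second call.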
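
One way to answer the original question from the %k log field, as an added example (not code from the thread or from Dovecot): a Python script that classifies each login by whether the logged cipher uses ephemeral key exchange and lists the clients that did not get PFS. The sample lines are constructed, and the assumed %k layout ("<protocol> with cipher <name> (...)") should be checked against your own log.

```python
import re
from collections import defaultdict

# Constructed sample lines. Layout assumes Frank's login_log_format_elements and
# that %k expands to "<protocol> with cipher <name> (<bits> bits)" (assumption).
SAMPLE_LOG = """\
Sep 10 10:01:12 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS, TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 10 10:02:40 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1, TLS, TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 10 10:03:05 mx dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.12, lip=192.0.2.1, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Sep 10 10:04:51 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1, TLS, TLSv1 with cipher RC4-SHA (128/128 bits)
Sep 10 10:05:30 mx dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
"""

LOGIN_RE = re.compile(r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,\s]+)"
                      r"(?:.*?with cipher (?P<cipher>[A-Za-z0-9_-]+))?")

# OpenSSL cipher names with ephemeral (forward-secret) key exchange start with
# ECDHE-, DHE- or the older EDH-; TLS 1.3 suite names start with TLS_.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")


def is_pfs(cipher):
    """True if the OpenSSL cipher name indicates ephemeral key exchange."""
    return cipher.startswith(PFS_PREFIXES)


def audit(log_text):
    """Return (counts, non_pfs) where non_pfs maps (user, rip) -> set of ciphers."""
    counts = {"pfs": 0, "non_pfs": 0, "no_tls_info": 0}
    non_pfs = defaultdict(set)
    for line in log_text.splitlines():
        if "-login: Login:" not in line:
            continue  # only successful login lines carry the format elements
        m = LOGIN_RE.search(line)
        if not m:
            continue
        cipher = m.group("cipher")
        if cipher is None:
            counts["no_tls_info"] += 1  # no %k output: plaintext or local login
        elif is_pfs(cipher):
            counts["pfs"] += 1
        else:
            counts["non_pfs"] += 1
            non_pfs[(m.group("user"), m.group("rip"))].add(cipher)
    return counts, dict(non_pfs)


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Static ECDH-/DH- names are deliberately not treated as PFS, since only the ephemeral variants provide forward secrecy.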