Hi,

I am Yoshi, Japanese.

I used

FreeBSD 10.1
Dovecot 2.2.15

I want pop3s, so I made

/usr/local/etc/dovecot/local.conf

ssl = yes
ssl_cert = </usr/local/etc/dovecot/server.pem
ssl_key = </usr/local/etc/dovecot/server.key
ssl_ca = </usr/local/etc/dovecot/ca.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLV3:!EXP:!aNULL:!RC4

It works fine.
But after I changed it to

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!RC4

( SSLV3 -> SSLv3 )

I had trouble.

/var/log/maillog

Jan 6 05:41:53 example dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking, session=<5e9 zuO0LVwB+PO8D>

Is this a bug? Or did I miss a setting?

Thank you for reading.

Yoshi

On 05.01.2015 at 21:53, Yoshito Takeuchi wrote:
> I used
>
> FreeBSD 10.1
> Dovecot 2.2.15
>
> I want pop3s, so I made
>
> /usr/local/etc/dovecot/local.conf
>
> ssl = yes
> ssl_cert = </usr/local/etc/dovecot/server.pem
> ssl_key = </usr/local/etc/dovecot/server.key
> ssl_ca = </usr/local/etc/dovecot/ca.pem
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLV3:!EXP:!aNULL:!RC4
>
> It works fine.
> But after I changed it to
>
> ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!RC4
>
> ( SSLV3 -> SSLv3 )
>
> I had trouble.
>
> /var/log/maillog
>
> Jan 6 05:41:53 example dovecot: pop3-login: Disconnected (no auth attempts in 0
> secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS
> handshaking, session=<5e9
> zuO0LVwB+PO8D>
>
> Is this a bug? Or did I miss a setting?

!SSLV3 was wrong and not recognized
!SSLv3 is recognized but bullshit since you want to disable SSLv3 but not
all ciphers which are still valid for newer TLS versions

you do that already correctly with "ssl_protocols"

Hi Reindl Harald

Thank you for your reply.
I got it.

I changed my /usr/local/etc/dovecot/local.conf as below.

ssl = yes
ssl_cert = </usr/local/etc/dovecot/server.pem
ssl_key = </usr/local/etc/dovecot/server.key
ssl_ca = </usr/local/etc/dovecot/ca.pem
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4

It works fine.

Thank you again

Yoshi

2015-01-06 5:59 GMT+09:00 Reindl Harald <h.reindl at thelounge.net>:
>
> On 05.01.2015 at 21:53, Yoshito Takeuchi wrote:
>>
>> I used
>>
>> FreeBSD 10.1
>> Dovecot 2.2.15
>>
>> I want pop3s, so I made
>>
>> /usr/local/etc/dovecot/local.conf
>>
>> ssl = yes
>> ssl_cert = </usr/local/etc/dovecot/server.pem
>> ssl_key = </usr/local/etc/dovecot/server.key
>> ssl_ca = </usr/local/etc/dovecot/ca.pem
>> ssl_protocols = !SSLv2 !SSLv3
>> ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLV3:!EXP:!aNULL:!RC4
>>
>> It works fine.
>> But after I changed it to
>>
>> ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!RC4
>>
>> ( SSLV3 -> SSLv3 )
>>
>> I had trouble.
>>
>> /var/log/maillog
>>
>> Jan 6 05:41:53 example dovecot: pop3-login: Disconnected (no auth
>> attempts in 0
>> secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS
>> handshaking, session=<5e9
>> zuO0LVwB+PO8D>
>>
>> Is this a bug? Or did I miss a setting?
>
>
> !SSLV3 was wrong and not recognized
> !SSLv3 is recognized but bullshit since you want to disable SSLv3 but not
> all ciphers which are still valid for newer TLS versions
>
> you do that already correctly with "ssl_protocols"
>
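
Added example, not part of the original thread: a Python check that expands the three ssl_cipher_list values from the messages above with the OpenSSL your Python is linked against. It shows that the unknown token !SSLV3 changes nothing, while !SSLv3 removes cipher suites that newer TLS versions still use. The function names are made up for this sketch, and the exact lists vary by OpenSSL version.

```python
import ssl

# Cipher strings taken from the thread (values of Dovecot's ssl_cipher_list).
TYPO = "ALL:!LOW:!SSLv2:!SSLV3:!EXP:!aNULL:!RC4"     # unknown token !SSLV3
EXCLUDE = "ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:!RC4"  # recognized token !SSLv3
FINAL = "ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4"           # token left out


def expand(cipher_string):
    """Map each selected suite name to the minimum protocol OpenSSL reports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def compare():
    """Expand all three strings and list what !SSLv3 takes away from FINAL."""
    typo, exclude, final = expand(TYPO), expand(EXCLUDE), expand(FINAL)
    removed = {name: proto for name, proto in final.items() if name not in exclude}
    return typo, exclude, final, removed


if __name__ == "__main__":
    typo, exclude, final, removed = compare()
    print(ssl.OPENSSL_VERSION)
    print("typo string selects the same suites as FINAL:", typo == final)
    print(f"{len(final)} suites with FINAL, {len(exclude)} with !SSLv3")
    for name, proto in sorted(removed.items()):
        print(f"  removed by !SSLv3: {name} (min protocol {proto})")
```

A client that only offers the removed suites gets no shared cipher and the connection ends during the TLS handshake, which matches the maillog line in the first message.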