Hi all, when hardening Dovecot against the POODLE vulnerability we followed the advice to disable SSLv2 and SSLv3, but this is causing problems with some email clients (claws-mail). ssl_protocols = !SSLv2 !SSLv3 results in the following error: dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<2C8jBjIMmQBVGNd1> Our SMTP server is Postfix; can you please suggest a better 'ssl_protocols' and 'ssl_cipher_list' configuration? We are running Debian 7 Wheezy. Thank you, RuggedInbox team
doveconf -n output? On 1/9/2015 2:07 AM, ml at ruggedinbox.com <ml at ruggedinbox.com> wrote:> Hi all, when hardening dovecot against the POODLE vulnerability, > we followed the advise to disable SSL2 and SSL3 > but this is giving problems with some email clients (claws-mail). > > ssl_protocols = !SSLv2 !SSLv3 > > results in the following error: > > dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, > rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: > error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, > session=<2C8jBjIMmQBVGNd1> > > Our smtp server is postfix, can you please suggest a better > 'ssl_protocols' and 'ssl_cipher_list' configuration ? > We are running Debian 7 Wheezy > > Thank you, > RuggedInbox team >
Hi thanks for your help,
follows the doveconf -n output:
# 2.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-042stab094.7 x86_64 Debian 7.7 simfs
# NOTE(review): this is `doveconf -n` output, which lists only the settings
# that differ from the built-in defaults. Anything not shown below (for
# example disable_plaintext_auth, ssl_cipher_list, ssl) is at its default;
# check a specific default on this host with `doveconf -d <setting>`.
#
# Both PLAIN and LOGIN send the password in the clear, so they are only safe
# inside TLS (ports 993/995 below, or STARTTLS on 143/110). That protection
# relies on disable_plaintext_auth keeping its default of yes -- it is not
# overridden in this dump, but confirm with `doveconf disable_plaintext_auth`.
auth_mechanisms = plain login
auth_verbose = yes
debug_log_path = /var/log/dovecot/debug.log
default_client_limit = 8192
default_process_limit = 2048
director_username_hash = %Lu
# Replication runs dsync over ssh; the remote login/host come from the
# replication settings, which are not visible in this dump.
dsync_remote_cmd = ssh -l%{login} %{host} doveadm dsync-server -u%u -U
# One virtual-mail uid/gid (5000) for every user; all mailboxes share it,
# so per-user isolation is provided by Dovecot, not by filesystem ownership.
first_valid_gid = 5000
first_valid_uid = 5000
# Sends the IMAP ID "name" field (with its default value) to clients.
imap_id_send = name *
last_valid_gid = 5000
last_valid_uid = 5000
login_greeting = Welcome to ruggedinbox.com
mail_gid = vmail
# The mail_location value was wrapped onto two lines by the mail client;
# in the real config it is a single line.
mail_location =
maildir:/var/vmail/%d/%n/Maildir:INDEX=/var/vmail/%d/%n/Maildir/indexes
mail_max_userip_connections = 25
mail_privileged_group = vmail
mail_shared_explicit_inbox = no
mail_uid = vmail
managesieve_notify_capability = mailto
# Also wrapped by the mail client; one line in the real config.
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date ihave
# Password lookups via SQL. /etc/dovecot/mysql.conf contains the database
# credentials; it should be readable only by root (Dovecot reads it before
# dropping privileges) -- confirm its mode on this host.
passdb {
args = /etc/dovecot/mysql.conf
driver = sql
}
postmaster_address = postmaster at ruggedinbox.com
protocols = imap pop3 sieve
replication_full_sync_interval = 1 days
service auth {
client_limit = 0
drop_priv_before_exec = no
executable = auth
idle_kill = 0
process_limit = 1
process_min_avail = 0
service_count = 0
# SASL socket for Postfix, placed inside Postfix's chroot and restricted to
# the postfix user/group (0660) -- appropriate for a socket that authenticates.
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-client {
mode = 0600
}
unix_listener auth-login {
mode = 0600
user = $default_internal_user
}
unix_listener auth-master {
mode = 0600
}
# World-accessible (0666): any local process can query userdb data
# (home, uid/gid) through it. The lda section below uses this path; if
# nothing else on the host needs it, consider restricting mode/user/group
# to the delivery user -- confirm which local processes actually connect.
unix_listener auth-userdb {
mode = 0666
user = $default_internal_user
}
# Used by the chrooted login processes; the login/ prefix places the socket
# inside the `login` chroot directory.
unix_listener login/login {
mode = 0666
}
user = $default_internal_user
vsz_limit = 128 M
}
# IMAP login processes: unprivileged ($default_login_user), chrooted, and
# one connection per process (service_count = 1), so a compromised login
# process holds no other client's state.
service imap-login {
chroot = login
client_limit = 0
drop_priv_before_exec = no
executable = imap-login
idle_kill = 0
# `ssl = no` on this listener means port 143 is not implicit TLS, not that
# TLS is off: with ssl_cert/ssl_key set (and the global `ssl` at its
# default) STARTTLS is still offered, and plaintext logins are refused
# unless disable_plaintext_auth has been changed -- TODO confirm.
inet_listener imap {
port = 143
ssl = no
}
# Implicit TLS (IMAPS) on 993.
inet_listener imaps {
port = 993
ssl = yes
}
process_limit = 0
process_min_avail = 0
protocol = imap
service_count = 1
type = login
user = $default_login_user
vsz_limit = 128 M
}
service imap {
client_limit = 1
drop_priv_before_exec = no
executable = imap
idle_kill = 0
process_limit = 1024
process_min_avail = 0
protocol = imap
service_count = 1
# NOTE(review): the next two lines are garbled in the posted dump (most
# likely `group =`, `mode = 0666`, `user =` run together); they are kept
# exactly as posted. Compare with the intact login/pop3 listener below.
unix_listener login/imap {
group mode = 0666
user }
vsz_limit = 128 M
}
service lmtp {
client_limit = 1
drop_priv_before_exec = no
executable = lmtp
idle_kill = 0
process_limit = 0
process_min_avail = 0
protocol = lmtp
service_count = 0
# World-accessible LMTP socket (0666). Nothing in this dump shows who
# connects to it; if only a local MTA delivers through it, restricting
# user/group would be tighter -- confirm the consumer.
unix_listener lmtp {
mode = 0666
}
vsz_limit = 128 M
}
# POP3 login processes: same unprivileged/chrooted/one-connection model as
# imap-login above.
service pop3-login {
chroot = login
client_limit = 0
drop_priv_before_exec = no
executable = pop3-login
idle_kill = 0
# Port 110: not implicit TLS; STARTTLS is still offered with the ssl_cert/
# ssl_key below (same caveat about disable_plaintext_auth as for 143).
inet_listener pop3 {
port = 110
ssl = no
}
# Implicit TLS (POP3S) on 995 -- the listener the reported handshake
# failure ("pop3-login ... no shared cipher") came through.
inet_listener pop3s {
port = 995
ssl = yes
}
process_limit = 0
process_min_avail = 0
protocol = pop3
service_count = 1
type = login
user = $default_login_user
vsz_limit = 128 M
}
service pop3 {
client_limit = 1
drop_priv_before_exec = no
executable = pop3
idle_kill = 0
process_limit = 1024
process_min_avail = 0
protocol = pop3
service_count = 1
unix_listener login/pop3 {
mode = 0666
}
vsz_limit = 128 M
}
shutdown_clients = no
# Certificate and key shared with Postfix. The `<` prefix makes Dovecot read
# the file at startup (as root, before privileges are dropped). The key file
# should be root-owned and mode 0600, and the certificate must match the
# hostname mail clients connect to -- confirm both.
ssl_cert = </etc/ssl2/certs/postfix.pem
ssl_key = </etc/ssl2/private/postfix.key
# POODLE mitigation: SSLv2/SSLv3 are refused, leaving whichever TLS versions
# the system OpenSSL supports. No ssl_cipher_list is set here, so Dovecot's
# built-in default list is in effect (`doveconf -d ssl_cipher_list`). The
# "no shared cipher" handshake failure quoted in the thread generally means
# the protocol version was accepted but the client's offered cipher suites
# did not intersect the server's list (or its certificate type) -- compare
# `openssl s_client -connect HOST:995 -tls1` with what the failing client
# offers before changing the protocol setting back.
ssl_protocols = !SSLv2 !SSLv3
# User lookups via the same SQL config as passdb (credentials caveat above).
userdb {
args = /etc/dovecot/mysql.conf
driver = sql
}
# Local delivery agent: talks to the world-accessible auth-userdb socket
# defined in service auth, logs separately, and runs Sieve filtering.
protocol lda {
auth_socket_path = /var/run/dovecot/auth-userdb
log_path = /var/log/dovecot/dovecot-deliver.log
mail_plugins = sieve
postmaster_address = postmaster at ruggedinbox.com
}
Thanks and regards,
RuggedInbox team
On 2015-01-09 07:38, Charles Marcus wrote:> doveconf -n output?
>
> On 1/9/2015 2:07 AM, ml at ruggedinbox.com <ml at ruggedinbox.com>
wrote:
>> Hi all, when hardening dovecot against the POODLE vulnerability,
>> we followed the advise to disable SSL2 and SSL3
>> but this is giving problems with some email clients (claws-mail).
>>
>> ssl_protocols = !SSLv2 !SSLv3
>>
>> results in the following error:
>>
>> dovecot: pop3-login: Disconnected (no auth attempts in 1 secs):
>> user=<>,
>> rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed:
>> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher,
>> session=<2C8jBjIMmQBVGNd1>
>>
>> Our smtp server is postfix, can you please suggest a better
>> 'ssl_protocols' and 'ssl_cipher_list' configuration ?
>> We are running Debian 7 Wheezy
>>
>> Thank you,
>> RuggedInbox team
>>
Am 09.01.2015 um 08:07 schrieb ml at ruggedinbox.com:> Hi all, when hardening dovecot against the POODLE vulnerability, > we followed the advise to disable SSL2 and SSL3 > but this is giving problems with some email clients (claws-mail). > > ssl_protocols = !SSLv2 !SSLv3 > > results in the following error: > > dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, > rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: > error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, > session=<2C8jBjIMmQBVGNd1> > > Our smtp server is postfix, can you please suggest a better > 'ssl_protocols' and 'ssl_cipher_list' configuration ? > We are running Debian 7 Wheezy > > Thank you, > RuggedInbox team

Hi, this is my config on Wheezy. I don't know if it's 'best', but it works for us: # SSL protocols to use ssl_protocols = !SSLv2 !SSLv3 # Prefer the server's order of ciphers over client's. ssl_prefer_server_ciphers = yes ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2 Two caveats: ssl_prefer_server_ciphers appears to exist only in Dovecot 2.2.6 and later, so on a 2.1.x install leave that line out (ssl_protocols and ssl_cipher_list are enough), and the list deliberately ends with 3DES (ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA) and keeps the non-forward-secret AES/CAMELLIA suites for old clients -- drop them if none of your clients need them. Cheers, Philipp -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4296 bytes Desc: S/MIME Cryptographic Signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20150109/47e1bd77/attachment-0001.p7s>
Hi thanks for your help! Trying to set your same parameters, when restarting dovecot, gives the error: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers doveconf: Error: managesieve-login: dump-capability process returned 89 doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers [....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers doveconf: Error: managesieve-login: dump-capability process returned 89 doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers and if trying to comment the line with 'ssl_prefer_server_ciphers', dovecot restarts fine but same problem as before, claws-mail can't connect. dovecot version is 2.1.7 any hints ? On 2015-01-09 07:50, Philipp Resch wrote:> Am 09.01.2015 um 08:07 schrieb ml at ruggedinbox.com: >> Hi all, when hardening dovecot against the POODLE vulnerability, >> we followed the advise to disable SSL2 and SSL3 >> but this is giving problems with some email clients (claws-mail). >> >> ssl_protocols = !SSLv2 !SSLv3 >> >> results in the following error: >> >> dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): >> user=<>, >> rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: >> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, >> session=<2C8jBjIMmQBVGNd1> >> >> Our smtp server is postfix, can you please suggest a better >> 'ssl_protocols' and 'ssl_cipher_list' configuration ? >> We are running Debian 7 Wheezy >> >> Thank you, >> RuggedInbox team > > Hi, > > this is my config on Wheezy. I don't know if it's 'best', but it works > for us: > > # SSL protocols to use > ssl_protocols = !SSLv2 !SSLv3 > # Prefer the server's order of ciphers over client's. 
> ssl_prefer_server_ciphers = yes > ssl_cipher_list > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!SSLv2 > > > Cheers, > Philipp