Sorry for the bump...

Anyone know if it is possible to have multiple protocols instances with different ssl_protocols settings?

Regards.

On 07/02/15 00:03, Gionatan Danti wrote:
> Hi all,
> anyone with some ideas?
>
> Thanks.
>
> On 2015-02-02 23:08 Gionatan Danti wrote:
>> Hi all,
>> I have a question regarding the "ssl_protocols" parameter.
>>
>> I understand that editing the 10-ssl.conf file I can set the
>> ssl_protocols variable as required.
>> At the same time, I can edit a single protocol file (eg: 20-pop3.conf)
>> to set the ssl_protocols for a specific protocol/listener.
>>
>> I wonder if (and how) I can create a different listener for another
>> POP3 instance, for example listening on port 10995, and using another
>> ssl_protocol setting.
>>
>> In short, I would like to create a different, firewalled pop3s service
>> enabling the SSLv3 stack, while disabling it at system-wide settings.
>>
>> I am able to successfully create a new listener for port 10995, but I
>> don't understand how to associate the ssl_protocols value to the new
>> listener. Simply putting the ssl_protocols value into the listener
>> section gives me a configuration error.
>>
>> Thank you all.
>
--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8
I performed a quick test and it seems that the "ssl_protocols" setting
is per-IP only and shared among all listeners defined for that address. As you
want this setting to be active for one specific "inet_listener" only
(with port 10995 in your case), dovecot would have to permit the
"ssl_protocols" directive in that scope, which it doesn't.
As a workaround I suggest using a special, unused loopback address to which you
can apply the distinct SSL settings. You could use iptables/NAT to forward all
incoming traffic originating from your external IP on port 10995 to
127.0.0.2:10995 for example. Then configure the POP3 service with an
"inet_listener" for 127.0.0.2:10995 and use the "local"
directive to set up the SSL protocols without touching global settings:
local 127.0.0.2 {
ssl_protocols = !SSLv2
}
Regards,
Felix Zandanel
> On 09.02.2015 at 11:33 Gionatan Danti <g.danti at assyoma.it> wrote:
>
> Sorry for the bump...
>
> Anyone know if it is possible to have multiple protocols instances with
> different ssl_protocols settings?
>
> Regards.
>
> On 07/02/15 00:03, Gionatan Danti wrote:
>> Hi all,
>> anyone with some ideas?
>>
>> Thanks.
>>
>> On 2015-02-02 23:08 Gionatan Danti wrote:
>>> Hi all,
>>> I have a question regarding the "ssl_protocols" parameter.
>>>
>>> I understand that editing the 10-ssl.conf file I can set the
>>> ssl_protocols variable as required.
>>> At the same time, I can edit a single protocol file (eg: 20-pop3.conf)
>>> to set the ssl_protocols for a specific protocol/listener.
>>>
>>> I wonder if (and how) I can create a different listener for another
>>> POP3 instance, for example listening on port 10995, and using another
>>> ssl_protocol setting.
>>>
>>> In short, I would like to create a different, firewalled pop3s service
>>> enabling the SSLv3 stack, while disabling it at system-wide settings.
>>>
>>> I am able to successfully create a new listener for port 10995, but I
>>> don't understand how to associate the ssl_protocols value to the new
>>> listener. Simply putting the ssl_protocols value into the listener
>>> section gives me a configuration error.
>>>
>>> Thank you all.
>>
>
> --
> Danti Gionatan
> Technical Support
> Assyoma S.r.l. - www.assyoma.it
> email: g.danti at assyoma.it - info at assyoma.it
> GPG public key ID: FF5F32A8
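The workaround above, written out as an added example (not Felix's or the Dovecot project's own code): a POSIX shell script that renders the Dovecot fragment (a second pop3s listener bound only to 127.0.0.2, plus the "local" block carrying the per-address ssl_protocols), renders the matching iptables DNAT rule, and checks that every "local X {" block is backed by an inet_listener whose address is X, since an override on an address nothing listens on silently never matches. The external IP 203.0.113.10, the interface eth0, the listener name pop3s_legacy, the system-wide "!SSLv2 !SSLv3" value and all function names are assumptions. One caveat the thread does not mention: on Linux, DNAT to a 127/8 address from a non-loopback interface only works with route_localnet=1 set on that interface, otherwise the kernel discards the packets as martians.

```shell
#!/bin/sh
# Added example (not from the original thread): renders the per-address
# SSL configuration described in the reply and checks that the "local"
# block and the "inet_listener" agree on the address. The external IP,
# the interface name and the listener name are constructed placeholders.

LOOP_ADDR=127.0.0.2   # unused loopback address from the reply
POP3S_PORT=10995      # the separate, firewalled pop3s port
EXT_IP=203.0.113.10   # placeholder public IP of the mail server
EXT_IF=eth0           # placeholder external interface

# Dovecot fragment: the extra listener lives only on the loopback address,
# and the protocol list is scoped with "local", because ssl_protocols is
# not accepted inside inet_listener {} (the error the question reports).
render_dovecot_conf() {
    addr=$1; port=$2
    cat <<EOF
# conf.d/10-ssl.conf (system-wide, assumed value): no SSLv2, no SSLv3
ssl_protocols = !SSLv2 !SSLv3

# conf.d/20-pop3.conf: second pop3s listener, loopback only
service pop3-login {
  inet_listener pop3s_legacy {
    address = $addr
    port = $port
    ssl = yes
  }
}

# Per-address override: applies to connections arriving on $addr only
local $addr {
  ssl_protocols = !SSLv2
}
EOF
}

# Netfilter side: DNAT the public port to the loopback listener.
# Routing to 127/8 from a non-loopback interface needs route_localnet=1
# on that interface, or the kernel drops the packets as martians.
render_nat_rules() {
    ext_ip=$1; port=$2; addr=$3; ifc=$4
    cat <<EOF
sysctl -w net.ipv4.conf.$ifc.route_localnet=1
iptables -t nat -A PREROUTING -i $ifc -p tcp -d $ext_ip --dport $port -j DNAT --to-destination $addr:$port
iptables -A INPUT -i $ifc -p tcp -d $addr --dport $port -j ACCEPT
EOF
}

# Sanity check: every "local X {" block must have an inet_listener with
# "address = X"; otherwise the override never matches any connection.
# Returns 0 when all local blocks are backed by a listener, 1 otherwise.
check_local_blocks() {
    conf=$1
    rc=0
    for a in $(printf '%s\n' "$conf" | sed -n 's/^local \([^ ]*\) {.*/\1/p'); do
        if ! printf '%s\n' "$conf" | grep -q "^[[:space:]]*address = $a\$"; then
            echo "no inet_listener bound to $a for the 'local $a' block" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: print both fragments and run the consistency check.
CONF=$(render_dovecot_conf "$LOOP_ADDR" "$POP3S_PORT")
printf '%s\n' "$CONF"
render_nat_rules "$EXT_IP" "$POP3S_PORT" "$LOOP_ADDR" "$EXT_IF"
check_local_blocks "$CONF" && echo "local/listener addresses consistent"
```

After dropping the rendered fragment into conf.d, `doveconf -n` confirms that Dovecot parses the listener and the local block; the NAT rules are printed rather than applied so the script can be reviewed before anything is changed on the host.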
It is precisely what I need, thank you very much.

As a side note, I did not find any reference to the "local" (and "remote") directive on the wiki (albeit man doveconf showed some references). Where can I find documentation of all allowed directives?

Thanks again.

On 2015-02-09 14:54 Felix Zandanel wrote:
> I performed a quick test and it seems that the "ssl_protocols" setting
> is per-IP only and shared among all listeners defined for that
> address. As you want this setting to be active for one specific
> "inet_listener" only (with port 10995 in your case), dovecot would
> have to permit the "ssl_protocols" directive in that scope, which it
> doesn't.
>
> As a workaround I suggest using a special, unused loopback address to
> which you can apply the distinct SSL settings. You could use
> iptables/NAT to forward all incoming traffic originating from your
> external IP on port 10995 to 127.0.0.2:10995 for example. Then
> configure the POP3 service with an "inet_listener" for 127.0.0.2:10995
> and use the "local" directive to set up the SSL protocols without
> touching global settings:
>
> local 127.0.0.2 {
> ssl_protocols = !SSLv2
> }
>
> Regards,
> Felix Zandanel
--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8