When my client connects, I see this in my log:

    dovecot: imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

Whereas, when client connects to my postfix server, I see:

    Anonymous TLS connection established from * TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

how can I tell dovecot to use AES256, instead of AES128 ?

is this set by ssl_cipher_list ? Here are my current values (defaults)

    # doveconf ssl_cipher_list
    ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

    # dovecot --version
    2.3.4.1

thanks,
> On 28/10/2019 16:12 Fourhundred Thecat via dovecot <dovecot at dovecot.org> wrote:
>
> When my client connects, I see this in my log:
>
>     dovecot: imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
>
> Whereas, when client connects to my postfix server, I see:
>
>     Anonymous TLS connection established from * TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>
> how can I tell dovecot to use AES256, instead of AES128 ?
>
> is this set by ssl_cipher_list ? Here are my current values (defaults)
>
>     # doveconf ssl_cipher_list
>     ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>
>     # dovecot --version
>     2.3.4.1
>
> thanks,

Perhaps your client does not support it?

Also, you could try the *default* cipher list (unset ssl_cipher_list), which is reasonable. Also make sure you have 'ssl_prefer_server_ciphers=yes', so that the server-side priority list is used.

aki
> On 2019-10-28 15:36, Aki Tuomi wrote:
> Also, you could try the *default* cipher list (unset ssl_cipher_list), which is reasonable. Also make sure you have 'ssl_prefer_server_ciphers=yes', so that the server-side priority list is used.

setting ssl_prefer_server_ciphers=yes did the trick. Now my imap client uses ECDHE-RSA-AES256-SHA

many thanks,
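The resolution above hinges on two things: what order OpenSSL actually produces when it expands Dovecot's default cipher string (the trailing @STRENGTH sorts the enabled ciphers by key length, so 256-bit suites come first), and whether the server's or the client's order wins during negotiation (ssl_prefer_server_ciphers). The following script is an added example, not code from the thread or from the Dovecot project: it expands the default list with Python's ssl module (a wrapper around the same OpenSSL cipher-string syntax Dovecot passes through) and models the negotiation for a constructed client offer that lists AES128 first, as the original poster's client evidently did. The negotiate() helper is a simplified model of cipher selection, not Dovecot's or OpenSSL's code, and CLIENT_OFFER is constructed for illustration.

```python
"""Added example (not from the thread or from Dovecot): expand Dovecot's default
ssl_cipher_list with OpenSSL and model the effect of ssl_prefer_server_ciphers."""
import ssl

# Dovecot 2.3 default ssl_cipher_list as posted in the thread (OpenSSL syntax).
# The trailing @STRENGTH sorts the enabled ciphers by symmetric key length.
DOVECOT_DEFAULT = ("ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:"
                   "!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH")


def expand_cipher_list(spec: str) -> list:
    """Return the TLS 1.2-and-below ciphers OpenSSL enables for `spec`, in the
    order the server would prefer them. TLS 1.3 suites are governed by a
    separate fixed list and are filtered out so the ordering property holds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def strengths(ciphers) -> list:
    """Symmetric key strength in bits for each cipher, in list order."""
    return [c["strength_bits"] for c in ciphers]


def is_sorted_by_strength(ciphers) -> bool:
    """True if no cipher is followed by a stronger one (what @STRENGTH promises)."""
    bits = strengths(ciphers)
    return all(a >= b for a, b in zip(bits, bits[1:]))


def negotiate(server_prefs, client_prefs, prefer_server: bool):
    """Simplified model of cipher selection (hypothetical helper, not OpenSSL's
    code): with ssl_prefer_server_ciphers=yes the server walks its own list and
    takes the first cipher the client also offers; otherwise the client's order
    decides. Returns None when there is no cipher in common."""
    if prefer_server:
        first, second = server_prefs, client_prefs
    else:
        first, second = client_prefs, server_prefs
    offered = set(second)
    for name in first:
        if name in offered:
            return name
    return None


# Constructed client offer mirroring the thread: AES128 listed before AES256.
CLIENT_OFFER = ["ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "AES128-SHA"]

if __name__ == "__main__":
    server_ciphers = expand_cipher_list(DOVECOT_DEFAULT)
    server_list = [c["name"] for c in server_ciphers]
    for c in server_ciphers[:10]:
        print(f'{c["name"]:40} {c["protocol"]:8} {c["strength_bits"]:3d} bits')
    print("sorted by strength:", is_sorted_by_strength(server_ciphers))
    print("prefer_server=no :", negotiate(server_list, CLIENT_OFFER, False))
    print("prefer_server=yes:", negotiate(server_list, CLIENT_OFFER, True))
```

With server preference off, the model picks the client's first common cipher (the AES128 suite); with it on, the first 256-bit suite the client also supports wins, which is exactly the change the poster observed. Which of those two suites are enabled on a given host depends on the installed OpenSSL version and its security level, so the script prints whatever the local library actually produces rather than assuming a fixed list.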
The funny thing is AES128 may be harder to break than AES256.

https://www.schneier.com/blog/archives/2009/07/another_new_aes.html

It had been a decade, so it would be interesting if Bruce Schneier has the same opinion.

I just use the defaults.

-------- Original Message --------
From: dovecot at dovecot.org
Sent: October 28, 2019 7:13 AM
To: dovecot at dovecot.org
Reply-to: 400thecat at gmx.ch
Subject: changing cipher for imap clients

When my client connects, I see this in my log:

    dovecot: imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)

Whereas, when client connects to my postfix server, I see:

    Anonymous TLS connection established from * TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

how can I tell dovecot to use AES256, instead of AES128 ?

is this set by ssl_cipher_list ? Here are my current values (defaults)

    # doveconf ssl_cipher_list
    ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

    # dovecot --version
    2.3.4.1

thanks,