Displaying 12 results from an estimated 12 matches for "cipherlist".

2018 Dec 16
5
ssh_dh?
Don't know if this was corrected in 2.3.4 (haven't upgraded yet but didn't see it in the notes) - but in 2.3.3 I see this in my log: imap-login: Error: Diffie-Hellman key exchange requested, but no DH parameters provided. Set ssh_dh=</path/to/dh.pem So...either there's an undocumented feature of SSH-over-IMAP (that's Dovecot - always on the cutting edge!) or someone had
2017 Apr 14
4
several misc questions, public folders and sharing, quota, ssl
Hello, I'm running dovecot 2.29 on a freebsd 10.3 system. I'm wanting to optimize how the system is running and have a few misc questions. First ssl, is my cipher list good? I'm trying for pfs and wanting to ensure this cipherlist is appropriate: ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH Next, a new feature that I'm trying for is virtual folders that store All messages. My understanding of this is that it stores a version of every received message in one place? I've got the virtual plugin lo...
2020 May 31
5
I can no longer use TLS for Windows7 and Outlook
I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f. A few months ago there was an update to all these systems and since then I've had to talk W7 and old Mac clients through disabling ports 993/995 with TLS enabled back to ports 143/110 without SSL or they could not pick up email. Thunderbird users (ie; me) were unaffected. Could anyone share a set of port 993/995 SSL
2018 Dec 17
0
ssh_dh?
...> -- > Daniel It's a typo. We made non-ec DH optional in 2.3.4. This means you can remove all non-ec dh crypto algos from cipherlist. This was because ec support is pretty good and generating safe dh parameters takes a very long time, so one can simply stop supporting non-ec dh based algorithms. --- Aki Tuomi
2020 May 31
0
I can no longer use TLS for Windows7 and Outlook
... ssl_min_protocol = TLSv1.0 ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL if this works try tuning cipherlists to more secure value. --- Aki Tuomi
2020 May 31
1
I can no longer use TLS for Windows7 and Outlook
...n7 and up. >> >> Yes I know Win7 is no longer supported but that does not help the 100s >> of older users I have that can't/won't upgrade their computers. > > ssl_min_protocol = TLSv1.0 > ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL > > if this works try tuning cipherlists to more secure value. > > --- > Aki Tuomi Since you mention the newest Ubuntu version, it may (most likely) be necessary to enable TLS 1.0 / 1.1 in openssl as well. I ran into this with Debian 10 some time ago. /etc/ssl/openssl.conf [system_default_sect] -MinProtocol = TLSv1.2 +MinP...
2018 Jan 09
2
openssl question
> but i try to this command > > openssl s_client -connect mail.mydomain:pop3s -starttls imap > > it says CONNECTED and hang. second command is correct? Uh, "pop3s" != "imap", and IMAP/STARTTLS is not the same as IMAP/SSL (or whatever the hell the terminology is nowadays). If you're testing IMAP, try one or the other or both depending of how many flavours
2017 Apr 14
2
several misc questions, public folders and sharing, quota, ssl
... I'm running dovecot 2.29 on a freebsd 10.3 system. I'm wanting to >> >> optimize how the system is running and have a few misc questions. >> >> >> >> First ssl, is my cipher list good? I'm trying for pfs and wanting to >> >> ensure this cipherlist is appropriate: >> >> >> >> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH >> >> >> > >> > I would add @STRENGTH to the end, so it'll get sorted by strengthness. >> > >> >> Next, a new feature that I...
2015 Jul 04
1
sendmail tls and openssl
On 04.07.2015 at 15:34, Gregory P. Ennis <PoMec at PoMec.Net> wrote: > On Sat, 2015-07-04 at 08:07 -0500, Gregory P. Ennis wrote: >> Everyone, >> >> Looks like the new version of openssl has broken my sendmail's use >> of >> tls. Has anyone else had this problem or seen a fix? >> >> Greg Ennis >>
2023 Aug 17
21
[Bug 3603] New: ssh clients can't communicate with server with default cipher when fips is enabled at server end
...on what went wrong; currently client simply aborts with zero info. 4. If fips is enabled and sshd_config has ciphers which are incompatible in fips mode, sshd should throw a warning and use the next available fips compliant cipher from the list. Even now, we can do the following in sshd_config, cipherlist aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com But we have to do it in all the server instances. I think this should be handled by server considering fips scenario. Please feel free to correct me if I'm wrong here. -- Yo...
2017 Apr 14
0
several misc questions, public folders and sharing, quota, ssl
... > >> I'm running dovecot 2.29 on a freebsd 10.3 system. I'm wanting to > >> optimize how the system is running and have a few misc questions. > >> > >> First ssl, is my cipher list good? I'm trying for pfs and wanting to > >> ensure this cipherlist is appropriate: > >> > >> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH > >> > > > > I would add @STRENGTH to the end, so it'll get sorted by strengthness. > > > >> Next, a new feature that I'm trying for is virtual f...
2017 Apr 14
0
several misc questions, public folders and sharing, quota, ssl
...vecot 2.29 on a freebsd 10.3 system. I'm wanting to > >> >> optimize how the system is running and have a few misc questions. > >> >> > >> >> First ssl, is my cipher list good? I'm trying for pfs and wanting to > >> >> ensure this cipherlist is appropriate: > >> >> > >> >> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH > >> >> > >> > > >> > I would add @STRENGTH to the end, so it'll get sorted by strengthness. > >> > > >> ...