search for: keecdh

Displaying 15 results from an estimated 15 matches for "keecdh".

2018 Jan 09
2
openssl question
> but I try this command > > openssl s_client -connect mail.mydomain:pop3s -starttls imap > > it says CONNECTED and hang. second command is correct? Uh, "pop3s" != "imap", and IMAP/STARTTLS is not the same as IMAP/SSL (or whatever the hell the terminology is nowadays). If you're testing IMAP, try one or the other or both depending on how many flavours
2018 Jan 09
0
openssl question
> TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL > routines:SSL3_GET_CLIENT_HELLO:no shared cipher > > our dovecot (2.0.9 on redhat) 10-ssl.conf file we have > > ssl_cipher_list = > kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3 Offhand, I don't know of a fast way to match up client cipher specs and server cipher specs. The hard part is trying to figure out what th...
2020 Oct 01
3
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
hi, On 10/1/20 12:21 AM, JEAN-PAUL CHAPALAIN wrote: > I had the same problem when migrating from Dovecot V2.2.36 on, Centos-7 to Dovecot v2.3.8 on Centos-8 My report is specifically/solely about the addition/use of the Options = ServerPreference parameter. I don't see that in your configuration. Are you using it? In a config using Dovecot's submission proxy?
2014 Dec 02
0
disabling certain ciphers
...r clients: ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH ssl_dh_parameters_length = 2048 ssl_parameters_regenerate = 0 ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 If your userbase is limited to current clients and OSes, you can take it a bit further: ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!3DES:!aNULL:@STRENGTH ssl_dh_parameters_length = 4096 ssl_parameters_regenerate = 0 ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 This drops 3DES support and makes forward secrecy mandatory.
2014 Dec 02
2
disabling certain ciphers
On Tue, Dec 02, 2014 at 08:34:50AM -0800, Darren Pilgrim wrote: > On 12/1/2014 9:44 PM, Will Yardley wrote: > > On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: > >> On 12/1/2014 4:43 PM, Will Yardley wrote: > >>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config > >>> (in a way that's sane)? > >> >
2014 Dec 02
0
disabling certain ciphers
...e problems the first few times I restarted with ssl-params seeming to hang, but it finally works. I am able to get it to work with just: ssl = required ssl_dh_parameters_length = 4096 ssl_parameters_regenerate = 0 ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!3DES:!aNULL:@STRENGTH Thanks for your help! w
2020 Oct 01
0
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
...f look like that : openssl_conf = default_modules [ default_modules ] ssl_conf = ssl_module [ ssl_module ] system_default = crypto_policy [ crypto_policy ] *.include /etc/crypto-policies/back-ends/opensslcnf.config* And /etc/crypto-policies/back-ends/opensslcnf.config : CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 MinProtocol = *TLSv1.1* MaxProtocol = TLSv1.3 Regards Le jeu...
2014 Dec 02
2
disabling certain ciphers
Can you use both ssl_protocols *and* ssl_cipher_list in the same config (in a way that's sane)? ssl_protocols (>= 2.1) and ssl_cipher_list co-exist, or are they mutually exclusive? I have a Dovecot 2.2.13 system, and I tried setting: I also tried things like ssl_cipher_list = HIGH or ssl_cipher_list = HIGH:!MEDIUM:!LOW however, doing this seems to make v3 still work unless I
2015 Jan 19
1
Outlook and TLSv.1
...dea, my bet goes on your > ssl_cipher_list, try this > > # SSL ciphers to use > ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL > > > or search list archive and www for other better solutions and general > dovecot ssl configs I have this in production: ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!aNULL:-3DES:+AES256:+SHA:AES128-SHA:DES-CBC3-SHA ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 - AES128-SHA & TLSv1 for some Android v4.3 and earlier - DES-CBC3-SHA & TLSv1 for Outlook 2003 on Windows XP - TLSv1 for Thunderbird prior to v27 - TLSv1 for Outlook on Windows V...
2017 Feb 22
1
How to dsync mdbox compressed to maildir uncompressed
Hi Thomas, thank you for your help. This is very strange that it won't work here. Can you doveconf -n the relevant parts especially mail_plugins= and plugin { } I think I have misconfigured something :( Regards, Daniel
2015 May 22
1
Problems To Get Dovecot Running On FreeBSD: auth process crashes
...ssl = yes } process_limit = 1024 } service pop3-postlogin { executable = script-login /opt/dovecot-cf/bin/lastlogin.py } service pop3 { executable = pop3 pop3-postlogin } service quota-warning { user = vmail } ssl_cert = </usr/local/etc/dovecot/ssl/taunusstein.net.pem ssl_cipher_list = kEECDH:kEDH:AESGCM:ALL:+3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL ssl_dh_parameters_length = 4096 ssl_key = </usr/local/etc/dovecot/ssl/taunusstein.net.key ssl_parameters_regenerate = 1 hours ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 ssl_require_crl = no userdb {...
2014 Dec 02
2
disabling certain ciphers
On 12/2/2014 1:32 AM, Reindl Harald wrote: > > Am 02.12.2014 um 06:44 schrieb Will Yardley: >> On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: >>> On 12/1/2014 4:43 PM, Will Yardley wrote: >>>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config >>>> (in a way that's sane)? >>> >>>> Is there a
2014 Apr 25
1
Incompatibility Thunderbirds Auth Mech TLS-Certificate <-> Dovecot
...ogin /opt/cfbin/lastlogin.sh } service pop3 { executable = pop3 pop3-postlogin } service quota-warning { executable = script /opt/cfbin/quota-warning.sh user = vmail } ssl_ca = </opt/dovecot/etc/dovecot/client-ca.pem ssl_cert = </opt/dovecot/etc/dovecot/example.net.pem ssl_cipher_list = kEECDH:kEDH:AESGCM:ALL:+3DES:!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL ssl_dh_parameters_length = 4096 ssl_key = </opt/dovecot/etc/dovecot/example.net.key ssl_prefer_server_ciphers = yes ssl_verify_client_cert = yes verbose_ssl = yes protocol imap { imap_client_workarounds = tb-extra-mailbox-sep mail_max_u...
2015 Jan 16
4
Outlook and TLSv.1
Hi Folks, after adding TLSv1.2 to my TLS options a lot of Outlook users complained about connection errors, openssl s_client and Thunderbird work fine. I found some posts about this but none of them had a real solution on this - I meanwhile disabled TLSv1.2 which made the Outlook users happy. I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014 ssl_cert = </var/qmail/control/servercert.pem
2015 Jul 20
0
Problems with IMAP/POP and dovecot director on backend (director_proxy_maybe)
...ipc { unix_listener ipc { user = dovecot } } service lmtp { inet_listener lmtp { port = 24 } } service managesieve-login { inet_listener sieve { address = mailbox01.example.de } } service pop3-login { executable = pop3-login director } ssl = no ssl_cipher_list = kEECDH+aRSA+AES256:kEDH+aRSA+AES256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA ssl_dh_parameters_length = 4096 ssl_options = no_compression ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3 !TLSv1.1 userdb { args = /etc/dovecot/ldap.conf driver = ldap } verbose_proctitle = yes protocol lmtp...