Displaying 20 results from an estimated 35 matches for "krsa".
2018 Jan 09
2
openssl question
> but I try this command
>
> openssl s_client -connect mail.mydomain:pop3s -starttls imap
>
> it says CONNECTED and hangs. Is the second command correct?
Uh, "pop3s" != "imap", and IMAP/STARTTLS is not the same as
IMAP/SSL (or whatever the hell the terminology is nowadays).
If you're testing IMAP, try one or the other or both depending
on how many flavours
2018 Jan 09
0
openssl question
> TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> our dovecot (2.0.9 on redhat) 10-ssl.conf file we have
>
> ssl_cipher_list = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SSLv3
Offhand, I don't know of a fast way to match up client cipher specs
and server cipher specs. The hard part is trying to figure out what
the client is doing. Maybe you can turn on dovecot "verbose_...
2019 Oct 28
3
changing cipher for imap clients
...x server, I see:
Anonymous TLS connection established from * TLSv1 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits)
how can I tell dovecot to use AES256, instead of AES128 ?
is this set by ssl_cipher_list ? Here are my current values (defaults)
# doveconf ssl_cipher_list
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# dovecot --version
2.3.4.1
thanks,
2017 Apr 27
2
confused with ssl settings and some error - need help
...i Tuomi <aki.tuomi at dovecot.fi>:
>
> > On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl>
> wrote:
> >
> >
> > Thank You for answers. But:
> > 1. How should be properly configured ssl_cipher_list?
>
> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>
> To disable non-EC DH, use:
>
> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>
> > 2. Ok, removed !TLSv1...
2016 Oct 27
2
Bugreport: managesieve-login won't start without a ssl-key
...r /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
ssl = yes
}
}
ssl = required
ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
ssl_cipher_list = HIGH::!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES
ssl_dh_parameters_length = 2048
ssl_key = </etc/ssl/private/imap.toppoint.de.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv3 !SSLv2
userdb {
driver = passwd
}
protocol lmtp {
mail_plugins = sieve
}
protocol...
2017 Apr 30
2
confused with ssl settings and some error - need help
...il 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl>
> >> wrote:
> >> >
> >> >
> >> > Thank You for answers. But:
> >> > 1. How should be properly configured ssl_cipher_list?
> >>
> >> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> >>
> >> To disable non-EC DH, use:
> >>
> >> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:
> >> !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH...
2017 Apr 27
2
confused with ssl settings and some error - need help
Thank You for answers. But:
1. How should be properly configured ssl_cipher_list?
2. Ok, removed !TLSv1 !TLSv1.1.
3. Strange thing with ssl_protocols and ssl_cipher_list, because on older
server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two
lines look exactly the same and no errors in mail.err file and mails
work without any problem.
4. No, currently I don't use LMTP.
2020 Nov 15
1
no shared cipher openssl
...ca =
#ssl_require_crl = yes
#ssl_client_ca_dir =
#ssl_client_ca_file =
#ssl_verify_client_cert = no
#ssl_cert_username_field = commonName
#ssl_dh_parameters_length = 1024
#ssl_protocols = !SSLv3
# SSL ciphers to use
# old values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no
# SSL crypto device to...
2017 Apr 27
0
confused with ssl settings and some error - need help
> On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl> wrote:
>
>
> Thank You for answers. But:
> 1. How should be properly configured ssl_cipher_list?
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
To disable non-EC DH, use:
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> 2. Ok, removed !TLSv1 !TLSv1.1.
> 3. Strange thing with s...
2020 Oct 01
3
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
hi,
On 10/1/20 12:21 AM, JEAN-PAUL CHAPALAIN wrote:
> I had the same problem when migrating from Dovecot V2.2.36 on Centos-7 to Dovecot v2.3.8 on Centos-8
My report is specifically/solely about the addition/use of the
Options = ServerPreference
parameter.
I don't see that in your configuration.
Are you using it? In a config using Dovecot's submission proxy?
2018 Dec 14
2
Upgrade to 2.3.1 has failed
...ssl_cert =
/etc/certbot/live/privustech.com/fullchain.pem
ssl_key = /etc/certbot/live/privustech.com/privkey.pem
ssl_dh = /etc/dovecot/dh.pem #(yes, it took five hours to create...)
ssl_min_protocol = TLSv1
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_prefer_server_ciphers = no
3. We have checked 10-ssl.conf against the 2.3 default at
https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf
4. We do NOT include the...
2017 Apr 27
0
confused with ssl settings and some error - need help
...>
>>
>> > On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl>
>> wrote:
>> >
>> >
>> > Thank You for answers. But:
>> > 1. How should be properly configured ssl_cipher_list?
>>
>> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>>
>> To disable non-EC DH, use:
>>
>> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>>
>...
2017 May 05
0
confused with ssl settings and some error - need help
...erwis <serwis at poliman.pl>
> > >> wrote:
> > >> >
> > >> >
> > >> > Thank You for answers. But:
> > >> > 1. How should be properly configured ssl_cipher_list?
> > >>
> > >> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> > >>
> > >> To disable non-EC DH, use:
> > >>
> > >> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:
> > >> !aNULL:!eNULL:!EXPORT:...
2018 Dec 14
0
Upgrade to 2.3.1 has failed
...#(yes, it took five hours to create...)
Hi! You should use
ssl_cert =</etc/certbot/live/privustech.com/fullchain.pem
ssl_key =</etc/certbot/live/privustech.com/privkey.pem
ssl_dh =</etc/dovecot/dh.pem
> ssl_min_protocol = TLSv1
> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> ssl_prefer_server_ciphers = no
>
You should set ssl_prefer_server_ciphers = yes.
> 3. We have checked 10-ssl.conf against the 2.3 default at
> https://github.com/dovecot/core/blob/...
2019 Oct 28
0
changing cipher for imap clients
...established from * TLSv1 with cipher
> ECDHE-RSA-AES256-SHA (256/256 bits)
>
> how can I tell dovecot to use AES256, instead of AES128 ?
>
> is this set by ssl_cipher_list ? Here are my current values (defaults)
>
> # doveconf ssl_cipher_list
> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>
> # dovecot --version
> 2.3.4.1
>
> thanks,
Perhaps your client does not support it?
Also, you could try the *default* cipher list (unset ssl_cipher_list), which is reasonable. Also make sure...
2020 Oct 01
0
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
...like that :
openssl_conf = default_modules
[ default_modules ]
ssl_conf = ssl_module
[ ssl_module ]
system_default = crypto_policy
[ crypto_policy ]
*.include /etc/crypto-policies/back-ends/opensslcnf.config*
And /etc/crypto-policies/back-ends/opensslcnf.config :
CipherString = @SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
MinProtocol = *TLSv1.1*
MaxProtocol = TLSv1.3
Regards
Le jeu. 1 o...
2016 Oct 28
0
Bugreport: managesieve-login won't start without a ssl-key
...es' protocol, i.e. ManageSieve with
TLS from the start. It doesn't exist by the standard. ManageSieve only
uses the STARTTLS command. Leave out the ssl=yes here.
> }
> ssl = required
> ssl_cert = </etc/ssl/private/imap.toppoint.de.crt
> ssl_cipher_list = HIGH::!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES
> ssl_dh_parameters_length = 2048
> ssl_key = </etc/ssl/private/imap.toppoint.de.pem
> ssl_prefer_server_ciphers = yes
> ssl_protocols = !SSLv3 !SSLv2
> userdb {
> driver = passwd
> }
> protocol l...
2020 Nov 16
0
no shared cipher openssl
...fy_client_cert = no
> > #ssl_cert_username_field = commonName
> > #ssl_dh_parameters_length = 1024
> > #ssl_protocols = !SSLv3
> >
> > # SSL ciphers to use
> > # old values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> > ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> >
> > # Prefer the server's order of ciphers over client's.
> > #ssl_prefer_server_ciphers = no
> >
> > # Prefer the server's order of ciphers over client...
2020 Mar 09
0
dovecot-pigeonhole Broken ?
...up = postfix
mode = 0666
user = postfix
}
user = root
}
ssl = required
ssl_alt_cert = </etc/letsencrypt/live/mx02.esslmaier.at/fullchain.pem
ssl_alt_key = # hidden, use -P to show it
ssl_cert = </etc/letsencrypt/live/mx02.esslmaier.at/fullchain-ecdsa.pem
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_client_ca_file = </etc/pki/tls/cert.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.1
ssl_options = no_compression
userdb {
driver = passwd
}
userd...
2019 Oct 04
1
imapsieve administrator scripts are not executed in the order they are defined
...p lmtp sieve sieve
service imap-login {
inet_listener imap {
port = 0
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0666
user = postfix
}
}
ssl = required
ssl_cert = </etc/ssl/dovecot/somehost.cert.pem
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
args = username_format=%u /etc/dovecot/users
driver = passwd-file
}
verbose_ssl = yes
protocol...