Displaying 20 results from an estimated 21 matches for "ssl_curve_list".
2017 Dec 25
0
ssl_curve_list seems to be ignored with Dovecot 2.3
Hi all,
after upgrading to Dovecot 2.3, I've noticed the new "ssl_curve_list"
TLS option in 10-ssl.conf.
Setting it to "ssl_curve_list = X25519:P-256" or leaving it blank (auto)
does not change anything, Dovecot keeps on negotiating P-384:
Server Temp Key: ECDH, P-384, 384 bits
When using "-curves X25519" in s_client, it does a fallback to DH:
Serv...
2018 Jul 31
2
2.3.2.1 - EC keys support?
...with the OpenSSL API and only roughly gather
> that the app (dovecot) would have to make the API call [
> SSL_CTX_set1_groups_list ]
> (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html)
> in order to support those curves.
>
>
Whoops.
We have a setting called `ssl_curve_list` in dovecot, and I tried using
that when I was testing. Turns out that there is a bug preventing that
setting from being used. If you are compiling yourself, you can use the
attached patch to fix this.
After applying, you can set
ssl_curve_list = brainpoolP512r1
And then you can connect again....
2018 Jul 30
2
2.3.2.1 - EC keys support?
>>>> I did some local testing and it seems that you are using a curve
>>>> that is not acceptable for openssl as a server key.
>>>> I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem
>>>> -port 5555
>>>> using cert generated with brainpool. Everything works if I use
>>>> prime256v1 or secp521r1. This is a
2018 Jul 31
0
2.3.2.1 - EC keys support?
...gather
>> that the app (dovecot) would have to make the API call [
>> SSL_CTX_set1_groups_list ]
>> (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html)
>> in order to support those curves.
>>
>>
> Whoops.
>
> We have a setting called `ssl_curve_list` in dovecot, and I tried using
> that when I was testing. Turns out that there is a bug preventing that
> setting from being used. If you are compiling yourself, you can use the
> attached patch to fix this.
>
> After applying, you can set
>
> ssl_curve_list = brainpoolP512r1
>...
2018 Jul 31
2
2.3.2.1 - EC keys support?
...ovecot) would have to make the API call [
>>> SSL_CTX_set1_groups_list ]
>>> (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html)
>>> in order to support those curves.
>>>
>>>
>> Whoops.
>>
>> We have a setting called `ssl_curve_list` in dovecot, and I tried using
>> that when I was testing. Turns out that there is a bug preventing that
>> setting from being used. If you are compiling yourself, you can use the
>> attached patch to fix this.
>>
>> After applying, you can set
>>
>> ssl_cu...
2019 Mar 24
0
Cannot get sieve script replication to work
...CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA
ssl_client_ca_dir = /etc/ssl/certs
ssl_curve_list = X25519:P-256
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_compression, no_ticket
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_plugins = quota ol...
2018 Dec 19
1
How to configure Dovecot to disable NIST's curves and still retain EECDH?
My opinion is that security by RFC is not security, it's mommy medicine.
Standards have had a terrible time keeping up with security realities.
NIST's curves leak side channel information all over the place. I don't
have details on what implementations are set to calculate the NIST
curves in constant time, and that's not an easy feat to do anyway so I
don't want to depend
2020 Apr 25
4
problem with a public folder
    ...mode = 0660
    user = vmail
  }
}
service welcome {
  executable = script /usr/local/etc/dovecot/welcome.sh
  unix_listener welcome {
    user = vmail
  }
  user = vmail
}
ssl = required
ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_curve_list = P-256
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_ticket
ssl_prefer_server_ciphers = yes
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_fsync = optimized
  mail_plugin...
2020 Apr 13
5
got a listener on 993
    ...0
    user = vhostname
  }
}
service welcome {
  executable = script /usr/local/etc/dovecot/welcome.sh
  unix_listener welcome {
    user = vhostname
  }
  user = vhostname
}
ssl = required
ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_curve_list = P-256
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_ticket
ssl_prefer_server_ciphers = yes
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  hostname_fsync = optimized
  hostnam...
2020 Sep 24
3
dovecot TLS 1.3 config option 'ssl_ciphersuites' causes fatal error on launch. not supported, bad config, or bug?
...ice_ssl_settings_get(service);
	if (strcmp(set->ssl, "no") == 0) {
		/* SSL disabled, don't use it */
		return;
	}
	i_zero(&ssl_set);
	ssl_set.min_protocol = set->ssl_min_protocol;
	ssl_set.cipher_list = set->ssl_cipher_list;
	ssl_set.curve_list = set->ssl_curve_list;
	ssl_set.ca = set->ssl_ca;
	...
there's only mention of set->ssl_cipher_list, not set->ssl_ciphersuites
or equivalent, afaict.
if in dovecot's 10-ssl.conf I set
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA2...
2019 Oct 14
0
Panic: file smtp-client-connection.c: line 1212 (smtp_client_connection_established): assertion failed: (!conn->connect_succeeded)
...list = TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
> ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
> ssl_curve_list = X25519:secp521r1:secp384r1
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
> ssl_options = no_ticket
> ssl_prefer_server_ciphers = yes
> submission_client_workarounds = whitespace-before-path
> submission_max_mail_size = 50000 k
> submission_relay_host =...
2020 Apr 25
2
problem with a public folder
    ...mode = 0660
    user = vmail
  }
}
service welcome {
  executable = script /usr/local/etc/dovecot/welcome.sh
  unix_listener welcome {
    user = vmail
  }
  user = vmail
}
ssl = required
ssl_cert = </usr/local/etc/ssl/acme.sh/domain.com/fullchain.crt
ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
ssl_curve_list = P-256
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_ticket
ssl_prefer_server_ciphers = yes
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_fsync = optimized
  mail_plugin...
2020 Apr 14
0
got a listener on 993
>   ...executable = script /usr/local/etc/dovecot/welcome.sh
>   unix_listener welcome {
>     user = vhostname
>   }
>   user = vhostname
> }
> ssl = required
> ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt
> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
> ssl_curve_list = P-256
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
> ssl_options = no_ticket
> ssl_prefer_server_ciphers = yes
> userdb {
>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> pr...
2020 Apr 25
0
problem with a public folder
> ...vice welcome {
>   executable = script /usr/local/etc/dovecot/welcome.sh
>   unix_listener welcome {
>     user = vmail
>   }
>   user = vmail
> }
> ssl = required
> ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt
> ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM
> ssl_curve_list = P-256
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
> ssl_options = no_ticket
> ssl_prefer_server_ciphers = yes
> userdb {
>   args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
>   driver = sql
> }
> protocol lmtp...
2019 Jun 16
1
Dovecot, quota, warning, and issue with setup?
...rvice welcome {
  executable = script /usr/local/etc/dovecot/welcome.sh
  unix_listener welcome {
    user = vmail
  }
  user = vmail
}
ssl = required
ssl_cert = </usr/local/etc/ssl/acme.sh/example.net/fullchain.crt
ssl_cipher_list = ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1
ssl_curve_list = P-256
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_ticket
ssl_prefer_server_ciphers = yes
userdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  info_log_path = /var/log/dovecot/dov...
2019 Feb 01
2
Crash when using dict quotas with sqlite database
...CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA
ssl_client_ca_dir = /etc/ssl/certs
ssl_curve_list = X25519:P-256
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_compression, no_ticket
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocol lmtp {
  mail_plugins = quota ol...
2019 Oct 11
2
Panic: file smtp-client-connection.c: line 1212 (smtp_client_connection_established): assertion failed: (!conn->connect_succeeded)
....pem
ssl_cipher_list = TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
ssl_curve_list = X25519:secp521r1:secp384r1
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_options = no_ticket
ssl_prefer_server_ciphers = yes
submission_client_workarounds = whitespace-before-path
submission_max_mail_size = 50000 k
submission_relay_host = mta2.example.com
submission_relay_ssl = sta...
2020 Jul 03
0
Quota: How/where to set/change
...cert_username_field = commonName
| ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH
| ssl_client_ca_dir =
| ssl_client_ca_file =
| ssl_client_cert =
| ssl_client_key =
| ssl_client_require_valid_cert = yes
| ssl_crypto_device =
| ssl_curve_list =
| ssl_dh = # hidden, use -P to show it
| ssl_key = # hidden, use -P to show it
| ssl_key_password =
| ssl_min_protocol = TLSv1
| ssl_options =
| ssl_prefer_server_ciphers = no
| ssl_require_crl = yes
| ssl_verify_client_cert = no
| state_dir = /var/lib/dovecot
| stats_writer_socket_path = stat...
2020 Aug 25
2
zlib errors after upgrading
> On 25/08/2020 14:35 Robert Nowotny <rnowotny at rotek.at> wrote:
>
>
> I get ZLIB Errors after dovecot upgrade from 2.3.10.1 to 2.3.11.3
>
>
> Aug 21 15:27:34 lxc-imap dovecot: imap(acsida)<63870><jZk...>: Error: Mailbox Sent: UID=40826: read(zlib(/home/vmail/virtualmailboxes/acsida/storage/m.2409)) failed:
2019 Mar 30
3
Trying to track down source of duplicate messages
...lt_cert =
ssl_alt_key =
ssl_ca =
ssl_cert = </etc/letsencrypt/fullchain.pem
ssl_cert_username_field = commonName
ssl_cipher_list = ALL:!LOW:!EXP:!aNULL:!RC4::!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
ssl_client_ca_dir =
ssl_client_ca_file =
ssl_client_cert =
ssl_client_key =
ssl_crypto_device =
ssl_curve_list =
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_key_password =
ssl_min_protocol = TLSv1
ssl_options =
ssl_prefer_server_ciphers = yes
ssl_require_crl = yes
ssl_verify_client_cert = no
state_dir = /var/lib/dovecot
stats_writer_socket_path = stats-writer
submission_cl...