search for: ssl_dh_parameters_length

Hi, I couldn't really find documentation about ssl_dh_parameters_length except for mention in passing on the page https://wiki2.dovecot.org/SSL/DovecotConfiguration For version 2.3 and above is that setting necessary? If so what are the values I can use, is setting it high like 4096 beneficial or make any problems for clients? Thanks for assistance.

...some posts about this but none of them had a real solution on this - I meanwhile disabled TLSv1.2 which made the Outlook users happy. I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014 ssl_cert = </var/qmail/control/servercert.pem ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH ssl_dh_parameters_length = 2048 ssl_key = </var/qmail/control/servercert.pem ssl_protocols = !SSLv2 !TLSv1.2 The certificate is from Comodo using sha256. Any idea? Oliver -- Protect your environment - close windows and adopt a penguin! -------------- next part -------------- A non-text attachment was scrubbed......

...? > > > Is there a way to exclude these ciphers, while still keeping my config > > easy to parse and avoiding duplicative or deprecated configs? > > Yes to both. If you need to support older clients: > > ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH > ssl_dh_parameters_length = 2048 > ssl_parameters_regenerate = 0 > ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 But why does ssl_protocols behave differently depending on if $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient? It seems that if ssl_cipher_list is defined, ssl_protocols =...

Dear Team I have faced issue with email downloading in the email client by using pop3 SSL port 995 in dovecot v2.1.17 for outlook client 2016 on production environment. As per my troubleshooting on my test environment, I have upgraded dovecot version v2.2.28, and changed paramer "ssl_dh_parameters_length = 2048" and "verbose_ssl = yes", The issue seems to be resolved in dovecot v2.2.28. What can i do to resolve this issue in dovecot v2.1.17 in Production environment? Kindly help. Thanks a lot in advance. Regards, Bhushan Bhosale

Can you use both ssl_protocols *and* ssl_cipher_list in the same config (in a way that's sane)? ssl_protocols (>= 2.1) and ssl_cipher_list co-exist, or are they mutually exclusive? I have a Dovecot 2.2.13 system, and I tried setting: I also tried things like ssl_cipher_list = HIGH or ssl_cipher_list = HIGH:!MEDIUM:!LOW however, doing this seems to make v3 still work unless I

Based on the recent found weaknesses in DH key exchange, http://weakdh.org/ I increased ssl_dh_parameters_length to 2048 bits, and found waited for 5+ minutes for dovecot to come back online after a restart. Unless you got a fast machine, the initialization of DH parameters can exceed your patience. Regeneration may not be a problem (if ssl_parameters_regenerate=0 or if Dovecot uses old parameters until rege...

Hello, after switching from version 2.2.7 to 2.2.7 I miss the loglines which say: ssl-params: Generating SSL parameters ssl-params: SSL parameters regeneration completed The configuration has not been changed and reads: | # 2.2.7: /usr/local/dovecot/etc/dovecot/dovecot.conf | # OS: Linux 2.6.35.14-106.fc14.i686.PAE i686 Fedora release 14 (Laughlin) ext3 | auth_mechanisms = plain login |

...hese ciphers, while still keeping my config >>>> easy to parse and avoiding duplicative or deprecated configs? >>> >>> Yes to both. If you need to support older clients: >>> >>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH >>> ssl_dh_parameters_length = 2048 >>> ssl_parameters_regenerate = 0 >>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 >> >> But why does ssl_protocols behave differently depending on if >> $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient? >> >> I...

...e config > (in a way that's sane)? > Is there a way to exclude these ciphers, while still keeping my config > easy to parse and avoiding duplicative or deprecated configs? Yes to both. If you need to support older clients: ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH ssl_dh_parameters_length = 2048 ssl_parameters_regenerate = 0 ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 If your userbase is limited to current clients and OSes, you can take it a bit further: ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!3DES:!aNULL:@STRENGTH ssl_dh_parameters_length = 4096 ssl_parameters_regenerat...

...evious Mail:==========I have faced issue with email downloading in the email client by using pop3s SSL port 995 in dovecot v2.1.17 for outlook client 2016 on production environment. As per my troubleshooting on my test environment, I have upgraded dovecot version v2.2.28, and changed paramer "ssl_dh_parameters_length = 2048" and "verbose_ssl = yes", The issue seems to be resolved in dovecot v2.2.28. What can i do to resolve this issue in dovecot v2.1.17? Kindly help.

...n >> this - I meanwhile disabled TLSv1.2 which made the Outlook users happy. >> >> I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014 >> >> ssl_cert = </var/qmail/control/servercert.pem >> ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH >> ssl_dh_parameters_length = 2048 >> ssl_key = </var/qmail/control/servercert.pem >> ssl_protocols = !SSLv2 !TLSv1.2 >> >> The certificate is from Comodo using sha256. >> >> Any idea? >> >> Oliver >> > > there is no "Outlook", please do a exact debug wh...

...ficate, so I did (same CA). The new > certificate works fine in Apache and Postfix. But when I update Dovecot > to use the same certificate, and restart the server, Dovecot stops > responding to connects. > ... > Here is the end of the dovecot -n file that mentions SSL: > ... > ssl_dh_parameters_length = 2048 When you start dovecot, does CPU load of dovecot/ssl-params roof to 100%? It's possible it's generating ephemeral DH keys. In a previous post to this list, I note that the run time to generate these keys can vary wildly, and gets worse with longer keys. Sometimes you get lucky, an...

...ed shorter (<= 1024 bit) primes. Using shorter primes, and regenerating DH parameters at regular intervals, is only a linear-time improvement. By contrast, generating longer DH parameters (without bothering to regenerate) is an EXPONENTIAL improvement in security. So the best setting is to set ssl_dh_parameters_length as large as feasible ([2] recommends 2048 bits), and NOT to regenerate. [1] http://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test [2] https://weakdh.org/sysadmin.html -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp...

...y = </etc/postfix/smtpd.key ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1 ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384[image: :D]HE-RSA-AES128-GCM-SHA256[image: :D]HE-DSS-AES$ ssl_prefer_server_ciphers = yes ssl_dh_parameters_length = 2048 mail_max_userip_connections = 100 passdb { # args = /etc/dovecot/dovecot-sql.conf # driver = sql driver = passwd-file args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd } userdb { driver = prefetch } userdb { args = /etc/dovecot/dovecot-sql.conf driver = sql } Of course I created cram-md5.pw...

...user = postfix } } service managesieve-login { inet_listener sieve { port = 4190 ssl = yes } } ssl = required ssl_cert = </etc/ssl/private/imap.toppoint.de.crt ssl_cipher_list = HIGH::!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES ssl_dh_parameters_length = 2048 ssl_key = </etc/ssl/private/imap.toppoint.de.pem ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv3 !SSLv2 userdb { driver = passwd } protocol lmtp { mail_plugins = sieve } protocol imap { ssl_cert = </etc/ssl/private/imap.toppoint.de.crt ssl_key = </etc/ssl/private/imap...

I have the following two settings in my "10-ssl.conf" file # SSL protocols to use ssl_protocols = !SSLv2 # SSL ciphers to use ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL I have seen different configurations while Googling. I am wondering what the consensus is for the best settings for these two items. What do the developers recommend? Thanks! -- Jerry

...group = postfix mode = 0600 user = postfix } } service pop3-login { inet_listener pop3s { port = 995 ssl = yes } } ssl = required ssl_ca = </etc/ssl/certs/StartCom_Certification_Authority.pem ssl_cert = </etc/apache2/ssl.crt/mail.privustech.com_start.crt ssl_dh_parameters_length = 2048 ssl_key = </etc/apache2/ssl.key/mail.privustech.com.key ssl_options = no_compression ssl_prefer_server_ciphers = yes userdb { driver = passwd } userdb { args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n driver = static } verbose_ssl = yes protocol lda { deliver_l...

...al_use = \Sent } mailbox Spam { autoexpunge = 30 days special_use = \Junk } mailbox Trash { autoexpunge = 30 days special_use = \Trash } prefix = separator = / } passdb { driver = pam } pop3_uidl_format = %08Xv%08Xu ssl_cert = # REDACTED ssl_cipher_list = # REDACTED ssl_dh_parameters_length = # REDACTED ssl_key = # hidden, use -P to show it ssl_prefer_server_ciphers = yes userdb { driver = passwd } --- Amir

...ertions(+), 2 deletions(-) diff --git a/doc/example-config/conf.d/10-ssl.conf b/doc/example-config/conf.d/10-ssl.conf index 31b750c..2cd445b 100644 --- a/doc/example-config/conf.d/10-ssl.conf +++ b/doc/example-config/conf.d/10-ssl.conf @@ -46,7 +46,7 @@ ssl_key = </etc/ssl/private/dovecot.pem #ssl_dh_parameters_length = 1024 # SSL protocols to use -#ssl_protocols = !SSLv2 +#ssl_protocols = !SSLv3 # SSL ciphers to use #ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c index 4a05045..6b43f6c 100644 --- a/src...

...-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ssl_prefer_server_ciphers = yes (Dovecot 2.2.6 or greater) DH parameters #regenerates every week ssl_dh_parameters_length = 2048 Contrary to what the site recommends, I would have thought that changes should be made in the "10-ssl.conf" file. I am running "Dovecot 2.2.28" on a FreeBSD-11 machine with OpenSSL 1.0.2k, if that makes any difference. Thanks -- Jerry