Displaying 20 results from an estimated 141 matches for "ssl_min_protocol".

2019 Apr 02
1
ssl_min_protocol
What are the possible settings for ssl_min_protocol? I only see it on the upgrade page where it mentions the default is TLSv1. Searching on the dovecot page gives me "Your search query "ssl_min_protocol" didn't return any results." -- Up the airy mountains, down the rushy glen... From ghosties and bogles and long-leggity...
2020 Apr 13
2
Unable to set ssl_min_protocol=TLSv1.3
Good $daytime, as per the recommendations of Mozilla's SSL config generator[0], I wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config. This produced the error: imap-login: Error: Failed to initialize SSL server context: Unknown ssl_min_protocol setting 'TLSv1.3' After some digging, I found the function that parses this setting in src/lib-ssl-iostream/iostream-openssl-common.c (openssl_m...
2018 Jun 22
2
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
...ie hellman parameters file. I never set up ssl-parameters.dat before (should i have? do I have one that was automatically made for me by dovecot?) Do I need to make a fresh dh.pem? The upgrade doc tells how to convert ssl-parameters.dat but how to make a new one? other question is if I copy ssl_min_protocol from example config into my existing config is that enough? do experts on this list recommend any tweaks that increase client requirements more than dovecot developers are comfortable with but will ensure more secure protocol usage?...
2019 Nov 26
2
ssl_min_protocol = TLSv1.3 does not work
...TLS 1.3 only, but that does not seem to be supported. First off, TLS 1.3 itself does work fine, so it's not the config or ssl library, and 1.3-only works fine with Postfix. The problem is only in disabling TLS 1.2 for Dovecot. On connection, I'm getting an error that 1.3 is an "Unknown ssl_min_protocol setting". Reading the source code, it seems that `openssl_min_protocol_to_options` in `src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an entry like { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 } Is this a bug,...
2018 Jun 22
0
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
...with the instructions given, or you can make a fresh one using openssl gendh 4096 > dh.pem Note that this will require quite a lot of entropy, so you should probably ensure that you run it on a laptop or with virtual machine that has some entropy source/helper. > other question is if I copy ssl_min_protocol from example config into > my existing config is that enough? do experts on this list recommend > any tweaks that increase client requirements more than dovecot > developers are comfortable with but will ensure more secure protocol > usage? > ssl_min_protocols defines the m...
2020 Apr 13
0
Unable to set ssl_min_protocol=TLSv1.3
> On 13/04/2020 12:35 Thomas Schneider <qsx at chaotikum.eu> wrote: > > > Good $daytime, > > as per the recommendations of Mozilla's SSL config generator[0], I > wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config. This > produced the error: > > imap-login: Error: Failed to initialize SSL server context: Unknown > ssl_min_protocol setting 'TLSv1.3' > > After some digging, I found the function that parses this setting in > src/lib-ssl-iostream/i...
2020 Jul 18
2
problem with client using TLS
Hello! Benny Pedersen <me at junc.eu> wrote on 18.07.20 at 13:04:37: > ratatouille wrote on 2020-07-18 12:33: > > ssl_min_protocol = TLSv1.2 > > ssl_cipher_list = PROFILE=SYSTEM > > ssl_prefer_server_ciphers = yes > > comment these lines, then I believe k9 works > > if it still does not, then drop k9 mail Commenting just ssl_min_protocol = TLSv1.2 seems to solve the problem. So I have the default ssl...
2019 Nov 27
0
ssl_min_protocol = TLSv1.3 does not work
...es not seem to be supported. > First off, TLS 1.3 itself does work fine, so it's not the config or > ssl library, and 1.3-only works fine with Postfix. The problem is only > in disabling TLS 1.2 for Dovecot. > On connection, I'm getting an error that 1.3 is an "Unknown > ssl_min_protocol setting". > Reading the source code, it seems that > `openssl_min_protocol_to_options` in > `src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an > entry like > > { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | > SSL_OP_NO_TLSv1_1 | S...
2018 Jun 25
1
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
Thanks Joseph, Aki, but something missing from upgrade document, where does the dh param file go? I located ssl-parameters.dat so I will put it there. Quoting Joseph Tam <jtam.home at gmail.com>: > On Fri, 22 Jun 2018, Joseph Tam wrote: > >> However, recent advances make this condition obsolete [*] and not >> really safer, so a much faster way to generate a DH key is
2020 Jul 16
2
Outlook vs Thunderbird
...anyone with Windows7 clients be able to provide me with the EXACT set of ssl_* settings that should work with W7 please? I tried for a week with various combinations but nothing worked short of disabling SSL altogether. These are the remnants of some attempts... # 20200531 suggested by Aki Tuomi #ssl_min_protocol = TLSv1.0 #ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL # https://ssl-config.mozilla.org OLD # openssl dhparam -dsaparam 1024 > /etc/dovecot/dh.pem ssl_prefer_server_ciphers = yes #ssl_min_protocol = TLSv1 #ssl_cipher_list = ECDHE-ECDSA**** # https://ssl-config.mozilla.org MEDIUM # openssl dhpara...
2020 Jul 18
4
problem with client using TLS
18.07.2020, 14:30, Benny Pedersen <me at junc.eu> ratatouille wrote on 2020-07-18 13:20: > Commenting just ssl_min_protocol = TLSv1.2 seems to solve the problem. > So I have the default ssl_min_protocol = TLSv1 which means that the device running k9 is not supporting TLS 1.2 yet TLS 1.2 is enabled by default in Android versions 5.0 and newer. For earlier Android versions, K9 has (or used to have) a setting to "...
2019 Sep 30
1
Sieve replication - does not replicate
...r 1: # 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf # Pigeonhole version 0.5.4 () doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf doveconf: Warning: Obsolete setting in /etc/dovecot/conf.d/10-ssl.conf:51: ssl_protocols has been replaced by ssl_min_protocol doveconf: Error: Could not find a minimum ssl_min_protocol setting from ssl_protocols = !SSLv2 !SSLv3: Unrecognized protocol 'SSLv2' doveconf: Warning: NOTE: You can get a new clean config file with: doveconf -Pn > dovecot-new.conf doveconf: Warning: Obsolete setting in /etc/dovecot/c...
2018 Jun 22
0
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
On Fri, 22 Jun 2018, Joseph Tam wrote: > However, recent advances make this condition obsolete [*] and not > really safer, so a much faster way to generate a DH key is > > openssl dhparam -dsaparam -out dh.pem 4096 > > DH generation is a one time operation, so if you're paranoid and you've > got time to burn, go ahead and generate the "safe" DH key. >
2020 Jul 18
2
problem with client using TLS
...ror: SSL_accept() syscall failed: Invalid argument Tried different settings without luck. grep -v '^#' 10-ssl.conf ssl = yes ssl_cert = </etc/letsencrypt/live/smtp.dualbit.de/fullchain.pem ssl_key = </etc/letsencrypt/live/smtp.dualbit.de/privkey.pem ssl_dh = </etc/dovecot/dh.pem ssl_min_protocol = TLSv1.2 ssl_cipher_list = PROFILE=SYSTEM ssl_prefer_server_ciphers = yes Can somebody help solving this? Kind regards Andreas
2018 Jun 22
2
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
On Fri, 22 Jun 2018, Aki Tuomi wrote: >> Do I need to make a fresh dh.pem? The upgrade doc tells how to convert >> ssl-parameters.dat but how to make a new one? > > ... or you can make a fresh one using openssl > gendh 4096 > dh.pem This also works openssl dhparam -out dh.pem 4096 > Note that this will require quite a lot of entropy, so you should > probably
2020 May 31
5
I can no longer use TLS for Windows7 and Outlook
...is currently... ssl_ca = </etc/ssl/certs/ca-certificates.crt ssl_cert = </etc/ssl/example.com/fullchain.pem ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_options = no_compression no_ticket ssl_prefer_server_ciphers = yes I have commented out ssl_cipher_list, ssl_min_protocol and others to get back to whatever the defaults are so I am not simply guessing what the optimal settings would be to cover Win7 and up. Yes I know Win7 is no longer supported but that does not help the 100s of older users I have that can't/won't upgrade their computers.
2020 Aug 17
4
Apple Mail Since upgrade to dovecot 2.3.x unable to connect
On 17.08.20 at 12:16, Aki Tuomi wrote: > You need to set > > ssl_min_protocol = TLSv1.2 # or TLSv1 Thanks, tried both, but unsuccessfully. Again, is there any debug setting that allows me to see what SSL version was requested? Without this, this is fumbling in the dark. Cheers, Johannes
2018 Dec 14
2
Upgrade to 2.3.1 has failed
...openSUSE Leap 42.3. But we upgraded openSUSE to Leap 15.0. In the process, Dovecot got upgraded from 2.2 to 2.3.1. It no longer works and I haven't figured out how to downgrade to the older working version. The key issue seems to be the change to requiring dh.pem and changing ssl_protocols to ssl_min_protocols. I think I've navigated both correctly, but it still doesn't work. The error is auth: Error: stats: open(old-stats-user) failed: Permission denied as a consequence of which we get imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate:...
2019 Aug 21
4
sometimes no shared cipher after upgrade from 2.2 to 2.3
We recently upgraded from dovecot 2.2 to 2.3.7.1-1 Not many, but some users are experiencing difficulties. The dovecot directors log: Aug 21 14:28:49 director01 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=redacted, lip=10.0.0.120, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher,
2020 Jul 15
2
Outlook vs Thunderbird
On Tue Jul 07 2020 02:07:08 GMT-0400 (Eastern Standard Time), Mark Constable <markc at renta.net> wrote: > FWIW I meant if the client is Windows7/old-Outlook then changing either > 993/SSL or 143/STARTTLS to 143/NONE could help pick up the mail. We had > to do this for a 100 or so clients a few months ago after upgrading to > Ubuntu 20.04. Really, really bad idea. You just