Displaying 20 results from an estimated 205 matches for "ssl_parameters_regenerate".
2006 Jan 18
6
Major CPU spike for SSL parameters?
...eration completed
Note that this is not the DH parameter generation; that completed on the
first run, as documented.
This is impacting other processes on the machine, and it seems a bit of a
radical change. Is the internal default meant to be this short...? I'm
going to attempt to set "ssl_parameters_regenerate" explicitly, but I'd like
to stick with builtin defaults wherever possible.
(Perhaps this regeneration could also be made a little friendlier on the
machine, by forking and using setpriority() to lower the CPU demand of this
work from the default nice level of the main daemon.)
--
-- To...
2015 May 22
0
dovecot 2.2.18 and ssl_parameters_regenerate
...uldn't take more than a few seconds, but
with older computers it can take as long as half an hour. The extra
security gained by the regeneration is quite small, so with slower
computers, for Dovecot versions prior to v2.2, you might want to
disable it
If I look up the default value of ssl_parameters_regenerate I receive:
# doveconf -d ssl_parameters_regenerate
ssl_parameters_regenerate = 0
In your documentation you wrote that dovecot will regenerate every week. :/ ?
I set it to "1 hours" and watched whether /var/lib/dovecot/ssl-parameters.dat
is built every hour, but nothing happens. ssl-parameters.dat i...
2015 May 27
2
FREAK/Logjam, and SSL protocols to use
...e:
>> https://weakdh.org/sysadmin.html
>>
>> includes altering DH parameters length to 2048, and re-specifying the
>> allowable cipher suites - they give their suggestion.
>
> It looks like there is an error on this page regarding regeneration. In
> current dovecots ssl_parameters_regenerate defaults to zero, and this
> means regeneration is disabled. The old default was 168 hours (1 week).
> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is
> confusing and could be understood to mean that the current default is
> one week.
> To enable regeneration you...
2015 May 26
6
FREAK/Logjam, and SSL protocols to use
List, good afternoon,
I was reading up on a TLS Diffie-Hellman protocol weakness described here
https://weakdh.org/sysadmin.html
which is similar to the earlier FREAK attack, and can result in
downgrade of cipher suites.
Part of the solution workaround that the researchers describe for
Dovecot here
https://weakdh.org/sysadmin.html
includes altering DH parameters length to 2048, and
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
...>>>>
>>>> includes altering DH parameters length to 2048, and re-specifying the
>>>> allowable cipher suites - they give their suggestion.
>>>
>>> It looks like there is an error on this page regarding regeneration. In
>>> current dovecots ssl_parameters_regenerate defaults to zero, and this
>>> means regeneration is disabled. The old default was 168 hours (1 week).
>>> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is
>>> confusing and could be understood to mean that the current default is
>>> one week....
2015 Nov 04
1
ssl-params: slow startup (patch for consideration)
A. Schulze writes:
> precomputing ssl-params is also possible without patching but it's a
> little bit tricky
> ...
> Long version in german: https://andreasschulze.de/dovecot/ssl-params
Nice.
(You should probably point out to ensure ssl_parameters_regenerate is
zero, otherwise all this work will get wiped out!)
Joseph Tam <jtam.home at gmail.com>
2013 Nov 05
2
ssl-params regeneration with dovecot 2.2.7
...op3-login {
| inet_listener pop3 {
| port = 110
| }
| inet_listener pop3s {
| port = 995
| ssl = yes
| }
| }
| service pop3 {
| process_limit = 1024
| }
| ssl_cert = </usr/local/etc/c64.shuttle.de.CRT
| ssl_key = </usr/local/etc/c64.shuttle.de-dovecot.KEY
| ssl_parameters_regenerate = 1 hours
| userdb {
| driver = passwd
| }
| verbose_proctitle = yes
| protocol lmtp {
| mail_plugins = notify quota fts fts_squat
| }
| protocol lda {
| mail_plugins = notify quota fts fts_squat
| }
| protocol imap {
| imap_client_workarounds = delay-newmail tb-extra-mailbox-se...
2014 Dec 02
4
disabling certain ciphers
...xclude these ciphers, while still keeping my config
> > easy to parse and avoiding duplicative or deprecated configs?
>
> Yes to both. If you need to support older clients:
>
> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
> ssl_dh_parameters_length = 2048
> ssl_parameters_regenerate = 0
> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
But why does ssl_protocols behave differently depending on if
$ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
It seems that if ssl_cipher_list is defined,
ssl_protocols = !SSLv2 !SSLv3
results in TLS1.2 bei...
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
...:37 AM, Ron Leach wrote:
>
> https://weakdh.org/sysadmin.html
>
> includes altering DH parameters length to 2048, and re-specifying the
> allowable cipher suites - they give their suggestion.
It looks like there is an error on this page regarding regeneration. In
current dovecots ssl_parameters_regenerate defaults to zero, and this
means regeneration is disabled. The old default was 168 hours (1 week).
The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is
confusing and could be understood to mean that the current default is
one week.
To enable regeneration you can manually set:
ssl...
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
...dh.org/sysadmin.html
>>>
>>> includes altering DH parameters length to 2048, and re-specifying the
>>> allowable cipher suites - they give their suggestion.
>>
>> It looks like there is an error on this page regarding regeneration. In
>> current dovecots ssl_parameters_regenerate defaults to zero, and this
>> means regeneration is disabled. The old default was 168 hours (1 week).
>> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is
>> confusing and could be understood to mean that the current default is
>> one week.
>> To ena...
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
On 27/05/2015 05:22, Gedalya wrote:
> It looks like there is an error on this page regarding regeneration.
> In current dovecots ssl_parameters_regenerate defaults to zero, and
> this means regeneration is disabled. The old default was 168 hours (1
> week).
> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is
> confusing and could be understood to mean that the current default is
> one week.
I'd read that dovecot...
2014 Dec 02
2
disabling certain ciphers
Can you use both ssl_protocols *and* ssl_cipher_list in the same config
(in a way that's sane)?
ssl_protocols (>= 2.1)
and
ssl_cipher_list
co-exist, or are they mutually exclusive?
I have a Dovecot 2.2.13 system, and I tried setting:
I also tried things like
ssl_cipher_list = HIGH
or
ssl_cipher_list = HIGH:!MEDIUM:!LOW
however, doing this seems to make v3 still work unless I
2015 Nov 04
1
ssl-params: slow startup (patch for consideration)
...ey exchange,
http://weakdh.org/
I increased ssl_dh_parameters_length to 2048 bits, and found myself waiting
for 5+ minutes for dovecot to come back online after a restart.
Unless you've got a fast machine, the initialization of DH parameters can
exceed your patience.
Regeneration may not be a problem (if ssl_parameters_regenerate=0 or if
Dovecot uses old parameters until regeneration finishes), but for cold
starts, the server can be tied up for a few minutes creating DH parameters
while clients queue up.
I ran "openssl dhparam 2048" and got wildly varying run times of 1m45s,
11m56s, 0.4s, 2m19s, 3h23s. Most of t...
2014 Dec 02
2
disabling certain ciphers
...>>>> easy to parse and avoiding duplicative or deprecated configs?
>>>
>>> Yes to both. If you need to support older clients:
>>>
>>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
>>> ssl_dh_parameters_length = 2048
>>> ssl_parameters_regenerate = 0
>>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
>>
>> But why does ssl_protocols behave differently depending on if
>> $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient?
>>
>> It seems that if ssl_cipher_list is defined,
>...
2014 Dec 02
0
disabling certain ciphers
...'s sane)?
> Is there a way to exclude these ciphers, while still keeping my config
> easy to parse and avoiding duplicative or deprecated configs?
Yes to both. If you need to support older clients:
ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_parameters_regenerate = 0
ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
If your userbase is limited to current clients and OSes, you can take it
a bit further:
ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!3DES:!aNULL:@STRENGTH
ssl_dh_parameters_length = 4096
ssl_parameters_regenerate = 0
ssl_protocols = !SSLv2 !SSL...
2008 Mar 07
1
Can't load private key file
...ssword read
My dovecot.conf has the following set.
# Uncomment these if using SSL
ssl_cert_file = /etc/ssl/mailserver/mail.mydomain.tld.crt
ssl_key_file = /etc/ssl/mailserver/mail.mydomain.tld.key
#ssl_key_password =
#ssl_ca_file = /etc/ssl/mailserver/ca/mydomain.pem
#ssl_verify_client_cert = yes
ssl_parameters_regenerate = 168
verbose_ssl = no
I have been playing about with it all for about 3 hours now and would
greatly appreciate any help ;)
Regards
Adam
--------------------------------------------------------------------
myhosting.com - Premium Microsoft® Windows® and Linux web and application
hosting - http:...
2005 Oct 24
2
debian dovecot upgrade
...mail:~# cat /etc/dovecot/dovecot.conf | grep ssl
# --with-ssldir=/etc/ssl
#ssl_listen =
#ssl_disable = no
#ssl_cert_file = /etc/ssl/certs/dovecot.pem
#ssl_key_file = /etc/ssl/private/dovecot.pem
#ssl_ca_file =
#ssl_verify_client_cert = no
#ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
#ssl_parameters_regenerate = 24
#ssl_cipher_list = all:!LOW
#verbose_ssl = no
#ssl_require_client_cert = no
mail:~#
I tried on the command line
# dovecot -F -c dovecot.conf
my version is:
mail:~# dovecot --version
1.0.alpha3
mail:~#
Would anyone perhaps know why I can't get the daemon started.
Kind Regards
Brent Clark
2006 Jan 27
2
How to make pops
Hi,
I use dovecot (pop) with gentoo but it's not secure.
I would like to use pops but I don't know how to do this.
I think I have to use certificates...
This my dovecot.conf :
protocols = imap imaps pop3 pop3s
imap_listen = *
pop3_listen = *
imaps_listen = *
pop3s_listen = *
ssl_disable = no
login = imap
login = pop3
default_mail_env = maildir:%h/.maildir
mbox_locks = fcntl dotlock
auth =
2010 Sep 09
2
using palm pre client with imap server
...2.6.9-42.ELsmp i686 Red Hat Enterprise Linux ES release 4
(Nahant Update 8) ext3
base_dir: /var/run/dovecot
syslog_facility: local0
protocols: imap
listen: xxx.yyy.zzz.aaa
ssl_ca_file: /etc/pki/ca.crt.crl
ssl_cert_file: /etc/pki/private/ssl.crt.key.pem
ssl_key_file: /etc/pki/private/ssl.crt.key.pem
ssl_parameters_regenerate: 29
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/imap-login
mail_location: maildir:/home/vmail/%d/%n/Mail
auth default:
user: squab
username_chars: abcdefghijklmnopqrstuvwxyz01234567890.-_@
username_format: %Lu
passdb:
driver: sql
args: /etc/dovecot/sql....
2018 May 20
3
Cannot delete folder
...-n':
>
> # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.13 (7b14904)
> doveconf: Warning: NOTE: You can get a new clean config file with:
> doveconf -n > dovecot-new.conf
> doveconf: Warning: Obsolete setting in /etc/dovecot/local.conf:21:
> ssl_parameters_regenerate should have 'hours' suffix
> # OS: Linux 4.4.0-124-generic x86_64 Ubuntu 16.04.3 LTS
> auth_mechanisms = plain login
> disable_plaintext_auth = no
> first_valid_uid = 8
> imap_idle_notify_interval = 5 mins
> last_valid_uid = 8
> listen = 5.9.48.194, 2a01:4f8:161:40c9::2...