Displaying 20 results from an estimated 205 matches for "ssl_parameters_regenerate".

2006 Jan 18
6
Major CPU spike for SSL parameters?
...eration completed Note that this is not the DH parameter generation; that completed on the first run, as documented. This is impacting other processes on the machine, and it seems a bit of a radical change. Is the internal default meant to be this short...? I'm going to attempt to set "ssl_parameters_regenerate" explicitly, but I'd like to stick with builtin defaults wherever possible. (Perhaps this regeneration could also be made a little friendlier on the machine, by forking and using setpriority() to lower the CPU demand of this work from the default nice level of the main daemon.)
2015 May 22
0
dovecot 2.2.18 and ssl_parameters_regenerate
...uldn't take more than a few seconds, but with older computers it can take as long as half an hour. The extra security gained by the regeneration is quite small, so with slower computers, for Dovecot versions prior to v2.2, you might want to disable it. If I discover the default value of ssl_parameters_regenerate I receive: # doveconf -d ssl_parameters_regenerate ssl_parameters_regenerate = 0 In your docs you wrote that dovecot will regenerate every week. :/ ? I set it to "1 hours" and watch if /var/lib/dovecot/ssl-parameters.dat is built every hour, but nothing happens. ssl-parameters.dat i...
2015 May 27
2
FREAK/Logjam, and SSL protocols to use
...e: >> https://weakdh.org/sysadmin.html >> >> includes altering DH parameters length to 2048, and re-specifying the >> allowable cipher suites - they give their suggestion. > > It looks like there is an error on this page regarding regeneration. In > current dovecots ssl_parameters_regenerate defaults to zero, and this > means regeneration is disabled. The old default was 168 hours (1 week). > The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is > confusing and could be understood to mean that the current default is > one week. > To enable regeneration you...
2015 May 26
6
FREAK/Logjam, and SSL protocols to use
List, good afternoon, I was reading up on a TLS Diffie Hellman protocol weakness described here https://weakdh.org/sysadmin.html which is similar to the earlier FREAK attack, and can result in downgrade of cipher suites. Part of the solution workaround that the researchers describe for Dovecot here https://weakdh.org/sysadmin.html includes altering DH parameters length to 2048, and
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
...>>>> >>>> includes altering DH parameters length to 2048, and re-specifying the >>>> allowable cipher suites - they give their suggestion. >>> >>> It looks like there is an error on this page regarding regeneration. In >>> current dovecots ssl_parameters_regenerate defaults to zero, and this >>> means regeneration is disabled. The old default was 168 hours (1 week). >>> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is >>> confusing and could be understood to mean that the current default is >>> one week....
2015 Nov 04
1
ssl-params: slow startup (patch for consideration)
A. Schulze writes: > precomputing ssl-params is also possible without patching but it's a > little bit tricky > ... > Long version in German: https://andreasschulze.de/dovecot/ssl-params Nice. (You should probably point out to ensure ssl_parameters_regenerate is zero, otherwise all this work will get wiped out!) Joseph Tam <jtam.home at gmail.com>
2013 Nov 05
2
ssl-params regeneration with dovecot 2.2.7
...op3-login { | inet_listener pop3 { | port = 110 | } | inet_listener pop3s { | port = 995 | ssl = yes | } | } | service pop3 { | process_limit = 1024 | } | ssl_cert = </usr/local/etc/c64.shuttle.de.CRT | ssl_key = </usr/local/etc/c64.shuttle.de-dovecot.KEY | ssl_parameters_regenerate = 1 hours | userdb { | driver = passwd | } | verbose_proctitle = yes | protocol lmtp { | mail_plugins = notify quota fts fts_squat | } | protocol lda { | mail_plugins = notify quota fts fts_squat | } | protocol imap { | imap_client_workarounds = delay-newmail tb-extra-mailbox-se...
2014 Dec 02
4
disabling certain ciphers
...xclude these ciphers, while still keeping my config > > easy to parse and avoiding duplicative or deprecated configs? > > Yes to both. If you need to support older clients: > > ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH > ssl_dh_parameters_length = 2048 > ssl_parameters_regenerate = 0 > ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 But why does ssl_protocols behave differently depending on if $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient? It seems that if ssl_cipher_list is defined, ssl_protocols = !SSLv2 !SSLv3 results in TLS1.2 bei...
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
...:37 AM, Ron Leach wrote: > > https://weakdh.org/sysadmin.html > > includes altering DH parameters length to 2048, and re-specifying the > allowable cipher suites - they give their suggestion. It looks like there is an error on this page regarding regeneration. In current dovecots ssl_parameters_regenerate defaults to zero, and this means regeneration is disabled. The old default was 168 hours (1 week). The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is confusing and could be understood to mean that the current default is one week. To enable regeneration you can manually set: ssl...
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
...dh.org/sysadmin.html >>> >>> includes altering DH parameters length to 2048, and re-specifying the >>> allowable cipher suites - they give their suggestion. >> >> It looks like there is an error on this page regarding regeneration. In >> current dovecots ssl_parameters_regenerate defaults to zero, and this >> means regeneration is disabled. The old default was 168 hours (1 week). >> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is >> confusing and could be understood to mean that the current default is >> one week. >> To ena...
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
On 27/05/2015 05:22, Gedalya wrote: > It looks like there is an error on this page regarding regeneration. > In current dovecots ssl_parameters_regenerate defaults to zero, and > this means regeneration is disabled. The old default was 168 hours (1 > week). > The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is > confusing and could be understood to mean that the current default is > one week. I'd read that dovecot...
2014 Dec 02
2
disabling certain ciphers
Can you use both ssl_protocols *and* ssl_cipher_list in the same config (in a way that's sane)? ssl_protocols (>= 2.1) and ssl_cipher_list co-exist, or are they mutually exclusive? I have a Dovecot 2.2.13 system, and I tried setting: I also tried things like ssl_cipher_list = HIGH or ssl_cipher_list = HIGH:!MEDIUM:!LOW however, doing this seems to make v3 still work unless I
2015 Nov 04
1
ssl-params: slow startup (patch for consideration)
...ey exchange, http://weakdh.org/ I increased ssl_dh_parameters_length to 2048 bits, and found I waited for 5+ minutes for dovecot to come back online after a restart. Unless you got a fast machine, the initialization of DH parameters can exceed your patience. Regeneration may not be a problem (if ssl_parameters_regenerate=0 or if Dovecot uses old parameters until regeneration finishes), but for cold starts, the server can be tied up for a few minutes creating DH parameters while clients queue up. I ran "openssl dhparam 2048" and got wildly varying run times of 1m45s, 11m56s, 0.4s, 2m19s, 3h23s. Most of t...
2014 Dec 02
2
disabling certain ciphers
...>>>> easy to parse and avoiding duplicative or deprecated configs? >>> >>> Yes to both. If you need to support older clients: >>> >>> ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH >>> ssl_dh_parameters_length = 2048 >>> ssl_parameters_regenerate = 0 >>> ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 >> >> But why does ssl_protocols behave differently depending on if >> $ssl_cipher_list is defined? Shouldn't !SSLv2 and !SSLv3 be sufficient? >> >> It seems that if ssl_cipher_list is defined, >...
2014 Dec 02
0
disabling certain ciphers
...'s sane)? > Is there a way to exclude these ciphers, while still keeping my config > easy to parse and avoiding duplicative or deprecated configs? Yes to both. If you need to support older clients: ssl_cipher_list = HIGH:!RC4:!MD5:!SRP:!PSK:!aNULL:@STRENGTH ssl_dh_parameters_length = 2048 ssl_parameters_regenerate = 0 ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2 If your userbase is limited to current clients and OSes, you can take it a bit further: ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!3DES:!aNULL:@STRENGTH ssl_dh_parameters_length = 4096 ssl_parameters_regenerate = 0 ssl_protocols = !SSLv2 !SSL...
2008 Mar 07
1
Can't load private key file
...ssword read My dovecot.conf has the following set. # Uncomment these if using SSL ssl_cert_file = /etc/ssl/mailserver/mail.mydomain.tld.crt ssl_key_file = /etc/ssl/mailserver/mail.mydomain.tld.key #ssl_key_password = #ssl_ca_file = /etc/ssl/mailserver/ca/mydomain.pem #ssl_verify_client_cert = yes ssl_parameters_regenerate = 168 verbose_ssl = no I have been playing about with it all for about 3 hours now and would greatly appreciate any help ;) Regards Adam
2005 Oct 24
2
debian dovecot upgrade
...mail:~# cat /etc/dovecot/dovecot.conf | grep ssl # --with-ssldir=/etc/ssl #ssl_listen = #ssl_disable = no #ssl_cert_file = /etc/ssl/certs/dovecot.pem #ssl_key_file = /etc/ssl/private/dovecot.pem #ssl_ca_file = #ssl_verify_client_cert = no #ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat #ssl_parameters_regenerate = 24 #ssl_cipher_list = all:!LOW #verbose_ssl = no #ssl_require_client_cert = no mail:~# I tried on the command line # dovecot -F -c dovecot.conf my version is: mail:~# dovecot --version 1.0.alpha3 mail:~# Would anyone perhaps know why I can't get the daemon started. Kind Regards Brent Clark
2006 Jan 27
2
How to make pops
Hi, I use dovecot (pop) with gentoo but it's not secure. I would like to use pops but I don't know how to do this. I think I have to use certificates... This is my dovecot.conf: protocols = imap imaps pop3 pop3s imap_listen = * pop3_listen = * imaps_listen = * pop3s_listen = * ssl_disable = no login = imap login = pop3 default_mail_env = maildir:%h/.maildir mbox_locks = fcntl dotlock auth =
2010 Sep 09
2
using palm pre client with imap server
...2.6.9-42.ELsmp i686 Red Hat Enterprise Linux ES release 4 (Nahant Update 8) ext3 base_dir: /var/run/dovecot syslog_facility: local0 protocols: imap listen: xxx.yyy.zzz.aaa ssl_ca_file: /etc/pki/ca.crt.crl ssl_cert_file: /etc/pki/private/ssl.crt.key.pem ssl_key_file: /etc/pki/private/ssl.crt.key.pem ssl_parameters_regenerate: 29 login_dir: /var/run/dovecot/login login_executable: /usr/libexec/dovecot/imap-login mail_location: maildir:/home/vmail/%d/%n/Mail auth default: user: squab username_chars: abcdefghijklmnopqrstuvwxyz01234567890.-_@ username_format: %Lu passdb: driver: sql args: /etc/dovecot/sql....
2018 May 20
3
Cannot delete folder
...-n': > > # 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.13 (7b14904) > doveconf: Warning: NOTE: You can get a new clean config file with: > doveconf -n > dovecot-new.conf > doveconf: Warning: Obsolete setting in /etc/dovecot/local.conf:21: > ssl_parameters_regenerate should have 'hours' suffix > # OS: Linux 4.4.0-124-generic x86_64 Ubuntu 16.04.3 LTS > auth_mechanisms = plain login > disable_plaintext_auth = no > first_valid_uid = 8 > imap_idle_notify_interval = 5 mins > last_valid_uid = 8 > listen = 5.9.48.194, 2a01:4f8:161:40c9::2...