search for: ssl_prefer_server_ciph

Displaying 20 results from an estimated 435 matches for "ssl_prefer_server_ciph".

2013 Oct 18
2
patch for ssl_prefer_server_ciphers in dovecot 2.1
Dear all, I tried to do a backport of 'ssl_prefer_server_ciphers' (http://hg.dovecot.org/dovecot-2.2/rev/897484f45a87/) to Dovecot 2.1 (namely the Debian version of Dovecot) and wanted to ask if there is any chance to integrate this feature into Dovecot 2.1 'upstream' as well. As the code structure changed quite a bit, I am not sure if my patch is...
2015 Jan 09
2
dovecot on wheezy, best ssl configuration ?
Hi thanks for your help! Trying to set your same parameters, when restarting dovecot, gives the error: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers doveconf: Error: managesieve-login: dump-capability process returned 89 doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 136: Unknown setting: ssl_prefer_server_ciphers [....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error in configuration file /etc/...
2015 Jan 09
0
dovecot on wheezy, best ssl configuration ?
On 09.01.2015 at 08:58, ml at ruggedinbox.com wrote: > Hi thanks for your help! > Trying to set your same parameters, when restarting dovecot, gives the > error: > > doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf > line 136: Unknown setting: ssl_prefer_server_ciphers > doveconf: Error: managesieve-login: dump-capability process returned 89 > doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf > line 136: Unknown setting: ssl_prefer_server_ciphers > [....] Restarting IMAP/POP3 mail server: dovecotdoveconf: Fatal: Error > in c...
2015 Jan 09
4
dovecot on wheezy, best ssl configuration ?
Hi all, when hardening dovecot against the POODLE vulnerability, we followed the advice to disable SSL2 and SSL3 but this is giving problems with some email clients (claws-mail). ssl_protocols = !SSLv2 !SSLv3 results in the following error: dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL
2020 Jul 16
2
Outlook vs Thunderbird
...but nothing worked short of disabling SSL altogether. These are the remnants of some attempts... # 20200531 suggested by Aki Tuomi #ssl_min_protocol = TLSv1.0 #ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL # https://ssl-config.mozilla.org OLD # openssl dhparam -dsaparam 1024 > /etc/dovecot/dh.pem ssl_prefer_server_ciphers = yes #ssl_min_protocol = TLSv1 #ssl_cipher_list = ECDHE-ECDSA**** # https://ssl-config.mozilla.org MEDIUM # openssl dhparam -dsaparam 2048 > /etc/dovecot/dh.pem #ssl_prefer_server_ciphers = no #ssl_min_protocol = TLSv1.2 #ssl_cipher_list = ECDHE-ECDSA**** ~ dovecot --version 2.3.7.2 (3c910...
2015 Feb 06
2
TLS config check
...ESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:+DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:!AES128:!CAMELLIA128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:+AES256-SHA ssl_prefer_server_ciphers = yes I would really appreciate it if someone could tell me if my config is super secure? I run the following email clients: K9 on Android 4.4.2 Thunderbird 31.4 Outlook 2010 I'm interested to know if the config I have is secure and that my cipher list is acceptable. I'm also keen...
2020 Nov 15
1
no shared cipher openssl
..._length = 1024 #ssl_protocols = !SSLv3 # SSL ciphers to use # ols values ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK: !RC4:!ADH:!LOW@STRENGTH # Prefer the server's order of ciphers over client's. #ssl_prefer_server_ciphers = no # Prefer the server's order of ciphers over client's. #ssl_prefer_server_ciphers = no # SSL crypto device to use, for valid values run "openssl engine" #ssl_crypto_device = # SSL extra options. Currently supported options are: # no_compression - Disable compression. #...
2019 Oct 28
1
changing cipher for imap clients
> On 2019-10-28 15:36, Aki Tuomi wrote: > Also, you could try the *default* cipher list (unset ssl_cipher_list), which is reasonable. Also make sure you have 'ssl_prefer_server_ciphers=yes', so that the server-side priority list is used. setting ssl_prefer_server_ciphers=yes did the trick. Now my imap client uses ECDHE-RSA-AES256-SHA many thanks,
2020 Jul 18
2
problem with client using TLS
...fferent settings without luck. grep -v '^#' 10-ssl.conf ssl = yes ssl_cert = </etc/letsencrypt/live/smtp.dualbit.de/fullchain.pem ssl_key = </etc/letsencrypt/live/smtp.dualbit.de/privkey.pem ssl_dh = </etc/dovecot/dh.pem ssl_min_protocol = TLSv1.2 ssl_cipher_list = PROFILE=SYSTEM ssl_prefer_server_ciphers = yes Can somebody help solving this? Kind regards Andreas
2019 Oct 28
3
changing cipher for imap clients
When my client connects, I see this in my log: dovecot: imap-login: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits) Whereas, when client connects to my postfix server, I see: Anonymous TLS connection established from * TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits) how can I tell dovecot to use AES256, instead of AES128 ? is this set by ssl_cipher_list ? Here are my current
2018 Dec 14
2
Upgrade to 2.3.1 has failed
...bot/live/privustech.com/privkey.pem ssl_dh = /etc/dovecot/dh.pem #(yes, it took five hours to create...) ssl_min_protocol = TLSv1 ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH ssl_prefer_server_ciphers = no 3. We have checked 10-ssl.conf against the 2.3 default at https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf 4. We do NOT include the less than (<) symbol before the paths because then dovecot fails to load complaining it cannot find the files. 5. w...
2013 Sep 25
2
v2.2.6 released
...+ doveadm: Added "auth lookup" command for doing passdb lookup. + login_log_format_elements: Added %{orig_user}, %{orig_username} and %{orig_domain} expanding to the username exactly as sent by the client (before any changes auth process made). + Added ssl_prefer_server_ciphers setting. + auth_verbose_passwords: Log the password also for unknown users. + Linux: Added optional support for SO_REUSEPORT with inet_listener { reuse_port=yes } - director: v2.2.5 changes caused "SYNC lost" errors - dsync: Many fixes and erro...
2015 Feb 06
2
TLS config check
According to https://cipherli.st/ > ssl = yes > ssl_cert = </etc/dovecot.cert > ssl_key = </etc/dovecot.key > ssl_protocols = !SSLv2 !SSLv3 > ssl_cipher_list = AES128+EECDH:AES128+EDH > ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6 > Is what you want. Ok, so I have changed my ssl_cipher_list to: ssl_cipher_list = AES128+EECDH:AES128+EDH Before I made this change clients were connecting with the following cipher in the log file: ECDHE-ECDSA-AES256-SHA (256/256 bits) After the change the lo...
2020 May 31
5
I can no longer use TLS for Windows7 and Outlook
...7 and Outlook16 using "dovecot -n|grep ^ssl_" please ? Mine is currently... ssl_ca = </etc/ssl/certs/ca-certificates.crt ssl_cert = </etc/ssl/example.com/fullchain.pem ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_options = no_compression no_ticket ssl_prefer_server_ciphers = yes I have commented out ssl_cipher_list, ssl_min_protocol and others to get back to whatever the defaults are so I am not simply guessing what the optimal settings would be to cover Win7 and up. Yes I know Win7 is no longer supported but that does not help the 100s of older users I have tha...
2018 Jun 12
4
cant login to Dovecot
...al_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { driver = pam } plugin { sieve = file:~/sieve;active=~/.dovecot.sieve } ssl = no ssl_cipher_list = ALL:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH ssl_options = no_compression ssl_prefer_server_ciphers = yes userdb { driver = passwd } -- -- Best Regards, Walter Ulmke
2015 Feb 06
0
TLS config check
...DH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:ECDHE-RSA-AES256-SHA:+DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!CAMELLIA256-SHA:!AES128:!CAMELLIA128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:+AES256-SHA > > ssl_prefer_server_ciphers = yes > > I would really appreciate it if someone could tell me if my config is > super secure? I run the following email clients: > > K9 on Android 4.4.2 > Thunderbird 31.4 > Outlook 2010 > > I'm interested to know if the config I have is secure and that my cipher...
2018 Dec 14
0
Upgrade to 2.3.1 has failed
...om/fullchain.pem ssl_key =</etc/certbot/live/privustech.com/privkey.pem ssl_dh =</etc/dovecot/dh.pem > ssl_min_protocol = TLSv1 > ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH > ssl_prefer_server_ciphers = no > You should set ssl_prefer_server_ciphers = yes. > 3. We have checked 10-ssl.conf against the 2.3 default at > https://github.com/dovecot/core/blob/master/doc/example-config/conf.d/10-ssl.conf > > 4. We do NOT include the less than (<) symbol before the paths bec...
2020 Jul 15
2
Outlook vs Thunderbird
On Tue Jul 07 2020 02:07:08 GMT-0400 (Eastern Standard Time), Mark Constable <markc at renta.net> wrote: > FWIW I meant if the client is Windows7/old-Outlook then changing either > 993/SSL or 143/STARTTLS to 143/NONE could help pick up the mail. We had > to do this for a 100 or so clients a few months ago after upgrading to > Ubuntu 20.04. Really, really bad idea. You just
2020 Oct 31
1
Odd replication behaviour
...1 unix_listener replicator-doveadm { mode = 0600 user = vmail } } ssl = required ssl_cert = </etc/letsencrypt/live/mail2.pattinson.org/fullchain.pem ssl_cipher_list = PROFILE=SYSTEM ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_prefer_server_ciphers = yes userdb { args = username_format=%u /etc/dovecot/users default_fields = uid=vmail gid=mail home=/srv/vmail/%u driver = passwd-file } protocol lmtp { mail_plugins = sieve } protocol lda { mail_plugins = notify replication sieve } HOST B # 2.3.8 (9df20d2db): /etc/dovecot/dovecot.c...