Displaying 20 results from an estimated 1100 matches similar to: "Major CPU spike for SSL parameters?"
2015 May 27
2
FREAK/Logjam, and SSL protocols to use
Quoting Gedalya <gedalya at gedalya.net>:
> On 05/26/2015 10:37 AM, Ron Leach wrote:
>> https://weakdh.org/sysadmin.html
>>
>> includes altering DH parameters length to 2048, and re-specifying the
>> allowable cipher suites - they give their suggestion.
>
> It looks like there is an error on this page regarding regeneration. In
> current dovecots
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
Quoting Gedalya <gedalya at gedalya.net>:
> On 05/27/2015 09:55 AM, Rick Romero wrote:
>> Quoting Gedalya <gedalya at gedalya.net>:
>>
>>> On 05/26/2015 10:37 AM, Ron Leach wrote:
>>>> https://weakdh.org/sysadmin.html
>>>>
>>>> includes altering DH parameters length to 2048, and re-specifying the
>>>> allowable
2013 Nov 05
2
ssl-params regeneration with dovecot 2.2.7
Hello,
after switching from version 2.2.7 to 2.2.7 I miss the loglines which say:
ssl-params: Generating SSL parameters
ssl-params: SSL parameters regeneration completed
The configuration has not been changed and reads:
| # 2.2.7: /usr/local/dovecot/etc/dovecot/dovecot.conf
| # OS: Linux 2.6.35.14-106.fc14.i686.PAE i686 Fedora release 14 (Laughlin) ext3
| auth_mechanisms = plain login
|
2015 May 26
6
FREAK/Logjam, and SSL protocols to use
List, good afternoon,
I was reading up on a TLS Diffie Hellman protocol weakness described here
https://weakdh.org/sysadmin.html
which is similar to the earlier FREAK attack, and can result in
downgrade of cipher suites.
Part of the solution workaround that the researchers describe for
Dovecot here
https://weakdh.org/sysadmin.html
includes altering DH parameters length to 2048, and
2015 Nov 04
1
ssl-params: slow startup (patch for consideration)
Based on the recently found weaknesses in DH key exchange,
http://weakdh.org/
I increased ssl_dh_parameters_length to 2048 bits, and found I waited
for 5+ minutes for dovecot to come back online after a restart.
Unless you got a fast machine, the initialization of DH parameters can
exceed your patience.
Regeneration may not be a problem (if ssl_parameters_regenerate=0 or if
Dovecot uses old
2005 Sep 01
2
Still weird UID ordering issues with maildir
Nightly 20050829 (includes everything currently in nightly/ChangeLog):
Sep 1 09:25:02 server dovecot: imap-login: Login: user=<tv>, method=PLAIN, rip=192.168.1.1, lip=192.168.1.3, TLS
Sep 1 09:25:02 server dovecot: IMAP(tv): Maildir /home/tv/.maildir sync: UID < next_uid (1187 < 1188, file = 1125581033.7788_2.server.duh.org:2,)
repeated every time I try to login. I had to nuke the
2006 Jan 27
2
How to make pops
Hi,
I use dovecot (pop) with gentoo but it's not secure.
I would like to use pops but I don't know how to do this.
I think I have to use certificates...
This is my dovecot.conf:
protocols = imap imaps pop3 pop3s
imap_listen = *
pop3_listen = *
imaps_listen = *
pop3s_listen = *
ssl_disable = no
login = imap
login = pop3
default_mail_env = maildir:%h/.maildir
mbox_locks = fcntl dotlock
auth =
2010 Dec 15
2
ssl enabled, but ssl_cert not set ( 2.0.7 freebsd 8.1 )
hello
trying to install dovecot 2 on a freshly installed machine
I get this error message:
doveconf -n > dovecot-new.conf
doveconf: Error: ssl enabled, but ssl_cert not set
doveconf: Fatal: Error in configuration file
/usr/local/etc/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set
the ssl config file looks like the following:
Thanks for any info.
##
## SSL settings
##
# SSL/TLS
2005 Jul 20
3
Another minor IMAP LIST issue
I've just noticed that Dovecot 1.0-stable and 1.0-test78 don't include
mbox folders with names beginning with "." in the IMAP LIST output.
These are often used to store "hidden" folders for storing things like
IMAP client configuration (e.g. Pine 4.x, IMHO, Prayer). Usually the
user shouldn't be able to see these, but there are occasions when they
might. It seems
2015 May 27
1
FREAK/Logjam, and SSL protocols to use
On 27/05/2015 05:22, Gedalya wrote:
> It looks like there is an error on this page regarding regeneration.
> In current dovecots ssl_parameters_regenerate defaults to zero, and
> this means regeneration is disabled. The old default was 168 hours (1
> week).
> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is
> confusing and could be understood to mean that the
2007 Jan 22
1
1.0.rc18 released
http://dovecot.org/releases/dovecot-1.0.rc18.tar.gz
http://dovecot.org/releases/dovecot-1.0.rc18.tar.gz.sig
I think we're quite near v1.0 now.
* ACL plugin + Maildir: Moved dovecot-acl file from control directory
to maildir. To prevent accidents caused by this change, Dovecot
kills itself if it finds dovecot-acl file from the control directory.
* When opening a maildir, check if
2007 Jan 22
1
1.0.rc18 released
http://dovecot.org/releases/dovecot-1.0.rc18.tar.gz
http://dovecot.org/releases/dovecot-1.0.rc18.tar.gz.sig
I think we're quite near v1.0 now.
* ACL plugin + Maildir: Moved dovecot-acl file from control directory
to maildir. To prevent accidents caused by this change, Dovecot
kills itself if it finds dovecot-acl file from the control directory.
* When opening a maildir, check if
2006 Feb 06
1
Dovecot 1.0b2 now in pkgsrc packaging system
After months of testing in the "work in progress" pkgsrc-wip playground,
dovecot-1.0b2 is now in the main pkgsrc mainline and will be tracked up
through the 1.0 release and beyond.
This means it's now much easier to get Dovecot 1.0 up and running on NetBSD
and any other platform supported by pkgsrc (see www.pkgsrc.org); prior to
this, 0.99.x was the newest available. Binary
2015 Nov 04
1
ssl-params: slow startup (patch for consideration)
A. Schulze writes:
> precomputing ssl-params is also possible without patching but it's a
> little bit tricky
> ...
> Long version in German: https://andreasschulze.de/dovecot/ssl-params
Nice.
(You should probably point out to ensure ssl_parameters_regenerate is
zero, otherwise all this work will get wiped out!)
Joseph Tam <jtam.home at gmail.com>
2014 Dec 02
2
disabling certain ciphers
Can you use both ssl_protocols *and* ssl_cipher_list in the same config
(in a way that's sane)?
ssl_protocols (>= 2.1)
and
ssl_cipher_list
co-exist, or are they mutually exclusive?
I have a Dovecot 2.2.13 system, and I tried setting:
I also tried things like
ssl_cipher_list = HIGH
or
ssl_cipher_list = HIGH:!MEDIUM:!LOW
however, doing this seems to make v3 still work unless I
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
On 05/27/2015 09:55 AM, Rick Romero wrote:
> Quoting Gedalya <gedalya at gedalya.net>:
>
>> On 05/26/2015 10:37 AM, Ron Leach wrote:
>>> https://weakdh.org/sysadmin.html
>>>
>>> includes altering DH parameters length to 2048, and re-specifying the
>>> allowable cipher suites - they give their suggestion.
>>
>> It looks like there
2014 Dec 02
4
disabling certain ciphers
On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote:
> On 12/1/2014 4:43 PM, Will Yardley wrote:
> > Can you use both ssl_protocols *and* ssl_cipher_list in the same config
> > (in a way that's sane)?
>
> > Is there a way to exclude these ciphers, while still keeping my config
> > easy to parse and avoiding duplicative or deprecated configs?
>
>
2015 May 27
0
FREAK/Logjam, and SSL protocols to use
On 05/26/2015 10:37 AM, Ron Leach wrote:
>
> https://weakdh.org/sysadmin.html
>
> includes altering DH parameters length to 2048, and re-specifying the
> allowable cipher suites - they give their suggestion.
It looks like there is an error on this page regarding regeneration. In
current dovecots ssl_parameters_regenerate defaults to zero, and this
means regeneration is
2005 Aug 01
1
Dovecot 1.0-test77 endless loop hang
Client: Bynari Insight Connector 3.0.5. (http://www.bynari.net/)
This is an IMAP-based plugin for Outlook that can also store Outlook
collaboration objects (calendar, tasks, notes, etc.) in IMAP messages on the
server side. It does not require special server extensions, and it was
actually (mostly) working with 1.0-stable.
Below is a rawlog dump showing what is going back and forth. After
2015 May 22
0
dovecot 2.2.18 and ssl_parameters_regenerate
Hi Timo,
On http://wiki2.dovecot.org/SSL/DovecotConfiguration I read in chapter
SSL security settings:
When Dovecot starts up for the first time, it generates new 512bit and
1024bit Diffie Hellman parameters and saves them into
<prefix>/var/lib/dovecot/ssl-parameters.dat. After the initial
creation they're by default regenerated every week. With newer
computers the generation