similar to: disabling certain ciphers

On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: > On 12/1/2014 4:43 PM, Will Yardley wrote: > > Can you use both ssl_protocols *and* ssl_cipher_list in the same config > > (in a way that's sane)? > > > Is there a way to exclude these ciphers, while still keeping my config > > easy to parse and avoiding duplicative or deprecated configs? > >

On 12/2/2014 1:32 AM, Reindl Harald wrote: > > Am 02.12.2014 um 06:44 schrieb Will Yardley: >> On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: >>> On 12/1/2014 4:43 PM, Will Yardley wrote: >>>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config >>>> (in a way that's sane)? >>> >>>> Is there a

On Tue, Dec 02, 2014 at 08:34:50AM -0800, Darren Pilgrim wrote: > On 12/1/2014 9:44 PM, Will Yardley wrote: > > On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: > >> On 12/1/2014 4:43 PM, Will Yardley wrote: > >>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config > >>> (in a way that's sane)? > >> >

Hi, I can no longer connect to Dovecot (IMAP). The connection is terminated by Dovecot after Client Helo. My server: Dovecot 2.3.3 Debian buster/sid Architecture: ppc My problems started in late August after upgrading Dovecot. SSL settings: ssl_dh = </etc/ssl/dh2048.pem ssl_min_protocol = TLSv1.2 ssl_cipher_list =

On 12/2/2014 10:05 AM, Will Yardley wrote: > I had some problems the first few times I restarted with ssl-params > seeming to hang, but it finally works. That would have been dovecot generating the 4096-bit DH parameters. It can take a bit, but Dovecot is quite fast at it. If Dovecot supported it, you could use OpenSSL to generate tested-safe DH parameters and supply them by file the

Hi Folks, after adding TLSv1.2 to by TLS options a lot of Outlook users complaint about connection errors, openssl s_client and Thunderbird works fine. I found some posts about this but none of them had a real solution on this - I meanwhile disabled TLSv1.2 which made the Outlook users happy. I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014 ssl_cert = </var/qmail/control/servercert.pem

I have the following two settings in my "10-ssl.conf" file # SSL protocols to use ssl_protocols = !SSLv2 # SSL ciphers to use ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL I have seen different configurations while Googling. I am wondering what the consensus is for the best settings for these two items. What do the developers recommend? Thanks! -- Jerry

List, good afternoon, I was reading up on a TLS Diffie Hellman protocol weakness described here https://weakdh.org/sysadmin.html which is similar to the earlier FREAK attack, and can result in downgrade of cipher suites. Part of the solution workaround that the researchers describe for Dovecot here https://weakdh.org/sysadmin.html includes altering DH parameters length to 2048, and

Am 02.12.2014 um 06:44 schrieb Will Yardley: > On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: >> On 12/1/2014 4:43 PM, Will Yardley wrote: >>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config >>> (in a way that's sane)? >> >>> Is there a way to exclude these ciphers, while still keeping my config >>>

On 12/1/2014 9:44 PM, Will Yardley wrote: > On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: >> On 12/1/2014 4:43 PM, Will Yardley wrote: >>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config >>> (in a way that's sane)? >> >>> Is there a way to exclude these ciphers, while still keeping my config >>> easy

Has anyone else experienced a degraded symmetric key exchange when using FF-31 vice FF24? When I use FF24 then I get a symmetric type of AES-256 (Very Strong) rating in Calomel 0.62. When I switch to FF31 and connect to exactly the same server host and url then in Calomel 0.62 I see this instead: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (Very Weak). I am not altering any of the configuration options

I've been trying to upgrade Dovecot-ee package (on EL6/x86_64) from 2.2.15.8-1 to 2.2.16.2-1. It's complaining on these two dependencies: liblz4.so.1 libtextcat.so.0 These would both seem to be related to plugins, and don't seem to be required as package dependencies by the RPM from what I can see from the SRPM. Anyone know what packages I need to satisfy these dependencies?

Hi, To default dovecot.conf file I added (based on found documentation): ssl = required disable_plaintext_auth = yes #change default 'no' to 'yes' ssl_prefer_server_ciphers = yes ssl_options = no_compression ssl_dh_parameters_length = 2048 ssl_cipher_list =

Thank You for answers. But: 1. How should be properly configured ssl_cipher_list? 2. Ok, removed !TLSv1 !TLSv1.1. 3. Strange thing with ssl_protocols and ssl_cipher_list, because on older server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two lines looks exactly this same and no errors in mail.err file and mailes works without any problem. 4. No, currently I don't use LMTP.

I set up cram-md5 using this tutorial https://wiki2.dovecot.org/HowTo/CRAM-MD5 in /etc/dovecot/dovecot.conf in passdb code block: listen = *,[::] protocols = imap pop3 #auth_mechanisms = plain login cram-md5 auth_mechanisms = cram-md5 plain login #dodana nizej linia ssl = required disable_plaintext_auth = yes log_timestamp = "%Y-%m-%d %H:%M:%S " mail_privileged_group = vmail

On 12/1/2014 4:43 PM, Will Yardley wrote: > Can you use both ssl_protocols *and* ssl_cipher_list in the same config > (in a way that's sane)? > Is there a way to exclude these ciphers, while still keeping my config > easy to parse and avoiding duplicative or deprecated configs? Yes to both. If you need to support older clients: ssl_cipher_list =

On 09/03/16 10:44, Florent B wrote: > Hi, > > I don't see any SSL configuration option in Dovecot to disable > "Client-initiated secure renegotiation". > > It is advised to disable it as it can cause DDoS (CVE-2011-1473). > > Is it possible to have this possibility through an SSL option or other ? > > Thank you. > > Florent ssl_protocols = !SSLv3

On Thu, Apr 02, 2015 at 02:53:26PM -0600, Eric Broch wrote: > On 4/2/2015 1:22 PM, Will Yardley wrote: > > I've been trying to upgrade Dovecot-ee package (on EL6/x86_64) from > > 2.2.15.8-1 to 2.2.16.2-1. It's complaining on these two dependencies: > > > > liblz4.so.1 > > libtextcat.so.0 > > > > These would both seem to be related to plugins,

Default it was: "auth_mechanisms = plain login" and I added cram-md5. After restart all work perfectly. But after I added: driver = passwd-file args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd I can't set default lines because I got error. Please tell me which lines should be changed to resolve this issue. Should I remove "login" from auth_mechanism

Cipher list which You post provide better compatibility or security than those which I currently have? On older software version these cipher list works well and not generate any errors when I run Internal PCI scan test from https://cloud.tenable.com for another server. But for new server with newer software during test I got errors in mail.err. 2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi