similar to: Dovecot won't accept IMAP TLS 1 connections from older devices [SOLVED]

I've dovecot --version 2.3.10.1 (a3d0e1171) openssl version OpenSSL 1.1.1g FIPS 21 Apr 2020 , atm on Fedora32. I configure /etc/pki/tls/openssl.cnf to set preferences for apps' usage, e.g. Postfix etc; Typically, here cat /etc/pki/tls/openssl.cnf openssl_conf = default_conf [default_conf] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect

> On 22/09/2020 21:00 PGNet Dev <pgnet.dev at gmail.com> wrote: > > > On 9/22/20 10:51 AM, Aki Tuomi wrote: > >>> > > > > Well, dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue. > > I've NO issue with that config/setting with any _other_ app -- whether in general

bump On 8/24/20 5:17 PM, PGNet Dev wrote: > I've > > dovecot --version > 2.3.10.1 (a3d0e1171) > openssl version > OpenSSL 1.1.1g FIPS 21 Apr 2020 > > , atm on Fedora32. > > I configure > > /etc/pki/tls/openssl.cnf > > to set preferences for apps' usage, e.g. Postfix etc; Typically, here > > cat /etc/pki/tls/openssl.cnf >

> On 22/09/2020 20:05 PGNet Dev <pgnet.dev at gmail.com> wrote: > > > bump > > On 8/24/20 5:17 PM, PGNet Dev wrote: > > I've > > > > dovecot --version > > 2.3.10.1 (a3d0e1171) > > openssl version > > OpenSSL 1.1.1g FIPS 21 Apr 2020 > > > > , atm on Fedora32. > > > > I configure > > >

On 12/2/2014 1:32 AM, Reindl Harald wrote: > > Am 02.12.2014 um 06:44 schrieb Will Yardley: >> On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: >>> On 12/1/2014 4:43 PM, Will Yardley wrote: >>>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config >>>> (in a way that's sane)? >>> >>>> Is there a

Hi Folks, after adding TLSv1.2 to by TLS options a lot of Outlook users complaint about connection errors, openssl s_client and Thunderbird works fine. I found some posts about this but none of them had a real solution on this - I meanwhile disabled TLSv1.2 which made the Outlook users happy. I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014 ssl_cert = </var/qmail/control/servercert.pem

Can you use both ssl_protocols *and* ssl_cipher_list in the same config (in a way that's sane)? ssl_protocols (>= 2.1) and ssl_cipher_list co-exist, or are they mutually exclusive? I have a Dovecot 2.2.13 system, and I tried setting: I also tried things like ssl_cipher_list = HIGH or ssl_cipher_list = HIGH:!MEDIUM:!LOW however, doing this seems to make v3 still work unless I

On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: > On 12/1/2014 4:43 PM, Will Yardley wrote: > > Can you use both ssl_protocols *and* ssl_cipher_list in the same config > > (in a way that's sane)? > > > Is there a way to exclude these ciphers, while still keeping my config > > easy to parse and avoiding duplicative or deprecated configs? > >

I read this on the RHN commentary respecting cve-2014-3566: https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/: . . . The first aspect of POODLE, the SSL 3.0 protocol vulnerability, has already been fixed through iterative protocol improvements, leading to the current TLS version, 1.2. It is simply not possible to address this in the context of the SSL 3.0

Hi, I came up with the following patch while trying to figure out a good solution for the situation described in Debian bug #871987[1]. In short, OpenSSL in Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that unless an application requests otherwise, only TLSv1.2 is supported. In the world of e-mail this is seemingly an issue, as there are still way too many old clients

Hello all, I'm trying to compile dovecot 2.2.21 on OS-X 10.11.3 and I'm running a bit of trouble with OpenSSL. I've cloned OpenSSL (OpenSSL 1.1.0-pre4-dev) from github and in openssl/ssl.h SSL_TXT_SSLV2 is not defined anymore. Compilation fails with: libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-test

Hi list, I'm configuring apache with https and I've a question about sslv3 deactivation. Running "openssl ciphers -v" I get a list of cypher suite of openssl like: ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ......... Each lines report relative protocol. Disabling sslv3 with "SSLProtocol all -SSLv3" I can use cypher like:

What is the best way to adopt multiple certs? Thanks.

Thank You for answers. But: 1. How should be properly configured ssl_cipher_list? 2. Ok, removed !TLSv1 !TLSv1.1. 3. Strange thing with ssl_protocols and ssl_cipher_list, because on older server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two lines looks exactly this same and no errors in mail.err file and mailes works without any problem. 4. No, currently I don't use LMTP.

Sure did! I am even playing with different options (including NONE) and it seems to ignore the contents of ssl.conf I have tried Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA: Environment=G_TLS_GNUTLS_PRIORITY=NORMAL:+TLS1.2:!TLS1.1:!TLS1.0:!ECDHE-RSA-AES256-SHA Environment=G_TLS_GNUTLS_PRIORITY=PFS

Hello, I have 2 Dovecot 2.3.8 servers running SSL with valid wildcard certificates. Email clients connect fine, https://www.immuniweb.com/ssl/ tests show certificates are ok. However I can't make replication work when I add ssl = yes. Without ssl it works ok. I added verbose_ssl in config and error log shows: dovecot: doveadm(149.x.x.x): Error: SSL handshake failed: SSL_accept()

Hi, To default dovecot.conf file I added (based on found documentation): ssl = required disable_plaintext_auth = yes #change default 'no' to 'yes' ssl_prefer_server_ciphers = yes ssl_options = no_compression ssl_dh_parameters_length = 2048 ssl_cipher_list =

What are the possible settings for ssl_min_protocol? I only see it on the upgrade page where it mentions the default is TLSv1. Searching on the dovecot page gives me "Your search query "ssl_min_protocol" didn't return any results." -- Up the airy mountains, down the rushy glen... From ghosties and bogles and long-leggity beasties... My mother said I never should... We

Cipher list which You post provide better compatibility or security than those which I currently have? On older software version these cipher list works well and not generate any errors when I run Internal PCI scan test from https://cloud.tenable.com for another server. But for new server with newer software during test I got errors in mail.err. 2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi

Hello! dsync SSL still doesn't work for replication, so I've disabled it and tried to sync without. But I have a problem with temp directory. Is it possible to change path to temp folder? I don't want to set permissions but change temporary folder for replication. Thanks in advance. dovecot: doveadm: Error: safe_mkstemp(/tmp/dovecot.doveadm.) failed: Permission denied