similar to: Wishlist: TLS,SSL cipher in a variable.

Dear libvirt team, we a currently in a pci-dss certification process and our security scanner found weak ciphers in the vlc_tls service on our centos6 box: When I scan using sslscan I can see that sslv3 and rc4 is accepted: inf0rmix@tardis:~$ sslscan myhost:16514 | grep Accepted Accepted SSLv3 256 bits DHE-RSA-AES256-SHA Accepted SSLv3 256 bits AES256-SHA Accepted SSLv3 128

Hello, the attached patch for Dovecot 2.2.4 improves the logging to include information about the cipher suite used for a TLS connection. Here is an example log line: Aug 13 21:49:55 colwyn dovecot: imap-login: Login: user=<tron>, method=CRAM-MD5, rip=2001:8b0:114:1::2, lip=2001:8b0:114:1::2, mpid=10567, TLS=<TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)>,

On 12/2/2014 1:32 AM, Reindl Harald wrote: > > Am 02.12.2014 um 06:44 schrieb Will Yardley: >> On Mon, Dec 01, 2014 at 09:27:48PM -0800, Darren Pilgrim wrote: >>> On 12/1/2014 4:43 PM, Will Yardley wrote: >>>> Can you use both ssl_protocols *and* ssl_cipher_list in the same config >>>> (in a way that's sane)? >>> >>>> Is there a

Hi, I have a small question with sendmail and tls verification. The tls verify fails on our internal/external sendmail servers. For example: STARTTLS=server, relay=mx1.imt-systems.com [89.146.219.60], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256 STARTTLS=server, relay=acsinet12.imt-systems.com [89.146.219.42], version=TLSv1/SSLv3, verify=FAIL,

It's nice to see that the OS where CentOS gets its sources from also experiments the same error! I have been very busy lately so I haven't had the time to deal with the problem, probably later this week or early next week. As soon as I find something Ill let you know. Hopefully you'll do the same if you come across the solution first. PS. Forwarding this message to the mailing

Hi, since I upgraded to the new Thunderbird version 3.1 I can't establish a TLS/SSL connection anymore. But before the update Thunerbird was able to establish an encrypted session ... Maillog shows me the following now: server dovecot: imap-login: Disconnected (no auth attempts): rip=84.157.133.248, lip=192.168.1.100, TLS handshaking: SSL_accept() failed: error:14094418:SSL

Hi, I have, in one customer, a web server running on a Verisign-signed certificate SSL certificate. Everything works fine, IE and Firefox connects on https without asking anything, which usually happens on self-signed certificates. I'm trying to use that certificate on dovecot, but clients (Thunderbird basically) keeps saying the certificate is not valid. yes i'm using,

Hi Folks, after adding TLSv1.2 to by TLS options a lot of Outlook users complaint about connection errors, openssl s_client and Thunderbird works fine. I found some posts about this but none of them had a real solution on this - I meanwhile disabled TLSv1.2 which made the Outlook users happy. I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014 ssl_cert = </var/qmail/control/servercert.pem

Thank You for answers. But: 1. How should be properly configured ssl_cipher_list? 2. Ok, removed !TLSv1 !TLSv1.1. 3. Strange thing with ssl_protocols and ssl_cipher_list, because on older server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two lines looks exactly this same and no errors in mail.err file and mailes works without any problem. 4. No, currently I don't use LMTP.

Hi, To default dovecot.conf file I added (based on found documentation): ssl = required disable_plaintext_auth = yes #change default 'no' to 'yes' ssl_prefer_server_ciphers = yes ssl_options = no_compression ssl_dh_parameters_length = 2048 ssl_cipher_list =

Cipher list which You post provide better compatibility or security than those which I currently have? On older software version these cipher list works well and not generate any errors when I run Internal PCI scan test from https://cloud.tenable.com for another server. But for new server with newer software during test I got errors in mail.err. 2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi

Is there any strange thing in these config lines? 2017-02-01 9:40 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>: > doveadm log errors can be helpful too > > > On 01.02.2017 10:25, Poliman - Serwis wrote: > > I can check each logs, I have root privileges. > > > > 2017-02-01 9:04 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>: > > > >> Can

What kind of test are you running? Aki > On April 27, 2017 at 12:00 PM Poliman - Serwis <serwis at poliman.pl> wrote: > > > I turned of ssl_cipher_list in dovecot.conf file (so it's default) but test > still gives errors: > Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown

Default it was: "auth_mechanisms = plain login" and I added cram-md5. After restart all work perfectly. But after I added: driver = passwd-file args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd I can't set default lines because I got error. Please tell me which lines should be changed to resolve this issue. Should I remove "login" from auth_mechanism

I haven't doveadm logs in /var/log/. Are they default in another place or maybe should I turn on something? My config (default passdb block and auth_mechanisms, nothing more changed): root at vps342401:/etc/dovecot# doveconf -n # 2.2.9: /etc/dovecot/dovecot.conf # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS auth_mechanisms = plain login listen = *,[::] log_timestamp =

I can check each logs, I have root privileges. 2017-02-01 9:04 GMT+01:00 Aki Tuomi <aki.tuomi at dovecot.fi>: > Can you check your logs? > > Aki > > > On 01.02.2017 10:02, Poliman - Serwis wrote: > > When I used backup copy of the dovecot.conf file I have this same error. > So > > I think that maybe something was written to database? I really would >

I always restart dovecot after change config. ;) Sure, I commented out added two lines by me, restarted dovecot and here it is: # 2.2.9: /etc/dovecot/dovecot.conf # OS: Linux 3.13.0-100-generic x86_64 Ubuntu 14.04.5 LTS auth_mechanisms = plain login cram-md5 listen = *,[::] log_timestamp = "%Y-%m-%d %H:%M:%S " mail_max_userip_connections = 100 mail_plugins = " quota"

Hi Timo, reading this http://www.kuketz-blog.de/perfect-forward-secrecy-mit-apple-mail/ it looks like DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA can be forced in use with apple mail ( if no ECDHE is possible ,by missing openssl 1.x etc, seems that apple mail tries ECDHE first if fails its going to use RSA-AES128-SHA ) force soltution as tried ssl_cipher_list =

On Thu, Mar 10, 2016 at 12:30 PM, Osiris <dovecot at flut.demon.nl> wrote: > On 09-03-16 13:14, djk wrote: >> On 09/03/16 10:44, Florent B wrote: >>> Hi, >>> >>> I don't see any SSL configuration option in Dovecot to disable >>> "Client-initiated secure renegotiation". >>> >>> It is advised to disable it as it can

When I used backup copy of the dovecot.conf file I have this same error. So I think that maybe something was written to database? I really would point out that I only added passdb { driver = passwd-file args = scheme=cram-md5 /etc/dovecot/cram-md5.pwd } and comment out from above block default lines #args = /etc/dovecot/dovecot-sql.conf #driver = sql And in auth_mechanisms add line