Gerald Hopf writes:

"Perfect forward secrecy (PFS) is a property of the key-agreement
protocol that ensures that a session key derived from a set of long-term
public and private keys will not be compromised if one of the
(long-term) private keys is compromised in the future"
(Source: http://en.wikipedia.org/wiki/Perfect_forward_secrecy)

The problem: Courier does unfortunately NOT use forward secrecy.

Whether PFS is in use can be checked with:
openssl s_client -starttls smtp -connect your-host.net:25
openssl s_client -connect your-host.net:465
=> in the output the line "Cipher:" must contain either DHE or ECDHE if
forward secrecy is active.

I do not see the connection between "PFS" and these two specific key exchange protocols.

"PFS" is just a generic concept, not tied to any particular technology.

I've tried changing the option TLS_CIPHER_LIST in esmtpd and esmtpd-ssl
using the cipher list from dovecot ("ALL:!LOW:!SSLv2:!EXP:!aNULL") as
well as the cipher list recommended in a discussion from late 2012 on
the courier-imap list
(http://sourceforge.net/mailarchive/forum.php?thread_name=cone.1353972661.237590.10550.1000%40monster.email-scan.com&forum_name=courier-imap)
but this has not changed the problem.

In addition to TLS_CIPHER_LIST, the list of available ciphers also depends on your certificate file.

I don't recall offhand if you are required to use a DH certificate, instead of an RSA certificate, or if having DH parameters is sufficient.

Use 'openssl dhparams' to generate a set of new DH parameters, and append them to your certificate file, and see if it helps. If not, try creating a new DH certificate.
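The check quoted above and the reply's DH-parameter suggestion, as a small POSIX shell script; this is an added example, not code from the thread or from Courier. Host names, ports and the certificate path are placeholders, and the classifier also treats TLS 1.3 suites (`TLS_*`) as ephemeral, which goes beyond what the 2013 thread covers.

```shell
#!/bin/sh
# Added example (not from the thread): classify the key exchange of the suite
# that openssl s_client negotiated, based on its "Cipher    : ..." line.
# Prints PFS, NO-PFS or NO-CIPHER on stdout and returns 0 only for PFS.
pfs_from_s_client_output() {
    # s_client prints e.g. "    Cipher    : ECDHE-RSA-AES256-GCM-SHA384";
    # the earlier "New, TLSv1/SSLv3, Cipher is ..." line is deliberately not matched.
    cipher=$(sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case "$cipher" in
        '' | 0000 | '(NONE)')             # handshake failed or no cipher line at all
            echo NO-CIPHER; return 2 ;;
        ECDHE-* | DHE-* | EDH-* | TLS_*)   # ephemeral (EC)DH; TLS_* = TLS 1.3, always ephemeral
            echo PFS; return 0 ;;
        *)                                 # static RSA (or other non-ephemeral) key exchange
            echo NO-PFS; return 1 ;;
    esac
}

# The two probes from the post. Host name is a placeholder.
# usage: probe_pfs mail.example.net 25 smtp    (STARTTLS on the submission/MTA port)
#        probe_pfs mail.example.net 465         (implicit TLS)
probe_pfs() {
    if [ -n "$3" ]; then
        openssl s_client -starttls "$3" -connect "$1:$2" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" </dev/null 2>/dev/null
    fi | pfs_from_s_client_output
}

# The reply's suggestion: generate fresh DH parameters and append them to the
# PEM file Courier reads (path is a placeholder; see TLS_CERTFILE in esmtpd/esmtpd-ssl).
# usage: add_dh_params /etc/courier/esmtpd.pem 2048
add_dh_params() {
    openssl dhparam "${2:-2048}" >> "$1"
}

# Run a probe only when called with host and port, e.g. ./pfs-check.sh mail.example.net 465
if [ $# -ge 2 ]; then
    probe_pfs "$@"
fi
```

After appending DH parameters, restart the esmtpd/esmtpd-ssl daemons and re-run the probe; the `Cipher :` line should then show a DHE or ECDHE suite.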


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users