Mark Constable writes:
> On Tue, 19 May 2015 10:07:32 AM Alessandro Vesely wrote:
> > > No, but admittedly just a cheap chained certificate...
> >
> > What's the key length? This article seems to imply it must be >= 2048:
> > https://www.sophos.com/en-us/support/knowledgebase/122327.aspx
>
> Thanks for this (and Sam's) hint about an older certificate being at
> fault. It wasn't the first thing that occurred to me because the cert had
> been working up until the W8.1 upgrade and still worked for all other
> clients. However, just installing a new 2048 bit certificate didn't fix
> our problem, it also required a 2048 bit DH key exchange and disabling
> SSL3 as well...
>
> openssl dhparam -out /etc/ssl/dhparam.pem 2048
mkdhparams already defaults to 2048 bit DH keys.
> and I modified these 2 settings in esmtpd and imapd...
>
> TLS_DHPARAMS=/etc/ssl/dhparam.pem
> TLS_CIPHER_LIST="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
It's surprising that having SSLv3 in there makes the MS-Windows client refuse to connect to the server. If they don't want to use SSL3, that's fine, they can pick TLSv1.
But, if MS-Windows is going to force everyone to finally drop SSL3, that's fine. I'll drop it from the default configuration too.
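The three changes the thread settles on (SSLv3 off, the quoted TLS_CIPHER_LIST, 2048-bit DH parameters) can be checked from Python's ssl module before restarting the daemons. This is an added example, not Courier's code or anything the posters wrote; audit_context, dh_prime_bits and make_dh_pem are names chosen here, and the PEM make_dh_pem builds is a constructed sample whose p is never tested for primality.

```python
import base64
import ssl

# Cipher list quoted in the thread for Courier esmtpd/imapd
TLS_CIPHER_LIST = "TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"

def build_server_context(cipher_list=TLS_CIPHER_LIST):
    """Server context mirroring the posted fix: SSLv2/SSLv3 off, the configured cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.set_ciphers(cipher_list)
    return ctx

def audit_context(ctx):
    """Report whether SSLv3 is off and which enabled ciphers the exclusions should have removed."""
    weak = [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < 128                                  # LOW / MEDIUM / EXP
            or any(t in c["name"] for t in ("NULL", "ADH", "AECDH"))]   # NULL / aNULL
    return {"sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3), "weak_ciphers": weak}

def _der_length(der, pos):
    """Decode a DER length at der[pos]; return (length, offset of the content)."""
    if der[pos] < 0x80:
        return der[pos], pos + 1
    n = der[pos] & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def dh_prime_bits(pem_text):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g }."""
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(body)
    _, pos = _der_length(der, 1)
    if der[0] != 0x30 or der[pos] != 0x02:
        raise ValueError("not a DER SEQUENCE starting with INTEGER p")
    plen, pos = _der_length(der, pos + 1)
    return int.from_bytes(der[pos:pos + plen], "big").bit_length()

def make_dh_pem(p, g=2):
    """Encode (p, g) as a DH PARAMETERS PEM. Constructed sample input only: p is not
    checked for primality, so the result is fit for size checks, not for a real server."""
    def der_len(n):  # minimal DER length; up to 65535 bytes is enough for DH parameters
        return bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    def der_int(v):
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")  # spare byte keeps the sign bit clear
        return b"\x02" + der_len(len(raw)) + raw
    content = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(content)) + content).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"
```

Point dh_prime_bits at the file named in TLS_DHPARAMS (the output of the openssl dhparam command above) to confirm it is really 2048 bits rather than an older, smaller file.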
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users