Since people are now talking about the SSLv3 security hole and how to disable 
it, here's a thread where you can talk about that. In Dovecot v2.1+ you can 
disable SSLv3 by setting:

ssl_protocols = !SSLv2 !SSLv3

In older versions you'd have to patch the source code. Attached a patch against 

I don't know if there are any clients that would break by disabling SSLv3. I'd 
expect all the clients to use the system (or otherwise generic) SSL libraries, 
which would automatically choose the TLS protocol over SSL. So my guess is that 
unless somebody is using over a 10 year old client there wouldn't be any 
problems. Maybe some old mobile phones might be using SSL.. If you find out 
about any clients that require SSLv3 I'd like to know about it. For Dovecot 
v2.3 I could maybe disable SSLv3 by default if there's no real need for it.

(Also: Don't be confused by SSL/TLS protocols vs. SSL port/STARTTLS, as 
described in For example 
is irrelevant here.)

Attachment: dovecot-sslv3-disable.diff
Description: Binary data

Reply via email to