David Mehler:

Second question, in the doveconf -n there's a reference to my ssl_cipher;
am I using current TLS ciphers that support PFS?


ssl_cipher_list = ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL

Some non-PFS ciphers would still be active. Check yourself:
# openssl ciphers -v 'ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL' | grep -v DH

You disable the SSLv3 *cipher list* here. That may not be the expected result.
The *cipher list* SSLv3 is also used by the TLSv1+ *protocols*.
I suggest reading (again?) https://bettercrypto.org/static/applied-crypto-hardening.pdf

ssl_protocols = TLSv1 !SSLv3 !SSLv2
That disables SSLv2 and SSLv3, but would also disable TLSv1.1 and TLSv1.2, which your SSL library may otherwise support.

Better:
ssl_protocols = !SSLv3 !SSLv2

Finally, you could use the service provided by ssllabs.com to scan your host.
It's a little bit tricky: ssllabs only allows scanning on port 443.
So you may configure your host for imaps (not imap + STARTTLS) on port 443
and use ssllabs.com. But that requires that you do not run a regular HTTPS web server on the same host.

Andreas
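The `openssl ciphers -v | grep -v DH` check above works but keys on the suite name. The following script, added here as an illustration and not part of the mailing-list reply, parses the Kx (key exchange) column of `openssl ciphers -v` output instead and lists every suite that lacks an ephemeral (EC)DH exchange, i.e. has no forward secrecy. The sample output lines are constructed and the `openssl_ciphers()` helper assumes an `openssl` binary on PATH; it also shows why excluding the "SSLv3" cipher-list keyword is a trap, since OpenSSL lists its TLS 1.0/1.1-era suites under the SSLv3 protocol column.

```python
"""Parse `openssl ciphers -v` output and flag cipher suites without forward secrecy."""
from __future__ import annotations

import subprocess
from dataclasses import dataclass

# Constructed sample lines in the `openssl ciphers -v` format (assumed, not captured
# from the poster's host). OpenSSL lists TLS 1.0/1.1-era suites under the "SSLv3"
# protocol column; that column is what the cipher-string keyword "SSLv3" matches.
SAMPLE_OUTPUT = """\
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(128)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
"""


@dataclass
class Cipher:
    name: str
    protocol: str
    kx: str   # key exchange: RSA (key transport), DH (DHE), ECDH (ECDHE), any (TLS 1.3)
    au: str   # peer authentication method
    enc: str  # bulk cipher
    mac: str  # integrity

    @property
    def forward_secret(self) -> bool:
        """PFS needs an ephemeral (EC)DH exchange; RSA key transport has none.
        TLS 1.3 suites always use an ephemeral exchange, so they count as PFS."""
        if self.protocol == "TLSv1.3":
            return True
        return self.kx in ("DH", "ECDH")


def parse_ciphers(text: str) -> list[Cipher]:
    """Turn `openssl ciphers -v` lines into Cipher records; malformed lines are skipped."""
    ciphers: list[Cipher] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        attrs = {}
        for field in fields[2:]:          # Kx=..., Au=..., Enc=..., Mac=... (and "export" on old builds)
            if "=" in field:
                key, value = field.split("=", 1)
                attrs[key] = value
        ciphers.append(Cipher(fields[0], fields[1], attrs.get("Kx", ""),
                              attrs.get("Au", ""), attrs.get("Enc", ""), attrs.get("Mac", "")))
    return ciphers


def non_pfs_names(ciphers: list[Cipher]) -> list[str]:
    """Names of suites that would let a recorded session be decrypted with the server's RSA key."""
    return [c.name for c in ciphers if not c.forward_secret]


def sslv3_column_names(ciphers: list[Cipher]) -> list[str]:
    """Suites OpenSSL files under the SSLv3 keyword, even though TLS 1.0+ uses them too."""
    return [c.name for c in ciphers if c.protocol == "SSLv3"]


def openssl_ciphers(cipher_string: str) -> list[Cipher]:
    """Expand a cipher string with the local OpenSSL binary (assumed to be on PATH)."""
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          check=True, capture_output=True, text=True)
    return parse_ciphers(proc.stdout)


if __name__ == "__main__":
    ciphers = parse_ciphers(SAMPLE_OUTPUT)
    print("Without PFS:", non_pfs_names(ciphers))
    print("Matched by the SSLv3 keyword:", sslv3_column_names(ciphers))
    # Against the real library, using the list from the reply:
    # print(non_pfs_names(openssl_ciphers("ALL:!LOW:!SSLv3:!SSLv2:!EXP:!aNULL")))
```

Run it as-is to see the classification on the sample, or uncomment the last line to check the cipher string your Dovecot actually uses against the OpenSSL it links to.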
