On Mon, 9 Nov 2020, Raymond Herrera wrote:
> I am preparing a new server, with Dovecot 2.2.36 and would like to know the
> currently recommended protocols. Should I stick to what I have? I would
> prefer to start with the easiest configuration possible, which I will revise
> later.
>
> This is the command that I have been using to verify the server's
> functionality:
>
> % openssl s_client -connect localhost:imaps
Implicit SSL (SSL/TLS) has the slight advantage over STARTTLS as a MITM
cannot strip the STARTTLS server banner during the session handshake and
downgrade the client to plaintext.
However, the most important security considerations are:
- set the SSL version to at least TLS 1.2 to avoid
known weaknesses in older versions.
- set cipher list to avoid weak ciphers. One of
many guides
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
- (client) enforce SSL connection (i.e. refuse plaintext
sessions).
Joseph Tam <jtam.h...@gmail.com>
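The three recommendations above, written out as a Dovecot 2.2 configuration fragment. This is an added example, not a file from the thread or from the Dovecot project; it uses the 2.2-era `ssl_protocols` setting (Dovecot 2.3 replaced it with `ssl_min_protocol`), the certificate paths are placeholders, and the cipher string is one illustrative OpenSSL cipher list that excludes anonymous, MD5 and DSS suites rather than a list taken from the linked guide. The weak settings are shown commented out beside the hardened ones.

```conf
# conf.d/10-ssl.conf (Dovecot 2.2.x) -- added example, not from the thread

# Weak: "ssl = yes" still accepts plaintext sessions; "required" refuses
# any non-TLS connection (third point in the reply: enforce SSL).
#ssl = yes
ssl = required

# Placeholder paths: substitute the real certificate and key.
ssl_cert = </etc/ssl/certs/EXAMPLE-imap.pem
ssl_key  = </etc/ssl/private/EXAMPLE-imap.key

# Weak: the 2.2 default only disables SSLv2/SSLv3, leaving TLS 1.0/1.1.
# Hardened: disable everything below TLS 1.2 (first point in the reply).
#ssl_protocols = !SSLv2 !SSLv3
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1

# Weak: the OpenSSL default list includes legacy suites.
# Hardened: forward-secret AEAD suites only; take the current list from a
# maintained guide such as the SSL Labs page cited above.
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_cipher_list = ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!DSS
ssl_prefer_server_ciphers = yes

# conf.d/10-auth.conf: never accept a password over a plaintext session.
disable_plaintext_auth = yes

# conf.d/10-master.conf: keep the implicit-TLS listener on 993 (imaps),
# which is the banner-stripping-resistant option described in the reply.
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

After `doveadm reload`, the same `openssl s_client` command from the question can be used to confirm the result: `openssl s_client -connect localhost:imaps -tls1` (or `-tls1_1`) should fail the handshake, while the plain `openssl s_client -connect localhost:imaps` should negotiate TLSv1.2 or later and show one of the configured ciphers. Assumed for this check: the `-tls1` and `-tls1_1` options of the local `openssl` build, which newer OpenSSL releases may disable at compile time.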