hi again,

but, why is "imapd -s is for IMAP connections that are externally wrapped
by SSL" --> considered "BAD"?

Because TLS allows one to select which certificate to present, and SSL doesn't.

aha.

SSLv2 should not be used at all if you can help it

gone.

i presume, then, that SSLvX *starts* encrypted ... hence the port 993. true?
Yes.

it's actually starting to make sense =)

> BTW add this to imapd.conf:
> tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

Actually, ALL:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH is even better; I did some extra reading.

   tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

i _thought_ the !ADH is there by default ... and i see no reason NOT to
explicitly include (ALL) the high/med grade ciphers.

It is not. TLSv1 will include it... so you need either !ADH or !aNULL (the latter is better). Try openssl ciphers -v, and you'll see.

got it. cryptic, but with a little staring ... clear.

thx!  it's working perfectly now ... on to the next step.

best,

richard
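The check the reply suggests ("try openssl ciphers -v, and you'll see"), as an added example that is not part of the thread: it parses `openssl ciphers -v` output and lists every suite with Au=None, i.e. anonymous key exchange with no server authentication, which is exactly what !ADH / !aNULL strip out of a list such as ALL or TLSv1. The sample output below is constructed in the tool's column format, and the optional live run assumes an `openssl` binary on PATH.

```python
import re
import shutil
import subprocess

# Constructed sample in the `openssl ciphers -v` column format
# (name, protocol, Kx=, Au=, Enc=, Mac=); not captured from any particular OpenSSL build.
SAMPLE_OUTPUT = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_cipher_list(text):
    """Parse `openssl ciphers -v` output into one dict per suite; skips unparseable lines."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def unauthenticated(text):
    """Names of suites with Au=None: the peer is never authenticated, so an active
    attacker can sit in the middle. These are the ones !ADH / !aNULL remove."""
    return [s["name"] for s in parse_cipher_list(text) if s["au"] == "None"]


def live_cipher_list(spec):
    """Expand SPEC with the local openssl, or return None if openssl is unavailable."""
    if shutil.which("openssl") is None:
        return None
    r = subprocess.run(["openssl", "ciphers", "-v", spec], capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else None


if __name__ == "__main__":
    print("anonymous suites in sample:", unauthenticated(SAMPLE_OUTPUT))
    for spec in ("TLSv1", "ALL:!aNULL:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"):
        out = live_cipher_list(spec)
        if out is not None:
            print(spec, "->", unauthenticated(out) or "no anonymous suites")
```

Run it on the two specs discussed above: the bare TLSv1 list shows ADH suites, the corrected list should show none.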
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html