On Tue, 21 Oct 2014 19:02:09 -0700, Eric Shubert wrote: > In order to disable SSL in dovecot, you could either block the SSL > ports (993, 995) in the firewall, or change /etc/dovecot/toaster.conf > file by adding :!SSLv3 to the list of ciphers: > ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:DES-CBC3-SHA
Reconsider disabling SSLv3 ciphers! In OpenSSL they're used by TLSv1.0 and TLSv1.1. The TLSv1.1 protocol didn't introduce any new ciphers, it uses SSLv3 ciphers. If you do this—as far as I've read, I didn't try—TLS for clients that don't support at least version 1.2 will stop working. https://security.stackexchange.com/questions/70832/why-doesnt-the-tls-protocol-work-without-the-sslv3-ciphersuites The correct action is to disable the SSLv3 protocol itself, if possible. Limiting connections to clients capable of => TLSv1.2 might be fine, but I do know how many support that; maybe most? Quinn
