On Tue, 21 Oct 2014 19:02:09 -0700, Eric Shubert wrote:
> In order to disable SSL in dovecot, you could either block the SSL 
> ports (993, 995) in the firewall, or change /etc/dovecot/toaster.conf 
> file by adding :!SSLv3 to the list of ciphers:
> ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:DES-CBC3-SHA

Reconsider disabling SSLv3 ciphers! In OpenSSL they're used by TLSv1.0 and 
TLSv1.1. The TLSv1.1 protocol didn't introduce any new ciphers, it uses SSLv3 
ciphers. If you do this—as far as I've read, I didn't try—TLS for clients that 
don't support at least version 1.2 will stop working.

https://security.stackexchange.com/questions/70832/why-doesnt-the-tls-protocol-work-without-the-sslv3-ciphersuites

The correct action is to disable the SSLv3 protocol itself, if possible. 
Limiting connections to clients capable of => TLSv1.2 might be fine, but I do 
know how many support that; maybe most?

Quinn

Reply via email to