Gary,

https://www.immuniweb.com/ssl/ is a perfect way to test. I think everyone agrees; we just don't want to set it to "X" and assume it's the best. Since Dovecot can use a different encryption list than Qmail, that's why you need to test each port. I think you've got the main idea of it now.

Carl

From: Gary Bowling [mailto:[email protected]]
Sent: Wednesday, September 04, 2019 10:50 AM
To: [email protected]
Subject: Re: [qmailtoaster] SSL Problem Dovecot

Yes, it's a bit tricky for sure. Phones for email, which I have a lot of. I have a customer with a fax machine that emails faxes, so it has an email account configured in it. All these things run TLSv1 and aren't things I can dictate go away.

I also found that SquirrelMail uses TLSv1 and ECDHE-RSA-AES256-SHA. Since it's logging in from 127.0.0.1 to 127.0.0.1 it's not a problem. But it IS a problem for setting these things in the server.

At this point, I have NO ssl_cipher_list configured in Dovecot, so it's using whatever the default is. I set it back this way (that's what it was when I started this exercise) because everything I configured caused me problems. I need to leave the users alone for a bit so they can get some work done :)

With it set this way, I scanned my server using https://www.immuniweb.com/ssl/

Looks like it scans both the mail protocols and the web protocols. The only big problem it shows is the use of TLSv1, which I'm not sure I can do anything about at this point. There are a few other things it points out that I need to look into:

- Doesn't support TLSv1.3. Not sure I can do anything about this one, as I would assume it requires an update to OpenSSL.
- The server does not prefer cipher suites. Need to do some research on this one.
- The server does not enforce HTTP Strict Transport Security. FIXED by adding the following to my virtualhost:

  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

Gary
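The per-port testing Carl recommends, plus offline-checkable versions of two of the scanner findings Gary lists (cipher-suite preference and HSTS), as an added example that is not code from either poster or from the qmailtoaster project. It assumes a hostname passed as the first argument, the usual qmail/Dovecot/Apache port list, and two TLSv1.2 suites that the server has enabled for the order check; the SAMPLE_* strings are constructed s_client and HTTP excerpts, not captures from Gary's server.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code): probe every
# TLS-speaking port for each protocol version, then check cipher-suite
# ordering and HSTS. Host, port list, cipher pair and samples are assumptions.

# Which ports need STARTTLS (and which openssl -starttls keyword). 465, 993,
# 995 and 443 speak TLS from the first byte, so they get no keyword.
starttls_for_port() {
    case "$1" in
        25|587) echo smtp ;;
        110)    echo pop3 ;;
        143)    echo imap ;;
        *)      echo "" ;;
    esac
}

# Pull "proto cipher" out of openssl s_client output. s_client prints a line
# like "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384" on success and
# "New, (NONE), Cipher is (NONE)" when the handshake failed.
negotiated() {
    printf '%s\n' "$1" | awk -F', ' '/^New, /{ sub(/^Cipher is /, "", $3); print $2, $3; exit }'
}

# True when the server completed a handshake at the requested version.
version_accepted() {
    proto=$(negotiated "$1" | cut -d' ' -f1)
    [ -n "$proto" ] && [ "$proto" != "(NONE)" ]
}

# The "server does not prefer cipher suites" finding: offer the same two suites
# in both orders (-cipher A:B, then B:A). A server that picks the same suite
# both times enforces its own order; one that follows the client does not.
# Arguments are the suite chosen in each run; (NONE)/empty means no handshake.
cipher_order_owner() {
    case "$1:$2" in
        *"(NONE)"*|:*|*:) echo unknown ;;
        *) if [ "$1" = "$2" ]; then echo server; else echo client; fi ;;
    esac
}

# The HSTS finding: look for the header in a raw HTTP response header block.
has_hsts() {
    printf '%s\n' "$1" | grep -qi '^strict-transport-security:'
}

# One s_client probe; extra arguments (e.g. -cipher LIST) are passed through.
# Caveat: a "rejected" result can come from the client side. An OpenSSL built
# or configured with a security level that refuses TLSv1, or one too old to
# know -tls1_3, fails on its own, so confirm a surprising rejection with a
# second client or the server log before touching the server config.
probe() {  # probe host port version [openssl args...]  version: tls1 tls1_1 tls1_2 tls1_3
    host=$1; port=$2; ver=$3; shift 3
    st=$(starttls_for_port "$port")
    if [ -n "$st" ]; then set -- "$@" -starttls "$st"; fi
    openssl s_client -connect "$host:$port" "-$ver" "$@" </dev/null 2>&1 || true
}

audit_host() {
    host=$1
    # Assumed pair: both must be enabled on the server for the order check to mean anything.
    pair1=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
    pair2=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
    for port in 25 587 110 143 465 993 995 443; do
        for ver in tls1 tls1_1 tls1_2 tls1_3; do
            out=$(probe "$host" "$port" "$ver")
            if version_accepted "$out"; then
                printf '%s/%-7s accepted  %s\n' "$port" "$ver" "$(negotiated "$out")"
            else
                printf '%s/%-7s rejected\n' "$port" "$ver"
            fi
        done
        c1=$(negotiated "$(probe "$host" "$port" tls1_2 -cipher "$pair1")" | cut -d' ' -f2)
        c2=$(negotiated "$(probe "$host" "$port" tls1_2 -cipher "$pair2")" | cut -d' ' -f2)
        printf '%s cipher order decided by: %s\n' "$port" "$(cipher_order_owner "$c1" "$c2")"
    done
    hdrs=$(curl -sI "https://$host/" || true)
    if has_hsts "$hdrs"; then echo "HSTS: present"; else echo "HSTS: missing"; fi
}

# Constructed excerpts (not captured from any real server) for exercising the
# parsing functions without network access.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_HDRS='HTTP/1.1 200 OK
Date: Wed, 04 Sep 2019 14:50:00 GMT
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Content-Type: text/html'

# Usage: sh tls-audit.sh mail.example.org   (hostname is an assumption)
if [ -n "${1:-}" ]; then audit_host "$1"; fi
```

Run it once against the host and read the matrix per port: Dovecot's ports (110/143/993/995) and qmail's (25/465/587) can disagree because each daemon has its own OpenSSL configuration, which is Carl's point. For the second finding, the settings that make the server own the cipher order are `ssl_prefer_server_ciphers = yes` in Dovecot and `SSLHonorCipherOrder on` in Apache; and TLSv1.3 needs OpenSSL 1.1.1 on the server, so on an older distribution the scanner's TLSv1.3 finding is indeed not fixable in Dovecot's config alone.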
