is perfect way to test. I think everyone agrees, we just don’t want to set it 
“X” and assume it’s the best.


Since Dovecot can use a different encryption list than Qmail, that’s why you 
need to test each port. I think you got the main idea of it now.




From: Gary Bowling
Sent: Wednesday, September 04, 2019 10:50 AM
Subject: Re: [qmailtoaster] SSL Problem Dovecot



Yes it's a bit tricky for sure. Phones for email, which I have a lot of. I have 
a customer with a fax machine that emails faxes, so it has an email account 
configured in it. All these things run TLSv1 and aren't things I can dictate go 


I also found that SquirrelMail uses TLSv1 and ECDHE-RSA-AES256-SHA. Since it's 
logging in from to it's not a problem. But it IS a problem 
for setting these things in the server.


At this point, I have NO ssl_cipher_list configured in dovecot, so it's using 
whatever the default is. I set it back this way (that's what it was when I 
started this exercise) because everything I configured caused me problems. I 
need to leave the users alone for a bit so they can get some work done :)


With it set this way, I scanned my server using 


Looks like it scans both the mail protocols and the web protocols. The only big 
problem it shows is the use of TLSv1, which I'm not sure I can do anything 
about at this point. 


There are a few other things it points out that I need to look into.

- Doesn't support TLSv1.3. Not sure I can do anything about this one as I would 
assume it requires an update to openssl.

- The server does not prefer cipher suites. Need to do some research on this 

- The server does not enforce HTTP Strict Transport Security. FIXED by adding 
the following to my virtualhost.

Header always set Strict-Transport-Security "max-age=63072000; 




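An added example, not part of the thread: before setting ssl_cipher_list in Dovecot, a candidate value can be expanded offline to see whether the suites legacy clients rely on survive it. It assumes the local OpenSSL build matches the server's; the candidate strings and the names `expand`, `review`, `REQUIRED` and `CANDIDATES` are constructed for illustration.

```python
import ssl

def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []          # no suite matched the string at all
    return ctx.get_ciphers()

def review(cipher_string, required):
    """Report which required suites are dropped and which suites remain
    usable by a client that cannot speak anything newer than TLSv1."""
    suites = expand(cipher_string)
    names = {s["name"] for s in suites}
    # Suites whose minimum protocol is TLSv1.2 or TLSv1.3 are out of reach
    # for a TLSv1-only client; everything else is still negotiable by it.
    legacy = [s["name"] for s in suites
              if s["protocol"] not in ("TLSv1.2", "TLSv1.3")]
    return {"missing": [r for r in required if r not in names],
            "legacy_usable": legacy}

# Suite reported for SquirrelMail in the message above.
REQUIRED = ["ECDHE-RSA-AES256-SHA"]

# Constructed candidate values for ssl_cipher_list (not from the thread).
CANDIDATES = {
    "modern-only": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
    "modern+legacy": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA",
}

if __name__ == "__main__":
    for label, value in CANDIDATES.items():
        result = review(value, REQUIRED)
        print(f"{label}: missing={result['missing']} "
              f"tls1_usable={result['legacy_usable']}")
```

A candidate that reports a required suite as missing, or leaves no TLSv1-usable suite, would lock out the TLSv1-only devices described in the message; each listening port still needs its own live test afterwards.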