You can find out your Dovecot cipher list with this command:
# doveconf -a | grep cipher
ssl_cipher_list =
ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

I changed the Dovecot cipher list to point to a file and it works fine with
above settings in the file.
ssl_cipher_list = </etc/dovecot/cipher_list

When I changed the Dovecot cipher list to point to qmail's ciphers
ssl_cipher_list = </var/qmail/control/tlsserverciphers
I get errors in the Dovecot log: imap-login: Error: Failed to initialize
SSL server context: Can't set cipher list to (output list below).



]# cat /var/qmail/control/tlsclientciphers
DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA
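As an added example, not from this thread and not Dovecot's or qmail's own code: Dovecot's "Can't set cipher list" error is OpenSSL's SSL_CTX_set_cipher_list reporting complete failure, which only happens when not a single name in the string matches a cipher the local OpenSSL build knows (unknown names inside a longer list are skipped silently). The script below reproduces that check with Python's standard ssl module, first on the whole string and then one name at a time, so you can see which entries of a file like the one catted above this OpenSSL build no longer recognises, and whether the file carries surrounding whitespace. The file contents are a constructed sample (KRB5-IDEA-CBC-SHA is taken from the list above as a suite modern OpenSSL builds do not ship); the function names are my own.

```python
import ssl

# Constructed sample of a cipher-list file's contents, i.e. what a `</path`
# include hands to OpenSSL. KRB5-IDEA-CBC-SHA stands in for a suite that a
# current OpenSSL build does not know; the trailing newline is deliberate,
# because editors add one and it is easy to overlook.
SAMPLE_CIPHER_FILE = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:KRB5-IDEA-CBC-SHA\n"
)


def cipher_string_accepted(cipher_string: str) -> bool:
    """True if the local OpenSSL accepts the string, which it does as soon
    as at least one cipher matches; unknown names are skipped silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
        return True
    except ssl.SSLError:
        # OpenSSL reports "No cipher can be selected" when nothing matched.
        return False


def split_cipher_list(raw: str) -> list:
    """Split a colon-separated cipher list into names, dropping empty fields."""
    return [name for name in raw.strip().split(":") if name]


def classify_ciphers(names):
    """Test each explicit suite name on its own so the unknown ones can be
    listed. Meant for explicit names (as in qmail's control files), not for
    keyword expressions such as ALL:!aNULL, which only mean something as a
    whole string."""
    known, unknown = [], []
    for name in names:
        (known if cipher_string_accepted(name) else unknown).append(name)
    return known, unknown


def diagnose_cipher_file(raw: str) -> dict:
    """Summarise why a cipher-list file would or would not load."""
    names = split_cipher_list(raw)
    known, unknown = classify_ciphers(names)
    return {
        "accepted_as_whole": bool(names) and cipher_string_accepted(":".join(names)),
        "known": known,
        "unknown": unknown,
        "has_surrounding_whitespace": raw != raw.strip(),
        "openssl_version": ssl.OPENSSL_VERSION,
    }


if __name__ == "__main__":
    # To check a real file, replace SAMPLE_CIPHER_FILE with
    # open("/var/qmail/control/tlsserverciphers").read().
    report = diagnose_cipher_file(SAMPLE_CIPHER_FILE)
    print("OpenSSL:", report["openssl_version"])
    print("accepted as whole:", report["accepted_as_whole"])
    print("known to this build:", ", ".join(report["known"]) or "none")
    print("unknown to this build:", ", ".join(report["unknown"]) or "none")
    if report["has_surrounding_whitespace"]:
        print("note: file has leading/trailing whitespace or a newline")
```

Run it with the same Python/OpenSSL that Dovecot's host uses; a list that is accepted as a whole but has many unknown entries is a sign the file was written for an older OpenSSL, while a list that fails as a whole means none of its names exist in this build.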


On Wed, Sep 4, 2019 at 9:02 AM CarlC Internet Services Service Desk <ab...@carlc.com> wrote:

> Gary,
>
> https://www.immuniweb.com/ssl/ is a perfect way to test. I think everyone
> agrees, we just don’t want to set it “X” and assume it’s the best.
>
> Since Dovecot can use a different encryption list than Qmail, that’s why
> you need to test each port. I think you got the main idea of it now.
>
> Carl
>
> *From:* Gary Bowling [mailto:g...@gbco.us]
> *Sent:* Wednesday, September 04, 2019 10:50 AM
> *To:* qmailtoaster-list@qmailtoaster.com
> *Subject:* Re: [qmailtoaster] SSL Problem Dovecot
>
> Yes, it's a bit tricky for sure. Phones for email, which I have a lot of. I
> have a customer with a fax machine that emails faxes, so it has an email
> account configured in it. All these things run TLSv1 and aren't things I
> can dictate go away.
>
> I also found that squirrelmail uses TLSv1 and ECDHE-RSA-AES256-SHA. Since
> it's logging in from 127.0.0.1 to 127.0.0.1 it's not a problem. But it IS a
> problem for setting these things in the server.
>
> At this point, I have NO ssl_cipher_list configured in dovecot, so it's
> using whatever the default is. I set it back this way (that's what it was
> when I started this exercise) because everything I configured caused me
> problems. I need to leave the users alone for a bit so they can get some
> work done :)
>
> With it set this way, I scanned my server using
> https://www.immuniweb.com/ssl/
>
> Looks like it scans both the mail protocols and the web protocols. The
> only big problem it shows is the use of TLSv1, which I'm not sure I can do
> anything about at this point.
>
> There are a few other things it points out that I need to look into:
>
> - Doesn't support TLSv1.3. Not sure I can do anything about this one as I
> would assume it requires an update to openssl.
>
> - The server does not prefer cipher suites. Need to do some research on
> this one.
>
> - The server does not enforce HTTP Strict Transport Security. FIXED by
> adding the following to my virtualhost.
>
> Header always set Strict-Transport-Security "max-age=63072000;
> includeSubdomains;"
>
> Gary
