Re: [qmailtoaster] SSL Problem Dovecot

[Gary Bowling]

Interesting. Thanks for the doveconf -a command, didn't know about that one. Also shows that I have ssl_prefer_server_ciphers = no Which might need to be changed to "yes" Gary On 9/4/2019 11:21 AM, Eric Broch wrote: You can find out your Dovecot cipher list with this command: # doveconf -a | grep cipher ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH I changed the Dovecot cipher list to point to a file and it works fine with above settings in the file. ssl_cipher_list = </etc/dovecot/cipher_list When I changed the Dovecot cipher list to point to qmail's ciphers ssl_cipher_list = </var/qmail/control/tlsserverciphers I Get errors in the Dovecot log: imap-login: Error: Failed to initialize SSL server context: Can't set cipher list to (output list below). ]# cat /var/qmail/control/tlsclientciphers DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA On Wed, Sep 4, 2019 at 9:02 AM CarlC Internet Services Service Desk <ab...@carlc.com> wrote: Gary,   https://www.immuniweb.com/ssl/ is perfect way to test. I think everyone agrees, we just don’t want to set it “X” and assume it’s the best.   Since Dovecot can use a different encryption list than Qmail, that’s why you need to test each port. I think you got the main idea of it now.   Carl   From: Gary Bowling [mailto:g...@gbco.us] Sent: Wednesday, September 04, 2019 10:50 AM To: qmailtoaster-list@qmailtoaster.com Subject: Re: [qmailtoaster] SSL Problem Dovecot     Yes it's a bit tricky for sure. Phones for email, which I have a lot of. I have a customer with a fax machine that emails faxes, so it has an email account configured in it. All these things run TLSv1 and aren't things I can dictate go away.   I also found that squirrelmail uses TLSv1 and ECDHE-RSA-AES256-SHA. Since it's logging in from 127.0.0.1 to 127.0.0.1 it's not a problem. But it IS a problem for setting these things in the server.   At this point, I have NO ssl_cipher_list configured in dovecot, so it's using whatever the default is. I set it back this way (that's what it was when I started this exercise) because everything I configured caused me problems. I need to leave the users alone for a bit so they can get some work done :)   With it set this way, I scanned my server using https://www.immuniweb.com/ssl/   Looks like it scans both the mail protocols and the web protocols. The only big problem is shows is the use of TLSv1, which I'm not sure I can do anything about at this point.   There are a few other things it points out that I need to look in to.. - Doesn't support TLSv1.3. Not sure I can do anything about this one as I would assume it requires an update to openssl. - The server does not prefer cipher suites. Need to do some research on this one. - The server does not enforce HTTP Strict Transport Security. FIXED by adding the following to my virtualhost. Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"   Gary