Interesting. Thanks for the doveconf -a command, didn't know about that one. Also shows that I have

ssl_prefer_server_ciphers = no

Which might need to be changed to "yes"


On 9/4/2019 11:21 AM, Eric Broch wrote:
You can find out your Dovecot cipher list with this command:
# doveconf -a | grep cipher
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

I changed the Dovecot cipher list to point to a file and it works fine with above settings in the file.
ssl_cipher_list = </etc/dovecot/cipher_list

When I changed the Dovecot cipher list to point to qmail's ciphers
ssl_cipher_list = </var/qmail/control/tlsserverciphers
I Get errors in the Dovecot log: imap-login: Error: Failed to initialize SSL server context: Can't set cipher list to (output list below).

# cat /var/qmail/control/tlsclientciphers

On Wed, Sep 4, 2019 at 9:02 AM CarlC Internet Services Service Desk

Gary, that is a perfect way to test. I think everyone agrees, we just don’t want to set it “X” and assume it’s the best.


Since Dovecot can use a different encryption list than Qmail, you need to test each port. I think you got the main idea of it now.




From: Gary Bowling []
Sent: Wednesday, September 04, 2019 10:50 AM
Subject: Re: [qmailtoaster] SSL Problem Dovecot



Yes it's a bit tricky for sure. Phones for email, which I have a lot of. I have a customer with a fax machine that emails faxes, so it has an email account configured in it. All these things run TLSv1 and aren't things I can dictate go away.


I also found that squirrelmail uses TLSv1 and ECDHE-RSA-AES256-SHA. Since it's logging in from to it's not a problem. But it IS a problem for setting these things in the server.


At this point, I have NO ssl_cipher_list configured in dovecot, so it's using whatever the default is. I set it back this way (that's what it was when I started this exercise) because everything I configured caused me problems. I need to leave the users alone for a bit so they can get some work done :)


With it set this way, I scanned my server using


Looks like it scans both the mail protocols and the web protocols. The only big problem it shows is the use of TLSv1, which I'm not sure I can do anything about at this point.


There are a few other things it points out that I need to look into.

- Doesn't support TLSv1.3. Not sure I can do anything about this one as I would assume it requires an update to openssl.

- The server does not prefer cipher suites. Need to do some research on this one.

- The server does not enforce HTTP Strict Transport Security. FIXED by adding the following to my virtualhost.

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
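Added example, not code from anyone in this thread: a small Python check that resolves Dovecot's `</path` form of ssl_cipher_list, asks OpenSSL whether it accepts the resulting cipher string (the same call behind the "Can't set cipher list" error Eric saw), and diffs two lists so you can see what a qmail list would enable or drop compared with the Dovecot one. It assumes the Python interpreter links against the same OpenSSL build as Dovecot; if it does not, the accepted cipher set can differ.

```python
import ssl
from pathlib import Path

# Cipher string quoted in the thread from 'doveconf -a | grep cipher'
DOVECOT_CIPHERS = ("ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:"
                   "!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH")


def resolve_dovecot_value(value: str) -> str:
    """Dovecot reads 'setting = </path' as 'use the contents of /path'.
    Return the literal value, or the file contents (stripped) for the '<' form."""
    value = value.strip()
    if value.startswith("<"):
        return Path(value[1:].strip()).read_text().strip()
    return value


def check_cipher_list(cipher_list: str):
    """Ask OpenSSL (through Python's ssl module) whether it accepts this string.
    Returns (True, [cipher names]) or (False, [error text]) when nothing matches,
    which is the condition that makes Dovecot log 'Can't set cipher list to ...'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError as err:
        return False, [str(err)]
    return True, [c["name"] for c in ctx.get_ciphers()]


def compare_cipher_lists(a: str, b: str):
    """Return (only_in_a, only_in_b): ciphers one list enables that the other does not.
    Useful for comparing the Dovecot list with qmail's tlsserverciphers file."""
    ok_a, names_a = check_cipher_list(a)
    ok_b, names_b = check_cipher_list(b)
    if not (ok_a and ok_b):
        raise ValueError("one of the cipher lists is not accepted by OpenSSL")
    return sorted(set(names_a) - set(names_b)), sorted(set(names_b) - set(names_a))


if __name__ == "__main__":
    ok, names = check_cipher_list(resolve_dovecot_value(DOVECOT_CIPHERS))
    print("accepted" if ok else "rejected", names)
```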
