Interesting. Thanks for the doveconf -a command, didn't know about that one. Also shows that I have

ssl_prefer_server_ciphers = no

Which might need to be changed to "yes".


Gary


On 9/4/2019 11:21 AM, Eric Broch wrote:
You can find out your Dovecot cipher list with this command:
# doveconf -a | grep cipher
ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

I changed the Dovecot cipher list to point to a file and it works fine with above settings in the file.
ssl_cipher_list = </etc/dovecot/cipher_list

When I changed the Dovecot cipher list to point to qmail's ciphers
ssl_cipher_list = </var/qmail/control/tlsserverciphers
I get errors in the Dovecot log: imap-login: Error: Failed to initialize SSL server context: Can't set cipher list to (output list below).

# cat /var/qmail/control/tlsclientciphers
DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA


On Wed, Sep 4, 2019 at 9:02 AM CarlC Internet Services Service Desk <ab...@carlc.com> wrote:

Gary,

https://www.immuniweb.com/ssl/ is a perfect way to test. I think everyone agrees, we just don’t want to set it “X” and assume it’s the best.

Since Dovecot can use a different encryption list than Qmail, that’s why you need to test each port. I think you got the main idea of it now.

Carl

From: Gary Bowling [mailto:g...@gbco.us]
Sent: Wednesday, September 04, 2019 10:50 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SSL Problem Dovecot

Yes it's a bit tricky for sure. Phones for email, which I have a lot of. I have a customer with a fax machine that emails faxes, so it has an email account configured in it. All these things run TLSv1 and aren't things I can dictate go away.

I also found that squirrelmail uses TLSv1 and ECDHE-RSA-AES256-SHA. Since it's logging in from 127.0.0.1 to 127.0.0.1 it's not a problem. But it IS a problem for setting these things in the server.

At this point, I have NO ssl_cipher_list configured in dovecot, so it's using whatever the default is. I set it back this way (that's what it was when I started this exercise) because everything I configured caused me problems. I need to leave the users alone for a bit so they can get some work done :)

With it set this way, I scanned my server using https://www.immuniweb.com/ssl/

Looks like it scans both the mail protocols and the web protocols. The only big problem it shows is the use of TLSv1, which I'm not sure I can do anything about at this point.

There are a few other things it points out that I need to look into...

- Doesn't support TLSv1.3. Not sure I can do anything about this one as I would assume it requires an update to openssl.

- The server does not prefer cipher suites. Need to do some research on this one.

- The server does not enforce HTTP Strict Transport Security. FIXED by adding the following to my virtualhost.

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

Gary
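Eric's default Dovecot list (ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:...) and the qmail list he tried to load differ mainly in what the exclusions remove. The script below is an added example, not code from any of the posts or from Dovecot or qmail: it splits a colon-separated OpenSSL suite list and flags each suite that one of those exclusions would reject, so a list can be audited before it is pointed at from ssl_cipher_list. The classification is a name-based heuristic built on OpenSSL's suite-naming conventions (an assumption), not OpenSSL's own resolution; `openssl ciphers -v` remains the authoritative check.

```python
import re

# (Dovecot exclusion, suite-name pattern) pairs. Assumption: OpenSSL naming conventions.
EXCLUSION_RULES = [
    ("!aNULL",  re.compile(r"^(ADH|AECDH)-")),   # anonymous DH/ECDH: no server authentication
    ("!DSS",    re.compile(r"(^|-)DSS-")),       # DSA-authenticated suites
    ("!PSK",    re.compile(r"(^|-)PSK-")),       # pre-shared-key suites
    ("!EXPORT", re.compile(r"^EXP-")),           # 40/56-bit export suites
    ("!3DES",   re.compile(r"DES-CBC3-")),       # triple DES
    ("!DES",    re.compile(r"(^|-)DES-CBC-")),   # single DES
    ("!RC4",    re.compile(r"(^|-)RC4-")),
    ("!MD5",    re.compile(r"-MD5$")),
]

# Suites whose name starts with one of these tokens negotiate a non-RSA key exchange;
# a bare name such as AES256-SHA means static RSA key exchange (no forward secrecy).
KX_PREFIXES = ("ECDHE-", "ECDH-", "DHE-", "EDH-", "DH-", "ADH-", "AECDH-",
               "PSK-", "RSA-PSK-", "SRP-", "KRB5-", "EXP-", "TLS_")


def classify(suite):
    """Return the Dovecot exclusion that rejects `suite`, or None if it passes."""
    for exclusion, pattern in EXCLUSION_RULES:
        if pattern.search(suite):
            return exclusion
    if not suite.startswith(KX_PREFIXES):
        return "!kRSA"
    return None


def audit_cipher_list(cipher_list):
    """Split an OpenSSL cipher list and return (accepted suites, {rejected suite: exclusion})."""
    accepted, rejected = [], {}
    for suite in filter(None, cipher_list.strip().split(":")):
        reason = classify(suite)
        if reason:
            rejected[suite] = reason
        else:
            accepted.append(suite)
    return accepted, rejected


# Constructed sample: a short slice of the qmail list quoted in the thread.
SAMPLE = ("DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:"
          "ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA:PSK-AES256-CBC-SHA:AECDH-AES128-SHA")

if __name__ == "__main__":
    ok, bad = audit_cipher_list(SAMPLE)
    print("accepted:", ok)
    for suite, why in bad.items():
        print(f"rejected: {suite:32s} ({why})")
```

Run it against the full file with `audit_cipher_list(open("/var/qmail/control/tlsserverciphers").read())` to see which suites Dovecot's defaults would drop.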