Correct, the default is

ssl_min_protocol = TLSv1


which is newer than SSLv3 and SSLv2 is no longer even supported at all.


So effectively the default is the same as your old list of TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2


Gary


On 9/4/2019 1:51 PM, CarlC Internet Services Service Desk wrote:

Yup, turns out that’s a leftover from before Dovecot 2.2… It was getting ignored and the default is TLSv1.

 

Removed from my config as obsolete.

Carl

 

From: Gary Bowling [mailto:g...@gbco.us]
Sent: Wednesday, September 04, 2019 01:44 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SSL Problem Dovecot

 

 

Carl, when I put that statement in my dovecot conf I get the following in my log on startup.


Sep 04 13:39:41 config: Warning: Obsolete setting in /etc/dovecot/local.conf:22: ssl_protocols has been replaced by ssl_min_protocol
Sep 04 13:39:41 config: Error: Could not find a minimum ssl_min_protocol setting from ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2: Unrecognized protocol 'SSLv2'

 

Thanks, Gary

 

On 9/4/2019 1:20 PM, CarlC Internet Services Service Desk wrote:

For Dovecot, I use

 

ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2

 

Then under ssl_cipher_list, I have a long list of ciphers [and blocked ones] that start with the strongest and work downward from there. When I run a scan against IMAPS, any that are found to be compromised, I change the list to match. This is why I don’t list mine, as it’s fluid based on the latest scans.

 

$0.02,

Carl

--------------------------------------------------------------------- To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
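Added example (not part of the original thread, and not Dovecot's own code): a small Python check that finds an obsolete ssl_protocols line like the one quoted above and derives the ssl_min_protocol value it corresponds to, reporting tokens such as SSLv2 that are no longer recognized. The function names, the protocol ordering table and the sample config are assumptions made for illustration.

```python
import re

# Protocol names in ascending order. TLSv1, TLSv1.1 and TLSv1.2 are the ones
# enabled in the thread; SSLv3 is listed because the thread treats it as older
# than TLSv1. This table is an assumption of the example.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Constructed sample mirroring the local.conf line discussed in the thread.
SAMPLE_CONF = """\
# local.conf (constructed sample)
ssl = required
ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2
"""

def min_protocol(value):
    """Return (lowest enabled protocol or None, unrecognized tokens)."""
    enabled, unknown = set(), []
    for token in value.split():
        name = token.lstrip("!")
        if name not in ORDER:
            unknown.append(name)          # e.g. SSLv2, rejected at startup
        elif not token.startswith("!"):
            enabled.add(name)             # "!" entries are exclusions
    lowest = min(enabled, key=ORDER.index) if enabled else None
    return lowest, unknown

def audit(conf_text):
    """Return [(line_no, suggested ssl_min_protocol, unrecognized tokens)]."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*ssl_protocols\s*=\s*(.*?)\s*(?:#.*)?$", line)
        if m:
            findings.append((no, *min_protocol(m.group(1))))
    return findings

if __name__ == "__main__":
    for no, lowest, unknown in audit(SAMPLE_CONF):
        print(f"line {no}: obsolete ssl_protocols setting")
        if unknown:
            print(f"  unrecognized tokens: {', '.join(unknown)}")
        if lowest:
            print(f"  equivalent: ssl_min_protocol = {lowest}")
```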
