Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling
Thanks Carl. Unfortunately for my server, all of those suggestions are too tight to work with my clients. However, I did find this web page that offers some good info on ciphers. https://cheatsheetseries.owasp.org/cheatsheets/

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Andrew Swartz
I must retract two cipherlist macros which I tossed out in the email below. It was late and I was sleepy. Both 'HIGH:-SSLv3' and 'ECDHE:DHE:-SSLv3' include ciphersuites with NULL encryption, which means unencrypted. They can be fixed by removing the nulls: 'HIGH:-SSLv3:-NULL' and 'ECDHE

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling
Correct, the default is ssl_min_protocol = TLSv1, which is newer than SSLv3, and SSLv2 is no longer even supported at all. So effectively the default is the same as your old list of TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2

RE: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread CarlC Internet Services Service Desk
Yup, turns out that’s a leftover from before Dovecot 2.2…. It was getting ignored and the default is TLSv1. Removed from my config as obsolete. Carl From: Gary Bowling [mailto:g...@gbco.us] Sent: Wednesday, September 04, 2019 01:44 PM To: qmailtoaster-list@qmailtoaster.com Subject: Re:

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling
Carl, when I put that statement in my dovecot conf I get the following in my log on startup. Sep 04 13:39:41 config: Warning: Obsolete setting in /etc/dovecot/local.conf:22: ssl_protocols has been replaced by ssl_min_protocol Sep 04 13:39

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Eric Broch
Hi Carl, I have no ssl_protocols, but I do have ssl_min_protocol Eric On Wed, Sep 4, 2019 at 11:20 AM CarlC Internet Services Service Desk < ab...@carlc.com> wrote: > For Dovecot, I use > > > > ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2 > > > > Then under ssl_cipher_list, I have a long l

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling
Thanks for that, Carl. I will try that in my dovecot. An interesting note.. The default dovecot ciphers are ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH When I did an openssl ciphers '

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling
Interesting. Thanks for the doveconf -a command, didn't know about that one. Also shows that I have ssl_prefer_server_ciphers = no Which might need to be changed to "yes" Gary On 9/4/2019 11:21 AM

RE: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread CarlC Internet Services Service Desk
For Dovecot, I use ssl_protocols = TLSv1.2 TLSv1.1 TLSv1 !SSLv3 !SSLv2 Then under ssl_cipher_list, I have a long list of ciphers [and blocked ones] that start with the strongest and work downward from there. When I run a scan against IMAPS, any that are found to be compromised, I change t

RE: [qmailtoaster] Qmail Toaster Repos Timing Out

2019-09-04 Thread Matt Weakly
ping ftp.whitehorsetc.com PING whitehorsetc.com (66.62.95.221) 56(84) bytes of data. 64 bytes from 66-62-95-221.cybernet1.com (66.62.95.221): icmp_seq=1 ttl=50 time=147 ms … ping qmt-server.carlc.com PING qmt-server.carlc.com (72.35.89.3) 56(84) bytes of data. 64 bytes from qmt-server.carlc.com (7

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Eric Broch
You can find out your Dovecot cipher list with this command: # doveconf -a | grep cipher ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH I changed the Dovecot cipher list to point to a file and it works fine with above settings in the

Re: [qmailtoaster] Qmail Toaster Repos Timing Out

2019-09-04 Thread Eric Broch
Try (and let me know the output) # ping ftp.whitehorsetc.com # ping qmt-server.carlc.com Can you go directly to the web sites? ftp://qmt-server.carlc.com/pub/repo/qmt/CentOS/7/current/x86_64/ ftp://ftp.whitehorsetc.com/pub/repo/qmt/CentOS/7/current/x86_64/ Run the following commands and let me kn

Re: [qmailtoaster] Qmail Toaster Repos Timing Out

2019-09-04 Thread Matt Weakly
I have the same issue as Roxanne, identical qmt.repo and qmt-mirrorlist-current... CentOS7 (OpenVZ). yum -y install ... error (qt_install.sh): ... ftp://qmt-server.carlc.com/pub/repo/qmt/CentOS/7/current/x86_64/repodata/repomd.xml: [Errno 12] Timeout on ftp://qmt-server.carlc.com/pub/repo/qmt/

RE: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread CarlC Internet Services Service Desk
Gary, https://www.immuniweb.com/ssl/ is a perfect way to test. I think everyone

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling
Yes it's a bit tricky for sure. Phones for email, which I have a lot of. I have a customer with a fax machine that emails faxes, so it has an email account configured in it. All these things run TLSv1 and aren't things I can dictate go away.

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Andrew Swartz
Theoretically, you can be more strict with dovecot because you are the admin for all of those users and you can set the client software requirement. But you have zero input into what every other smtp server in the world will use, so you have to be more flexible there. At least in theory. I

RE: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread CarlC Internet Services Service Desk
The problem is, you have to walk a fine line with your “customers”. If they are on an old version of Outlook on Windows 7, it’s possible they can’t do TLS 1.2 or even 1.1… I had a few clients like that and explained that they had to run Windows Update to get the W7 system up to TLS 1.1/1.2. The

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling
FYI. I wanted to see in the log files what version people were using prior to making changes. To do that you need to add a %k to the login_log_format_elements line in the dovecot configuration. So I added this to the /etc/dovecot/local.conf file on my toaster

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Andrew Swartz
I just fact-checked my statement about enclosing the list in single-quotes. The man page for openssl ciphers specifies only a colon-separated list. The enclosing in single quotes may just be community habit rather than an actual requirement. -Andy On 9/4/2019 5:04 AM, Andrew Swartz wrote:

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Andrew Swartz
On 9/4/2019 4:04 AM, Gary Bowling wrote: That's excellent info Andy, many thanks for that!! I'm going to have to go back and read it about 10 times and possibly go read the referenced material too! Questions, I think you are saying that I can put either 'HIGH:-SSLv3' in the tlsserverciph

Re: [qmailtoaster] SSL Problem Dovecot

2019-09-04 Thread Gary Bowling
That's excellent info Andy, many thanks for that!! I'm going to have to go back and read it about 10 times and possibly go read the referenced material too! Questions, I think you are saying that I can put either 'HIGH:-SSLv3' in the tlsservercip