Public bug reported:

Tried several configurations on /etc/dovecot/conf.d/10-ssl.conf regarding the parameter ssl_cipher_list.

Example:

  ssl_cipher_list = ECDHE-RSA-AES256-SHA:!

should allow only the stated cipher. Result:

  sslscan --no-failed mail.example.com:995
  Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
  Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
  Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
  Accepted  TLSv1  256 bits  AES256-SHA
  Accepted  TLSv1  256 bits  CAMELLIA256-SHA
  Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
  Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
  Accepted  TLSv1  128 bits  DHE-RSA-SEED-SHA
  Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
  Accepted  TLSv1  128 bits  AES128-SHA
  Accepted  TLSv1  128 bits  SEED-SHA
  Accepted  TLSv1  128 bits  CAMELLIA128-SHA
  Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
  Accepted  TLSv1  128 bits  RC4-SHA
  Accepted  TLSv1  128 bits  RC4-MD5
  Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
  Accepted  TLSv1  112 bits  EDH-RSA-DES-CBC3-SHA
  Accepted  TLSv1  112 bits  DES-CBC3-SHA

I can set whatever line on ssl_cipher_list, it won't change anything.

On postfix I can set smtpd_tls_mandatory_ciphers = high. Result:

  sslscan --no-failed mail.example.com:465
  Supported Server Cipher(s):
  Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
  Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
  Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
  Accepted  TLSv1  256 bits  AES256-SHA
  Accepted  TLSv1  256 bits  CAMELLIA256-SHA
  Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
  Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
  Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
  Accepted  TLSv1  128 bits  AES128-SHA
  Accepted  TLSv1  128 bits  CAMELLIA128-SHA

or exclude ciphers with smtpd_tls_mandatory_exclude_ciphers = DHE-RSA-CAMELLIA256-SHA, and that works on port 465.

System is xenial server:

  4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  Description:    Ubuntu 16.04.3 LTS
  Release:        16.04

apt-cache policy dovecot-core

  dovecot-core:
    Installed: 1:2.2.22-1ubuntu2.6
    Candidate: 1:2.2.22-1ubuntu2.6
    Version table:
   *** 1:2.2.22-1ubuntu2.6 500
          500 http://pt.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1:2.2.22-1ubuntu2 500
          500 http://pt.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

aptitude search dovecot |grep 'i '

  i A dovecot-core          - secure POP3/IMAP server - core files
  p   dovecot-gssapi        - secure POP3/IMAP server - GSSAPI support
  i A dovecot-imapd         - secure POP3/IMAP server - IMAP daemon
  i A dovecot-managesieved  - secure POP3/IMAP server - ManageSieve serv
  i   dovecot-mysql         - secure POP3/IMAP server - MySQL support
  i A dovecot-pop3d         - secure POP3/IMAP server - POP3 daemon
  i A dovecot-sieve         - secure POP3/IMAP server - Sieve filters su

Apart from that, even if I have ssl_prefer_server_ciphers = yes, doveconf |grep prefer gives ssl_prefer_server_ciphers = no.

This prevents making dovecot secure and compliant.

** Affects: dovecot (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1748245

Title:
  dovecot version 2.2.22 does not honor ssl_cipher_list

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1748245/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
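The check the reporter did by eye (configure a cipher list, run sslscan, see whether anything beyond the configured ciphers is still accepted) can be automated so that a regression like this one shows up in a test rather than in an audit. The script below is an added example, not part of the bug report or of Dovecot or Postfix; it assumes the `Accepted <version> <bits> bits <cipher>` line format sslscan printed in the report, and it resolves only explicit OpenSSL cipher names. Group keywords such as HIGH are deliberately not expanded here (that needs the local OpenSSL, e.g. `openssl ciphers -v HIGH`), so an allowed keyword raises instead of silently matching nothing. The sample scan embedded in the script is constructed from the port-995 output quoted above.

```python
"""Compare sslscan output with the cipher list a daemon was configured with.

Added example (not from the bug report). Assumptions: sslscan's
"Accepted <version> <bits> bits <cipher>" line format, and a cipher string
made of explicit OpenSSL cipher names plus "!"/"-"/"+" modifiers and "@"
options. Group keywords (HIGH, aNULL, ...) are not expanded here.
"""
import re
import sys

# Constructed sample: the port-995 scan quoted in the bug report.
SAMPLE_SCAN = """\
Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLSv1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
Accepted  TLSv1  128 bits  DHE-RSA-SEED-SHA
Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
Accepted  TLSv1  128 bits  AES128-SHA
Accepted  TLSv1  128 bits  SEED-SHA
Accepted  TLSv1  128 bits  CAMELLIA128-SHA
Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
Accepted  TLSv1  128 bits  RC4-SHA
Accepted  TLSv1  128 bits  RC4-MD5
Accepted  TLSv1  112 bits  ECDHE-RSA-DES-CBC3-SHA
Accepted  TLSv1  112 bits  EDH-RSA-DES-CBC3-SHA
Accepted  TLSv1  112 bits  DES-CBC3-SHA
"""

# One sslscan result line: status, protocol version, key bits, suite name.
ACCEPTED_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")


def _is_keyword(name):
    # Heuristic (assumption): real suite names contain "-" (OpenSSL names)
    # or "_" (TLS 1.3 names); bare words like HIGH or aNULL are group keywords.
    return "-" not in name and "_" not in name


def parse_cipher_list(cipher_list):
    """Split an OpenSSL-style cipher string into (allowed, excluded, unexpanded).

    allowed/excluded hold explicit suite names; unexpanded holds excluded
    keywords that could not be resolved here. An allowed keyword raises,
    because treating it as "no cipher" would hide everything the server does.
    """
    allowed, excluded, unexpanded = set(), set(), set()
    for entry in cipher_list.split(":"):
        entry = entry.strip()
        if not entry or entry in ("!", "-", "+"):
            continue  # empty field or a bare modifier, as in "...:!"
        if entry.startswith("@"):
            continue  # @STRENGTH / @SECLEVEL options name no cipher
        if entry[0] in "!-":
            name = entry[1:]
            (unexpanded if _is_keyword(name) else excluded).add(name)
        else:
            name = entry[1:] if entry[0] == "+" else entry  # "+" only reorders
            if _is_keyword(name):
                raise ValueError("cannot expand cipher keyword %r here" % name)
            allowed.add(name)
    return allowed, excluded, unexpanded


def parse_scan(scan_output):
    """Return [(version, bits, cipher), ...] for every 'Accepted' line."""
    found = []
    for line in scan_output.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def check_policy(scan_output, cipher_list):
    """Report where the observed server behaviour departs from the cipher list."""
    allowed, excluded, unexpanded = parse_cipher_list(cipher_list)
    accepted = {cipher for _, _, cipher in parse_scan(scan_output)}
    return {
        "accepted": sorted(accepted),
        "unexpected": sorted(accepted - allowed),        # accepted but never configured
        "excluded_but_accepted": sorted(accepted & excluded),
        "missing": sorted(allowed - accepted),           # configured but not offered
        "unexpanded_exclusions": sorted(unexpanded),
    }


if __name__ == "__main__":
    # Usage: sslscan --no-failed host:995 | python check_ciphers.py 'CIPHER-LIST'
    configured = sys.argv[1] if len(sys.argv) > 1 else "ECDHE-RSA-AES256-SHA:!"
    scan = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    report = check_policy(scan, configured)
    for key, value in report.items():
        print("%-22s %s" % (key + ":", ", ".join(value) or "-"))
    sys.exit(1 if report["unexpected"] or report["excluded_but_accepted"] else 0)
```

Run against the report's port-995 scan with the reporter's `ssl_cipher_list`, the script lists 17 unexpected suites (everything except ECDHE-RSA-AES256-SHA) and exits non-zero, which is the signal that the daemon is not honouring the configured list. A non-empty `missing` list is the opposite failure: a cipher you require that the server never offers.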