Public bug reported:
Tried several configurations in /etc/dovecot/conf.d/10-ssl.conf
regarding the parameter ssl_cipher_list.
Example:
ssl_cipher_list = ECDHE-RSA-AES256-SHA:!
should allow only the stated cipher.
Result:
sslscan --no-failed mail.example.com:995
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-SEED-SHA
Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits SEED-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA
Accepted TLSv1 112 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 112 bits DES-CBC3-SHA
I can set whatever line in ssl_cipher_list; it won't change anything.
On Postfix I can set
smtpd_tls_mandatory_ciphers = high
Result:
sslscan --no-failed mail.example.com:465
Supported Server Cipher(s):
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Or exclude ciphers with
smtpd_tls_mandatory_exclude_ciphers = DHE-RSA-CAMELLIA256-SHA
and that works on port 465.
System is Xenial server: 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Description: Ubuntu 16.04.3 LTS
Release: 16.04
apt-cache policy dovecot-core
dovecot-core:
Installed: 1:2.2.22-1ubuntu2.6
Candidate: 1:2.2.22-1ubuntu2.6
Version table:
*** 1:2.2.22-1ubuntu2.6 500
500 http://pt.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
1:2.2.22-1ubuntu2 500
500 http://pt.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
aptitude search dovecot |grep 'i '
i A dovecot-core - secure POP3/IMAP server - core files
p dovecot-gssapi - secure POP3/IMAP server - GSSAPI support
i A dovecot-imapd - secure POP3/IMAP server - IMAP daemon
i A dovecot-managesieved - secure POP3/IMAP server - ManageSieve serv
i dovecot-mysql - secure POP3/IMAP server - MySQL support
i A dovecot-pop3d - secure POP3/IMAP server - POP3 daemon
i A dovecot-sieve - secure POP3/IMAP server - Sieve filters su
Apart from that, even if I have
ssl_prefer_server_ciphers = yes
doveconf | grep prefer gives
ssl_prefer_server_ciphers = no
This prevents making Dovecot secure and compliant.
** Affects: dovecot (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1748245
Title:
dovecot version 2.2.22 does not honor ssl_cipher_list
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1748245/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
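The check the reporter is doing by hand above (scan the port, read the "Accepted" lines, compare with what ssl_cipher_list was meant to allow) as an added shell example. This is not code from the bug report, from Dovecot or from sslscan; it assumes scanner output in the line format shown in the report, and the scan text embedded in it is constructed to resemble the port-995 result, not a real scan. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report, Dovecot or sslscan): compare the
# cipher suites a scanner reports as accepted against the cipher policy the
# server is supposed to enforce. Scanner lines are assumed to look like the
# sslscan output in the report:
#   Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA

# Constructed sample: a shortened stand-in for the port-995 result above.
SAMPLE_SCAN='Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 128 bits ECDHE-RSA-RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 112 bits DES-CBC3-SHA'

# Cipher names the scanner reports as accepted, one per line, deduplicated.
# Reads scanner output on stdin.
accepted_ciphers() {
    awk '$1 == "Accepted" { print $NF }' | LC_ALL=C sort -u
}

# Expand an OpenSSL cipher-list string (what goes into ssl_cipher_list) into
# the concrete suite names the local OpenSSL resolves it to, one per line.
# Needs the openssl binary; this is the list the server should be offering.
expand_cipher_list() {
    openssl ciphers "$1" | tr ':' '\n' | LC_ALL=C sort -u
}

# Accepted ciphers that are not in the allowed list.
# $1: allowed cipher names, newline-separated; stdin: scanner output.
unexpected_ciphers() {
    allowed=$1
    accepted_ciphers | while read -r cipher; do
        printf '%s\n' "$allowed" | grep -Fqx -- "$cipher" || printf '%s\n' "$cipher"
    done
}

# Accepted ciphers that are weak regardless of policy
# (RC4, single/triple DES, MD5 MACs, NULL encryption, export grades).
weak_ciphers() {
    accepted_ciphers | grep -E -- '(^|-)(RC4|DES|MD5|NULL|EXP)' || :
}

# Verdict: returns 0 when only allowed ciphers were accepted, 1 otherwise,
# listing the offending ciphers on stdout. $1 as for unexpected_ciphers.
scan_matches_policy() {
    extra=$(unexpected_ciphers "$1")
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Demo on the constructed sample: the configured list names one cipher, the
# scan shows five accepted, so the policy is reported as not enforced.
if ! printf '%s\n' "$SAMPLE_SCAN" | scan_matches_policy 'ECDHE-RSA-AES256-SHA'; then
    echo 'server is not enforcing the configured cipher list'
fi
```

Against a live server the scan is piped in instead of the sample, and the allowed list comes from expanding the configured string, e.g. `sslscan --no-failed mail.example.com:995 | scan_matches_policy "$(expand_cipher_list 'ECDHE-RSA-AES256-SHA')"`. Expanding the string with `openssl ciphers` also shows what OpenSSL actually makes of a given ssl_cipher_list value, which is worth comparing with the effective setting Dovecot reports via `doveconf ssl_cipher_list` (the merged result of every included conf.d file, so a later definition of the same setting elsewhere would win over 10-ssl.conf).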