"Perfect forward secrecy (PFS) is a property of the key-agreement protocol that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future" (Source: http://en.wikipedia.org/wiki/Perfect_forward_secrecy)
The problem: Courier does unfortunately NOT use forward secrecy.

Whether PFS is in use can be checked with:

  openssl s_client -starttls smtp -connect your-host.net:25
  openssl s_client -connect your-host.net:465

=> in the output the line "Cipher:" must contain either DHE or ECDHE if forward secrecy is active.

I've tried changing the option TLS_CIPHER_LIST in esmtpd and esmtpd-ssl using the cipher list from dovecot ("ALL:!LOW:!SSLv2:!EXP:!aNULL") as well as the cipher list recommended in a discussion from late 2012 on the courier-imap list (http://sourceforge.net/mailarchive/forum.php?thread_name=cone.1353972661.237590.10550.1000%40monster.email-scan.com&forum_name=courier-imap), but this has not changed the problem. I've therefore not been able to get courier to use the secure key exchange ciphers (DHE*, ECDHE*).

Will this security problem get fixed anytime soon (or do I have to move to postfix, which does this just fine, just like dovecot)? If it can be fixed with a different TLS_CIPHER_LIST, please make this new cipher list the default. I have however been unable to do so, but this may be just my stupidity :-)

Gerald

PS: I'm running courier 0.69 on Gentoo Linux 64-bit. OpenSSL version is 1.0.1c; I've not tried Courier with GnuTLS. I have however now updated to Courier 0.71 and it has not changed anything.
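Added example, not part of Gerald's post and not Courier's own code: a small POSIX sh helper that runs the two openssl s_client checks from the post and classifies the negotiated key exchange from the "Cipher :" line of the SSL-Session block that s_client prints. It assumes OpenSSL's s_client output format ("Protocol : ..." and "Cipher : ..." lines); the sample transcripts are constructed, not captured from a real server. It also covers two cases the post does not mention: a failed handshake ("Cipher : 0000"), which a naive grep for DHE would report as "no forward secrecy", and TLS 1.3, whose suite names (TLS_AES_256_GCM_SHA384, ...) drop the DHE/ECDHE prefix even though TLS 1.3 only supports ephemeral key exchange.

```sh
#!/bin/sh
# Added example (not from the original post): classify the key exchange of a
# TLS session from the "SSL-Session:" block printed by `openssl s_client`.
# Assumed format: "    Protocol  : TLSv1.2" and "    Cipher    : <suite>" lines,
# as emitted by OpenSSL 1.0.x and later.

# pfs_status TRANSCRIPT
#   prints "pfs" (exit 0), "no-pfs" (exit 2) or "no-handshake" (exit 1)
pfs_status() {
    transcript=$1
    proto=$(printf '%s\n' "$transcript" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$transcript" | sed -n 's/^ *Cipher *: *//p' | head -n 1)

    # "Cipher : 0000" or an empty field means no session was negotiated at
    # all; without this check it would be misreported as "no forward secrecy".
    case "$cipher" in
        ""|0000|"(NONE)") echo no-handshake; return 1 ;;
    esac

    # TLS 1.3 suite names no longer name the key exchange, but TLS 1.3 only
    # supports ephemeral (EC)DHE, so any negotiated TLS 1.3 session has PFS.
    # (Goes beyond the post, which predates TLS 1.3.)
    case "$proto" in
        TLSv1.3) echo pfs; return 0 ;;
    esac

    # TLS 1.2 and older: ephemeral key exchange shows up as DHE/ECDHE, or as
    # EDH in OpenSSL's older names (e.g. EDH-RSA-DES-CBC3-SHA). Static ECDH
    # (ECDH-RSA-...) and plain RSA key transport (AES256-SHA) do not match.
    case "$cipher" in
        *ECDHE*|*DHE*|*EDH*) echo pfs; return 0 ;;
        *) echo no-pfs; return 2 ;;
    esac
}

# check_pfs_live HOST PORT [STARTTLS-PROTOCOL]
#   runs the same s_client invocations as the post and classifies the result.
check_pfs_live() {
    host=$1; port=$2; starttls=$3
    if [ -n "$starttls" ]; then
        out=$(openssl s_client -starttls "$starttls" -connect "$host:$port" </dev/null 2>/dev/null)
    else
        out=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null)
    fi
    pfs_status "$out"
}

# Constructed transcripts (trimmed to the relevant lines) for offline use.
SAMPLE_PFS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA'
SAMPLE_NO_PFS='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'
SAMPLE_NO_HANDSHAKE='SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_TLS13='SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

# Usage: sh pfs_check.sh your-host.net 25 smtp     (submission/IMAPS: your-host.net 465)
if [ $# -ge 2 ]; then
    check_pfs_live "$1" "$2" "$3"
fi
```

Run it against the STARTTLS port and the implicit-TLS port separately, as the post does, because the two daemons (esmtpd and esmtpd-ssl) read their own TLS_CIPHER_LIST. Note that the result only reflects the suite the client and server agreed on for this one connection: a server can offer DHE/ECDHE suites and still pick RSA key transport if its cipher order prefers it, so a "no-pfs" answer means "this server did not negotiate PFS with this client", not necessarily "this server cannot".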