On 14.08.2013 20:54, Reindl Harald wrote:
>
> On 14.08.2013 20:42, Robert Schetterer wrote:
>> On 14.08.2013 19:03, Reindl Harald wrote:
>>> ssl_cipher_list =
>>> EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2
>>>
>>> is what is *highly* recommended after testing webservers by
>>> https://www.ssllabs.com/ssltest/ and
>>> works with Outlook 2003/2007/2010 as well as Thunderbird, iOS, Apple Mail,
>>> currently
>>
>> hm, do you have the exact URL for test results with mail clients?
>
> no, sadly I can only refer to https://www.ssllabs.com/ssltest/ and
> assume that TLS in the context of mail is not much different; what would
> be cool is a comparable test site, because the handshake examples
> (which client is using which ciphers in combination with your current
> config) from ssllabs are wonderful

so if there is no proven real-world test client validation, much support may come up with older clients

>
> if someone knows such a tool for mailservers, post it here and
> on the postfix list with uppercase letters in the subject
>
>>> there exists even no way to force web browsers to FS without opening the
>>> BEAST attack, and
>>> I doubt in the context of mail it looks much better
>
>>> however, make sure you are using *the latest* dovecot version and at least
>>> openssl 1.0.1e
>>> thunderbird: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
>>
>> thx Harald, upgrading openssl to 1.x and using dove 2.2.5 is no option
>> at my setup, lucid ubuntu, yet
>
> so you can practically forget it

perhaps true forever, as long as old clients are around, because the server can only work around them

>
> before openssl 1.0.1 TLS 1.2 does not work
> confirmed by our upgrade to Fedora 18
> all services now support TLS 1.2, with Fedora 17 and openssl 1.0 no way
>
> and for dovecot the release note for 2.2.5 is pretty clear
> "SSL: Added support for ECDH/ECDHE cipher suite"

my only goal is to force Forward Secrecy

DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA

should be enough for that and works with 0.9x openssl; true, ECDH/ECDHE is much better

the question was if

ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL

makes sense, to prime the announcement of DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA before other ciphers, with the default restrictions

>
> -------- Original Message --------
> Subject: [Dovecot-news] v2.2.5 released
> Date: Mon, 5 Aug 2013 23:03:38 +0300
> From: Timo Sirainen <t...@iki.fi>
> Reply-To: dovecot@dovecot.org
> To: dovecot-n...@dovecot.org <dovecot-n...@dovecot.org>, dovecot@dovecot.org
> List <dovecot@dovecot.org>
>
> http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz
> http://dovecot.org/releases/2.2/dovecot-2.2.5.tar.gz.sig
>
> So, I'm back from the first vacation I've had in about 10 years. (Well, maybe
> there were a few short ones.) I was
> planning on coding it the whole time, but looks like I didn't manage to get
> anything at all done. Maybe that's a
> good vacation?.. Anyway, I've still a few more pending things to look into,
> but it's been too long since v2.2.4 so
> here are the fixes so far.
>
> + SSL: Added support for ECDH/ECDHE cipher suites (by David Hicks)
> + Added some missing man pages (by Pascal Volk)
> + quota-status: Added quota_status_toolarge setting (by Ulrich Zehl)
> - director: Users near expiration could have been redirected to
> different servers at the same time.
> - pop3: Avoid assert-crash if client disconnects during LIST.
> - mdbox: Corrupted index header still wasn't automatically fixed.
> - dsync: Various fixes to work better with imapc and pop3c storages.
> - ldap: sasl_bind=yes caused crashes, because Dovecot's lib-sasl
> symbols conflicted with Cyrus SASL library.
> - imap: Various error handling fixes to CATENATE. (Found using
> Apple's stress test script.)
>

Best Regards

Kind regards
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
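To make the ordering question above checkable, here is an added example (not from the thread, and not Dovecot code) that expands a cipher string with `openssl ciphers -v`, parses the Kx/Au/Enc fields OpenSSL prints, and reports where the first non-forward-secrecy suite lands and which ephemeral suites end up behind it. The embedded sample output is constructed and stands in for the real expansion when openssl is not installed.

```python
import re
import subprocess

# Constructed sample in `openssl ciphers -v` format (not captured from a real host),
# standing in for the expansion of the cipher string from the thread.
SAMPLE = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(256)      Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(128)      Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)      Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH   Au=RSA  Enc=Camellia(256) Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH   Au=None Enc=AES(256)      Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)      Mac=SHA1
"""
EPHEMERAL_KX = {"DH", "ECDH"}  # EDH / EECDH key exchange; Kx=RSA has no forward secrecy
LINE = re.compile(r"(\S+)\s+\S+\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)")

def parse_ciphers(text):
    """Turn `openssl ciphers -v` output into (name, kx, au, enc) tuples, in order."""
    return [m.groups() for m in map(LINE.match, text.splitlines()) if m]

def has_fs(kx, au):
    # Forward secrecy needs an ephemeral exchange AND authentication: anonymous DH
    # (Au=None) is exactly what !aNULL is meant to strip, yet its Kx still reads DH.
    return kx in EPHEMERAL_KX and au != "None"

def audit(ciphers):
    """Where does the first non-FS suite sit, which FS suites are ranked behind it,
    and did any anonymous suite survive? Order only decides the outcome when the
    server enforces its preference; otherwise the client picks from the whole list."""
    first_non_fs = next((i for i, (_, kx, au, _) in enumerate(ciphers)
                         if not has_fs(kx, au)), None)
    demoted = [n for i, (n, kx, au, _) in enumerate(ciphers)
               if first_non_fs is not None and i > first_non_fs and has_fs(kx, au)]
    anonymous = [n for n, _, au, _ in ciphers if au == "None"]
    return {"first_non_fs": first_non_fs, "fs_after_non_fs": demoted, "anonymous": anonymous}

def expand(cipher_string):
    """Expand a cipher string with the local OpenSSL, or use SAMPLE when it is absent."""
    try:
        proc = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return SAMPLE
    return proc.stdout if proc.returncode == 0 else SAMPLE

if __name__ == "__main__":
    print(audit(parse_ciphers(expand(
        "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL"))))
```

On the sample, the two named DHE suites do lead the list, but ALL pulls other ephemeral suites (such as DHE-RSA-CAMELLIA256-SHA, the one Thunderbird negotiated above) in behind non-FS ones, which is why a class keyword such as EDH, as used in Harald's list, ranks every ephemeral-DH suite first rather than two picked by name.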