Hi, what are your settings?

Mine are below and they work just fine:

ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SSLv2:!SSLv3

Thanks and regards

Goetz R. Schultz

On 04/01/18 18:56, Jan Vejvalka wrote:
> Hi *,
>
> The change in default SSL settings between 2.2 and 2.3 cut off a few
> clients; Microsoft-hosted Exchange (?) being one of them:
>
> Jan  4 11:02:56 kremail dovecot: pop3-login: Disconnected (no auth
> attempts in 0 secs): user=<>, rip=40.101.4.hisip, lip=myip, TLS
> handshaking: SSL_accept() failed: error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<8SGob/BhTdcoZQS1>
>
> Explicitly setting ssl_cipher_list to the old defaults helped:
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> Does someone have an idea what to recommend to the poor user or should
> I accept that I stay with the old defaults? The guy is cooperative, so
> we can find out which of the !'s in the new defaults actually breaks the
> connection... if you think it's worth it.
>
> Thanks for your help,
>
> Jan
>
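
One way to see which clients a cipher-list change has cut off, as an added example that is not part of the original messages: it counts "no shared cipher" handshake failures per login service and remote IP. The log lines are constructed, modelled on the entry quoted above; the host name, addresses and session ids are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log entry quoted in the thread;
# the host name, documentation-range addresses and session ids are placeholders.
SAMPLE_LOG = """\
Jan  4 11:02:56 mailhost dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<AAAAAAAAAAAAAAAA>
Jan  4 11:03:10 mailhost dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, mpid=4242, TLS, session=<BBBBBBBBBBBBBBBB>
Jan  4 11:07:56 mailhost dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<CCCCCCCCCCCCCCCC>
Jan  4 11:09:02 mailhost dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.30, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<DDDDDDDDDDDDDDDD>
Jan  4 11:12:41 mailhost dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.7, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number, session=<EEEEEEEEEEEEEEEE>
"""

# Matches a login-process line whose TLS handshake failed. The OpenSSL error
# is "error:<code>:<library>:<function>:<reason>"; the function field may be
# empty, so each middle field is allowed to match nothing.
FAIL_RE = re.compile(
    r"dovecot: (?P<service>[\w-]+-login): .*?"
    r"rip=(?P<rip>[^,\s]+), .*?"
    r"TLS handshaking: SSL_accept\(\) failed: "
    r"error:[0-9A-Fa-f]+:[^:]*:[^:]*:(?P<reason>[^,]+)"
)


def handshake_failures(lines):
    """Yield (service, remote_ip, reason) for each failed TLS handshake."""
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            yield m["service"], m["rip"], m["reason"].strip()


def cut_off_clients(lines, reason="no shared cipher"):
    """Count handshake failures with the given reason per (service, remote IP)."""
    return Counter(
        (svc, rip) for svc, rip, why in handshake_failures(lines) if why == reason
    )


if __name__ == "__main__":
    # Most frequently rejected clients first.
    for (svc, rip), n in cut_off_clients(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {svc:12s} {rip}")
```

Running it over the mail log before and after a change to ssl_cipher_list shows whether the same remote addresses are still being rejected.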