> On 13/03/2023 15:24 EET Serg <m...@at.encryp.ch> wrote:
>
> Hello, is there any way to disallow client-initiated renegotiation at
> the dovecot? I haven't found any mention of this feature within source
> code as well as at the documentation.
>
> I am asking about it because without this feature the mail server is
> vulnerable to a TLS renegotiation DoS attack which can consume a lot of
> CPU and is harder to combat compared to a basic TLS connections flood.
There is no dovecot config option. However, you can use e.g. /etc/ssl/openssl.cnf to disable this (or whatever the default file in your system is):

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = NoRenegotiation

Aki
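The openssl.cnf approach above only takes effect if every link of the indirection chain (openssl_conf -> ssl_conf -> system_default -> Options) resolves; a typo in any section name makes OpenSSL silently apply nothing. The following is an added example, not code from the thread or from Dovecot: a small Python checker that parses a config file in that layout and reports whether NoRenegotiation actually reaches the system default context. The sample config is constructed from the snippet in the reply.

```python
"""Check that an openssl.cnf wires 'Options = NoRenegotiation' into the
system-default SSL context through the complete indirection chain.
Added example, not part of the mailing-list thread."""
import re

# Constructed sample: the reply's snippet, one directive per line.
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = NoRenegotiation
"""


def parse_openssl_cnf(text):
    """Minimal INI-style parser: {section: {key: value}}. Keys that appear
    before the first [section] header are stored under the name ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def renegotiation_disabled(text):
    """Follow openssl_conf -> ssl_conf -> system_default and return True
    only if the resulting Options list enables NoRenegotiation."""
    cnf = parse_openssl_cnf(text)
    try:
        app_sect = cnf[""]["openssl_conf"]            # application section
        ssl_sect = cnf[app_sect]["ssl_conf"]          # SSL module section
        sys_sect = cnf[ssl_sect]["system_default"]    # applied to every SSL_CTX
        options = cnf[sys_sect]["Options"]
    except KeyError:
        return False          # broken chain: the option is never applied
    flags = [f.strip() for f in options.split(",")]  # a '-' prefix clears a flag
    return "NoRenegotiation" in flags and "-NoRenegotiation" not in flags


if __name__ == "__main__":
    print("renegotiation disabled:", renegotiation_disabled(SAMPLE_CNF))
```

Point it at the real file with `renegotiation_disabled(open("/etc/ssl/openssl.cnf").read())`; a `False` result means the chain is broken or the flag is absent, and Dovecot (which uses the system default context) would still accept client-initiated renegotiation.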