Hi all,

Ten years after the fact I learned about POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerabilities, which enable a poorly configured server to force my client to downgrade to vulnerable encryption.

My current conf.d/10-ssl.conf contains the following line:

ssl_cipher_list = ALL:!LOW:!SSLv3:!EXP:!aNULL

I've read that I should change the preceding line to the following:

ssl_protocols = !SSLv3 !SSLv2

Is this correct? For some reason I have the same ssl_cipher_list in dovecot.conf. Should I make the change there too? Is there anything else I need to change?

The following is my current dovecot.conf:

=================================================
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# OS: Linux 5.10.12_1 x86_64
# Hostname: mydesk.domain.cxm
mail_location = maildir:~/mail/Maildir:INBOX=~/mail/Maildir/.INBOX
namespace inbox {
  inbox = yes
  location =
  prefix =
}
passdb {
  driver = pam
  args = %s
}
userdb {
  driver = passwd
}
protocols = imap
service imap-login {
  inet_listener imap {
    #port = 143
    port = 0
  }
  inet_listener imaps {
    port = 993
    #port = 0
    ssl = yes
    #ssl = no
  }
}
ssl = required
#ssl = yes
ssl_cert = </etc/ssl/dovecot_certs/certs/dovecot.pem
ssl_cipher_list = ALL:!LOW:!SSLv3:!EXP:!aNULL
ssl_key = </etc/ssl/dovecot_certs/private/dovecot.pem
=================================================

By the way, does the preceding dovecot.conf even use the files in directories off conf.d?

Thanks,
SteveT

Steve Litt
Autumn 2023 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
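An added check, not code from the post or from Dovecot, for the distinction the question turns on: ssl_cipher_list selects cipher suites, while the protocol versions a Dovecot 2.3 server will negotiate are set by ssl_min_protocol, which replaced ssl_protocols in 2.3. The Python lint below parses the top-level settings of a dovecot.conf and reports whether the protocol floor actually excludes SSLv3; the sample configs are constructed from the SSL lines in the post, with a corrected variant beside the posted one.

```python
# Constructed sample, condensed from the dovecot.conf in the post (paths as given).
POSTED_CONF = """\
service imap-login {
  ssl = yes
}
ssl = required
#ssl = yes
ssl_cert = </etc/ssl/dovecot_certs/certs/dovecot.pem
ssl_cipher_list = ALL:!LOW:!SSLv3:!EXP:!aNULL
ssl_key = </etc/ssl/dovecot_certs/private/dovecot.pem
"""

# Constructed corrected variant: explicit protocol floor, cipher string left to
# select cipher suites only.
FIXED_CONF = POSTED_CONF.replace(":!SSLv3", "") + "ssl_min_protocol = TLSv1.2\n"

# Values accepted by ssl_min_protocol, oldest first.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_dovecot(text):
    """Top-level settings as a dict; nested blocks are skipped, later assignments win."""
    settings, depth = {}, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):  # entering a nested block (service, namespace, ...)
            depth += 1
        elif line == "}":  # leaving it
            depth -= 1
        elif depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def check_protocol_floor(settings):
    """Findings for the POODLE-relevant settings; an empty list means nothing to fix."""
    findings = []
    if "ssl_protocols" in settings:
        findings.append("ssl_protocols was replaced by ssl_min_protocol in Dovecot 2.3")
    floor = settings.get("ssl_min_protocol")
    if floor is None:
        findings.append("ssl_min_protocol is unset; set it to TLSv1.2 or newer")
    elif floor not in PROTOCOL_ORDER or PROTOCOL_ORDER.index(floor) < PROTOCOL_ORDER.index("TLSv1.2"):
        findings.append(f"ssl_min_protocol = {floor} still permits legacy protocol versions")
    if "!SSLv3" in settings.get("ssl_cipher_list", "").split(":"):
        findings.append("!SSLv3 in ssl_cipher_list filters cipher suites; it does not disable the SSLv3 protocol")
    return findings
```

Running check_protocol_floor(parse_dovecot(POSTED_CONF)) reports the missing floor and the misplaced !SSLv3 token, while the FIXED_CONF variant comes back clean.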