On Fri, 17 Oct 2014 10:52:12 +0300, Catalin Leanca wrote:
> I managed to disable SSLv3 in /etc/courier/imapd-ssl and
> /etc/courier/pop3-ssl
> Changed TLS_PROTOCOL=SSLv3 to TLS_PROTOCOL=TLS1

Catalin (and others): have you succeeded in disabling SSLv3 in courier? When I try this configuration, I am unable to connect even with a TLS-compatible client, not even the openssl itself:

    openssl s_client -state -nbio -connect mail.example.com:993

I get this output:

    CONNECTED(00000003)
    turning on non blocking io
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:error in SSLv2/v3 read server hello A
    write R BLOCK
    SSL_connect:error in SSLv2/v3 read server hello A
    read:errno=54

According to the openssl documentation, this error usually results from the connection not being able to auto-negotiate a suitable ssl version to use. So, I force a TLS connection using -tls1:

    openssl s_client -state -nbio -connect oak2.strangecode.com:993 -tls1

And then I get a successful connection with the openssl client.

The problem is the real IMAP client I use (Gyazmail) doesn't connect (though it does support TLS). Perhaps it is trying SSLv3 first, and fails to negotiate to TLS? I also read that some Courier versions have this problem, some not [1].

I'd appreciate it if you could run the above openssl command (without -tls1) and let me know if it connects for you or not.

BTW, if you want to test that your server refuses SSLv3 connections, run the openssl client with '-ssl3'.

Quinn

[1] http://sourceforge.net/p/courier/mailman/message/17185523/
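
Added example, not part of the original message: a shell wrapper that runs the s_client tests described above (-ssl3, -tls1 and auto-negotiation) and reduces each run to one verdict. The function names are hypothetical, and the success pattern assumes s_client reports a "read server hello" state line without "error in" once the server has answered.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; host and port are placeholders.

# Read `openssl s_client -state` output on stdin and print one verdict:
#   accepted - a server hello arrived, so the server agreed to a protocol version
#   refused  - the connection was reset or an alert was reported before that
#   unknown  - neither was seen
# With -nbio, "error in ... read server hello" is also printed while a
# non-blocking read is merely waiting, so that line alone decides nothing.
classify_s_client() {
    awk '
        /^SSL_connect:/ && /read server hello/ && !/error in/ { hello = 1 }
        /^(read|write):errno=/ || /alert/                      { fail = 1 }
        END {
            if (hello)     print "accepted"
            else if (fail) print "refused"
            else           print "unknown"
        }'
}

# The failing output quoted in the message above, kept here for offline checking.
sample_refused() {
    cat <<'EOF'
CONNECTED(00000003)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:error in SSLv2/v3 read server hello A
read:errno=54
EOF
}

# probe HOST PORT [FLAG]: FLAG is -ssl3, -tls1, or empty for auto-negotiation.
probe() {
    openssl s_client -state -connect "$1:$2" ${3:+"$3"} </dev/null 2>&1 |
        classify_s_client
}

# Usage: sh probe.sh mail.example.com 993
if [ "$#" -ge 2 ]; then
    for flag in -ssl3 -tls1 ""; do
        printf '%-6s %s\n' "${flag:-auto}" "$(probe "$1" "$2" "$flag")"
    done
fi
```

With SSLv3 disabled on the server, the intended result is "refused" for -ssl3 and "accepted" for -tls1; "refused" on the auto line matches the negotiation failure reported in the message.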