[Ach] 9.2.1 Dovecot, some additions, questions
L. Aaron Kaplan
kaplan at cert.at
Tue Nov 19 22:37:39 CET 2013
On Nov 19, 2013, at 10:34 PM, Pepi Zawodsky <pepi.zawodsky at maclemon.at> wrote:
> == Regenerating DH Params ==
> # How often to regenerate the SSL parameters file. Generation is quite CPU
> # intensive operation. The value is in hours, 0 disables regeneration
> # entirely.
> #ssl_parameters_regenerate = 168
>
> Default seems
> ssl_parameters_regenerate = 168 # Value in hours, aka 168h ≈ 1w
>
> DH Parameters used are only 512 Bits and 1024 Bits.
>
>
> FYI:
> Creating 512bit DH Params takes 0.86 seconds on my 2GHz Core2Duo Mac mini Server.
> Creating 1024bit DH Params takes 61 seconds.
>
> 1 Week seems too long for my taste even for slower servers.
> Does 24h sound reasonable? More or less?
>
For a typical server yes, for an embedded device no.
>
>
> == Disable Plaintext ==
> Surprisingly this does not seem to be the default everywhere. Should be checked just in case…
>
> disable_plaintext_auth=yes
> # allows plaintext authentication only when SSL/TLS is used first.
>
>
Is that plaintext within a TLS/SSL tunnel?
I would have no issue with that. I have a problem if the plaintext auth is outside of SSL (or used for SSL handshakes).
>
> == Debugging/Statistics on SSL Client connections ==
> SSL verbosity - seems to be very helpful in debugging and checking what ciphers clients offer.
>
> verbose_ssl = yes
> # This will make Dovecot log all the problems it sees with SSL connections. Some errors might be caused by dropped connections, so it could be quite noisy.
>
>
>
> == Obligatory Apple Rant ==
> Rant: Apple… 2.0.19apple1 on OS X 10.8.5 Mountain Lion
> Smile: 2.2.5 on OS X 10.9 Mavericks
>
>
>
> Best regards
> Pepi
---
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Company register number 172568b, LG Salzburg
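
A config audit for the three settings discussed in this message, as an added example that is not part of the original mail or of Dovecot. Assumptions: the 24-hour limit is the thread's suggestion treated as policy, the sample configs are constructed, and only flat `key = value` lines are read.

```python
import re

MAX_REGEN_HOURS = 24       # assumption: the thread's "24h" suggestion used as policy
DEFAULT_REGEN_HOURS = 168  # default quoted in the thread (hours)

# Constructed sample configs, not taken from a real server.
SAMPLE_WEAK = """
disable_plaintext_auth = no
#ssl_parameters_regenerate = 168
verbose_ssl = yes
"""
SAMPLE_OK = """
disable_plaintext_auth = yes   # plaintext only after SSL/TLS
ssl_parameters_regenerate = 24
"""

def parse_settings(text):
    """Collect 'key = value' lines; '#' starts a comment.
    Simplification: section nesting and quoted '#' are ignored."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw.split("#", 1)[0].strip())
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit(text):
    """Return a list of (setting, finding) for the three settings in the thread."""
    s, out = parse_settings(text), []
    dpa = s.get("disable_plaintext_auth")
    if dpa is None:  # the thread notes this is not the default everywhere
        out.append(("disable_plaintext_auth", "not set explicitly"))
    elif dpa.lower() != "yes":
        out.append(("disable_plaintext_auth", "plaintext auth allowed without SSL/TLS"))
    raw = s.get("ssl_parameters_regenerate", str(DEFAULT_REGEN_HOURS))
    if not re.fullmatch(r"[0-9]+", raw):
        out.append(("ssl_parameters_regenerate", "not a non-negative integer: %r" % raw))
    elif int(raw) == 0:
        out.append(("ssl_parameters_regenerate", "regeneration disabled"))
    elif int(raw) > MAX_REGEN_HOURS:
        out.append(("ssl_parameters_regenerate",
                    "%sh exceeds %dh" % (raw, MAX_REGEN_HOURS)))
    if s.get("verbose_ssl", "no").lower() == "yes":
        out.append(("verbose_ssl", "enabled; logs may be noisy"))
    return out

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit(cfg))
```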