[Ach] 9.2.1 Dovecot, some additions, questions

L. Aaron Kaplan kaplan at cert.at
Tue Nov 19 22:37:39 CET 2013


On Nov 19, 2013, at 10:34 PM, Pepi Zawodsky <pepi.zawodsky at maclemon.at> wrote:

> == Regenerating DH Params ==
> # How often to regenerate the SSL parameters file. Generation is quite CPU
> # intensive operation. The value is in hours, 0 disables regeneration
> # entirely.
> #ssl_parameters_regenerate = 168
> 
> Default seems
> ssl_parameters_regenerate = 168 # Value in hours, aka 168h ≈ 1w
> 
> DH Parameters used are only 512 Bits and 1024 Bits.
> 
> 
> FYI:
> Creating 512bit DH Params takes 0.86 seconds on my 2GHz Core2Duo Mac mini Server.
> Creating 1024bit DH Params takes 61 seconds.
> 
> 1 week seems too long for my taste even for slower servers.
> Does 24h sound reasonable? More or less?
> 

For a typical server yes, for an embedded device no.

> 
> 
> == Disable Plaintext ==
> Surprisingly this does not seem to be the default everywhere. Should be checked just in case…
> 
> disable_plaintext_auth=yes
> # allows plaintext authentication only when SSL/TLS is used first.
> 
> 
Is that plaintext within a TLS/SSL tunnel?
I would have no issue with that. I have a problem if the plaintext auth is outside of SSL (or used for SSL handshakes)


> 
> == Debugging/Statistics on SSL Client connections ==
> SSL verbosity - seems to be very helpful in debugging and checking what ciphers clients offer.
> 
> verbose_ssl = yes
> # This will make Dovecot log all the problems it sees with SSL connections. Some errors might be caused by dropped connections, so it could be quite noisy.
> 

> 
> 
> == Obligatory Apple Rant ==
> Rant: Apple… 2.0.19apple1 on OS X 10.8.5 Mountain Lion
> Smile: 2.2.5 on OS X 10.9 Mavericks
> 
> 
> 
> Best regards
> Pepi
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

--- 
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
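Added example (editor's code, not from this thread, from Pepi, or from the Dovecot project): a small Python audit of the three settings discussed above, plus a check of what the server actually advertises. The config part assumes a plain `key = value` dovecot.conf fragment with `#` comments; the IMAP part assumes a server following RFC 2595 semantics, i.e. that with plaintext auth refused before TLS the pre-STARTTLS CAPABILITY response carries LOGINDISABLED and offers no AUTH=PLAIN or AUTH=LOGIN. Both config fragments and the capability lines are constructed for the example, modelled on the settings quoted in the thread.

```python
"""Audit the Dovecot SSL settings from the thread and verify the wire-level effect."""

# Constructed fragment with the weak values quoted above (168h regeneration,
# plaintext auth allowed, SSL verbosity off).
WEAK_CONF = """
ssl = yes
disable_plaintext_auth = no
ssl_parameters_regenerate = 168   # hours, default per the thread
verbose_ssl = no
"""

# Constructed fragment following the thread's suggestions (24h on a typical server).
HARDENED_CONF = """
ssl = yes
disable_plaintext_auth = yes      # plaintext mechanisms only after TLS
ssl_parameters_regenerate = 24    # hours; Aaron: fine for a server, not for embedded
verbose_ssl = yes                 # log what ciphers clients offer
"""


def parse_conf(text):
    """Parse `key = value` lines, dropping blank lines and # comments (inline too)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_conf(text, max_regen_hours=24):
    """Return a list of findings; an empty list means the fragment passes."""
    s = parse_conf(text)
    findings = []

    # Pepi's point: do not rely on the default, require it explicitly.
    if s.get("disable_plaintext_auth", "").lower() != "yes":
        findings.append("disable_plaintext_auth is not explicitly 'yes': "
                        "passwords may be sent before TLS is established")

    # Absent key means Dovecot's default of 168h (per the quoted comment).
    regen = s.get("ssl_parameters_regenerate", "168")
    try:
        hours = int(regen)
    except ValueError:
        findings.append(f"ssl_parameters_regenerate={regen!r} is not a whole number of hours")
    else:
        if hours == 0:
            findings.append("ssl_parameters_regenerate = 0 disables DH parameter regeneration")
        elif hours > max_regen_hours:
            findings.append(f"ssl_parameters_regenerate = {hours}h exceeds the "
                            f"{max_regen_hours}h target")

    if s.get("verbose_ssl", "no").lower() != "yes":
        findings.append("verbose_ssl is off: enable it while checking which ciphers clients offer")

    return findings


def plaintext_auth_exposed(capability_line):
    """True if a pre-TLS IMAP CAPABILITY response would accept a cleartext login.

    Accepts either a bare '* CAPABILITY ...' response or a greeting of the form
    '* OK [CAPABILITY ...] ...'.  Exposed when LOGINDISABLED is absent (the LOGIN
    command works) or a cleartext SASL mechanism (PLAIN, LOGIN) is advertised
    before STARTTLS.  Mechanisms like CRAM-MD5 are not cleartext and are not flagged.
    """
    tokens = capability_line.replace("[", " ").replace("]", " ").upper().split()
    caps = set(tokens)
    mechs = {t[len("AUTH="):] for t in caps if t.startswith("AUTH=")}
    login_allowed = "LOGINDISABLED" not in caps
    cleartext_mechs = mechs & {"PLAIN", "LOGIN"}
    return login_allowed or bool(cleartext_mechs)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or "OK")
    # Constructed banners: what a pre-TLS connection on port 143 might return.
    for banner in ("* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready.",
                   "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready."):
        print("exposed" if plaintext_auth_exposed(banner) else "safe", "-", banner)
```

Run the config audit against `doveconf -n` output and the banner check against the greeting you get from port 143 before issuing STARTTLS; the second check answers Aaron's question from the wire rather than from the config file.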



