[Ach] [PATCH] disable SSLv3 for Dovecot

jluebbe at lasnet.de
Sun Oct 19 17:46:20 CEST 2014


From: Jan Luebbe <jluebbe at debian.org>

Dovecot 2.0 does not support the ssl_protocols setting.
---
 src/configuration/MailServers/Dovecot/10-ssl.conf |  2 +-
 src/practical_settings/mailserver.tex             | 11 +++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/configuration/MailServers/Dovecot/10-ssl.conf b/src/configuration/MailServers/Dovecot/10-ssl.conf
index 04bf926..7895a2b 100644
--- a/src/configuration/MailServers/Dovecot/10-ssl.conf
+++ b/src/configuration/MailServers/Dovecot/10-ssl.conf
@@ -46,7 +46,7 @@ ssl_key = </etc/dovecot/private/dovecot.pem
 #ssl_dh_parameters_length = 1024
 
 # SSL protocols to use
-#ssl_protocols = !SSLv2
+ssl_protocols = !SSLv2 !SSLv3
 
 # SSL ciphers to use
 ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
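Review bot: enabling `ssl_protocols = !SSLv2 !SSLv3` makes the shipped 10-ssl.conf fail to load on Dovecot 2.0, because the commit message says 2.0 does not support ssl_protocols and mailserver.tex says Dovecot does not ignore unknown configuration parameters; a one-line comment above the setting telling Dovecot 2.0 users to remove it would save them a failed restart. A second comment is worth adding for the unchanged `+SSLv3` token in ssl_cipher_list: it is the OpenSSL cipher-suite group alias, not the protocol, so it does not undo `!SSLv3` above, but the two side by side are easy to misread.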
diff --git a/src/practical_settings/mailserver.tex b/src/practical_settings/mailserver.tex
index 678ee7b..caf704e 100644
--- a/src/practical_settings/mailserver.tex
+++ b/src/practical_settings/mailserver.tex
@@ -51,17 +51,20 @@ mode, because the alternative is plain text transmission.
 \begin{itemize*}
   \item Dovecot 2.1.7, Debian Wheezy (without ``ssl\_prefer\_server\_ciphers'' setting)
   \item Dovecot 2.2.9, Debian Jessie
-  \item 2.0.19apple1 on OS X Server 10.8.5 (without ``ssl\_prefer\_server\_ciphers'' setting)
+  \item 2.0.19apple1 on OS X Server 10.8.5 (without ``ssl\_protocols'' and ``ssl\_prefer\_server\_ciphers'' settings)
 \end{itemize*}
 
 \subsubsection{Settings}
 % Example: http://dovecot.org/list/dovecot/2013-October/092999.html
 
-\configfile{10-ssl.conf}{51-55}{Dovecot SSL configuration}
+\configfile{10-ssl.conf}{48-55}{Dovecot SSL configuration}
 
 \subsubsection{Additional info}
-Dovecot 2.0, 2.1: Almost as good as dovecot 2.2. Dovecot does not ignore unknown configuration parameters. Does not support
-ssl\_prefer\_server\_ciphers
+Dovecot does not ignore unknown configuration parameters.
+
+Dovecot 2.0: Does not support ssl\_protocols and ssl\_prefer\_server\_ciphers.
+
+Dovecot 2.1: Almost as good as dovecot 2.2. Does not support ssl\_prefer\_server\_ciphers.
 
 \subsubsection{Limitations}
 Dovecot currently does not support disabling TLS compression. Furthermore, DH
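Review bot: the new "Dovecot 2.0: Does not support ssl\_protocols" line should state the consequence for the listed config: since unknown parameters are not ignored, a 2.0 installation has to drop the ssl\_protocols line from 10-ssl.conf and therefore does not get the SSLv3 protection this patch adds; one sentence to that effect keeps readers from copying the listing verbatim. Minor: "Almost as good as dovecot 2.2" should capitalise Dovecot like the surrounding text. The widened configfile range 48-55 is consistent with the first hunk's header (`@@ -46,7`), which places `# SSL protocols to use` at line 48.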
-- 
2.1.1