From 06e074bd323ea5637c6b30598e6c3fb562e806a0 Mon Sep 17 00:00:00 2001 From: Joshua Tauberer Date: Wed, 15 Oct 2014 15:32:02 +0000 Subject: [PATCH] disable SSLv3 in dovecot now that it is known to be insecure (POODLE) SSLv3 is already disabled in Postfix (45e93f7dcc18d588fd7725431cbc900befe33f42) and Nginx (51dd2ed70b6309ae6675653f03c2ad865fceb86d). --- CHANGELOG.md | 1 + setup/mail-dovecot.sh | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c7bf261..9aa8405 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ To-be-released Breaking changes: * On-disk backups are now retained for a minimum of 3 days instead of 14. Beyond that the user is responsible for making off-site copies. +* IMAP no longer supports the legacy SSLv3 protocol. SSLv3 is now known to be insecure. I don't believe any modern devices will be affected by this. HTTPS and SMTP submission already had SSLv3 disabled. Control panel: diff --git a/setup/mail-dovecot.sh b/setup/mail-dovecot.sh index c45e2c4..de446d5 100755 --- a/setup/mail-dovecot.sh +++ b/setup/mail-dovecot.sh @@ -43,12 +43,13 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \ disable_plaintext_auth=yes \ "auth_mechanisms=plain login" -# Enable SSL, specify the location of the SSL certificate and private key files, -# and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/. +# Enable SSL, specify the location of the SSL certificate and private key files. +# Disable obsolete SSL protocols and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/. tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ ssl=required \ "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ + "ssl_protocols=!SSLv3 !SSLv2" \ "ssl_cipher_list=TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH" # Disable in-the-clear IMAP and POP because we're paranoid (we haven't even