Skip to content
Snippets Groups Projects
Commit 4189017a authored by Thom's avatar Thom :tools:
Browse files

Add ssl_protocols for backwards compatibility (#5423)

parent 7164c059
No related branches found
No related tags found
1 merge request!1092Update SSL params (#5423)
Hide whitespace changes
Inline Side-by-side
install/tpl/debian6_dovecot2.conf.master
+ 1
0
View file @ 4189017a
......@@ -7,6 +7,7 @@ mail_privileged_group = vmail
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_dh = </etc/dovecot/dh.pem
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no
......
  • ms217 @ms217 ·
    Contributor

    I'm not sure if I made myself clear enough but this config (because of the ssl_min_protocol param) will not work on any system if the Dovecot version is < 2.3.

    I'm not really into Debian but by judging a quick Google search this config will only work on Stretch if stretch-backports is enabled or when it is a newer Debian version than Stretch. Anything older than Stretch won't work with this config at least by default. EL6 and EL7 is also affected by that, as well as Ubuntu (< Eoan).

    Possible solutions:
    Stay at ssl_protocols because Dovecot 2.3 will convert ssl_protocols into ssl_min_protocol automatically.
    An alternative solution would be to implement some kind of Dovecot version detection and set ssl_min_protocol or ssl_protocols when appropriate.

  • Thom :tools: @thom ·
    Author Developer

    This was already in the config, I just changed the protocols.

  • ms217 @ms217 ·
    Contributor

    Well, then it seems that no one is using an older distribution or the server admin removed this line themself, or almost everyone is running Dovecot 2.3 which would explain why no one ran into this incompatiblity.

    Either way, as I mentioned, ssl_protocols AND ssl_min_protocol are redundant on systems running Dovecot 2.3, while ssl_min_protocol will not let the Dovecot daemon start if it is Dovecot 2.2.

  • Thom :tools: @thom ·
    Author Developer

    @tbrehm what do you think?

  • Till Brehm @tbrehm ·
    Owner

    If I remember correctly, the installer removes the line automatically from the template before writing it, based on the dovecot version, so it should be fine as it is now.

  • ms217 @ms217 ·
    Contributor

    Alright, that explains why no one ran into compatibility issues when this parameter gets removed by the installer.

0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment