Dovecot ignores ssl_min_protocol

sergeykam
Posts: 2
Joined: 2021/12/28 22:49:58

Dovecot ignores ssl_min_protocol

Post by sergeykam » 2021/12/28 23:19:23

Hello all,

CentOS Linux release 8.5.2111
Dovecot v2.3.8 (9df20d2db)

I need dovecot to support TLSv1 or TLSv1.1 for POP3s (TCP 995). I've set ssl_min_protocol = TLSv1 in both files:
/etc/dovecot/dovecot.conf
/etc/dovecot/conf.d/10-ssl.conf

But it seems to be ignored. Testing:

# openssl s_client -connect localhost:995 -tls1
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 125 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1640732659
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---


TLSv1.2 and TLSv1.3 work as expected. Config files are:
dovecot.conf:
listen = *,[::]
protocols = imap pop3 lmtp sieve
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_min_protocol = TLSv1
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no
mail_plugins = quota
...


conf.d/10-ssl.conf
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_dh = </etc/dovecot/dh.pem
ssl_min_protocol = TLSv1
ssl_cipher_list = PROFILE=SYSTEM
ssl_prefer_server_ciphers = yes


Where else could this setting be?

Thank you in advance!

/SergeyK

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: Dovecot ignores ssl_min_protocol

Post by pjsr2 » 2021/12/30 11:03:51

TLSv1 is disabled at the system level because it is insecure and deprecated.

I don't understand why you need it for POP3s. Is it because you have extremely old and insecure clients that want to connect to your POP3s server? In that case, you should consider updating those clients.

If you really want to enable TLSv1, have a look at the instructions in https://access.redhat.com/documentation ... ing-rhel-8
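To verify which TLS versions the POP3s listener actually accepts after a policy change, here is an added example (not code from the thread or from Dovecot) that classifies `openssl s_client` output using the failure signature in the original post and loops over the protocol flags; the host name is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Dovecot.
# Classifies an `openssl s_client` transcript as an accepted or rejected
# TLS negotiation, using the failure signature visible in the original
# post ("SSL handshake has read 0 bytes", "Cipher is (NONE)"), and uses
# that to enumerate which TLS versions a POP3s endpoint still accepts.

# tls_probe_verdict: read s_client output on stdin, print "accepted" or
# "rejected". Always returns 0 so it is safe under `set -e`.
tls_probe_verdict() {
    out=$(cat)
    case "$out" in
        *"Cipher is (NONE)"*|*"SSL handshake has read 0 bytes"*)
            echo rejected ;;
        *"alert protocol version"*|*"unsupported protocol"*)
            echo rejected ;;
        *"Cipher is "*)
            echo accepted ;;
        *)
            echo rejected ;;
    esac
}

# probe_versions HOST PORT: one line per TLS version (assumed host/port;
# needs a reachable server, so it is not exercised offline). Expected on a
# CentOS 8 box with the DEFAULT crypto policy: tls1 and tls1_1 rejected,
# tls1_2 and tls1_3 accepted.
probe_versions() {
    host=$1; port=$2
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        verdict=$(openssl s_client -connect "$host:$port" "-$flag" \
                  </dev/null 2>&1 | tls_probe_verdict)
        printf '%-7s %s\n' "$flag" "$verdict"
    done
}

# Constructed sample transcripts (abridged) for an offline check.
SAMPLE_REJECTED='CONNECTED(00000003)
write:errno=0
SSL handshake has read 0 bytes and written 125 bytes
New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPTED='CONNECTED(00000003)
SSL handshake has read 2612 bytes and written 318 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Protocol  : TLSv1.2'

# Usage: probe_versions mail.example.org 995   (hypothetical host)
```

On CentOS 8 the system-wide crypto policy (shown by `update-crypto-policies --show`) sets OpenSSL's minimum protocol, which is why a per-application `ssl_min_protocol = TLSv1` has no visible effect; rerun the probe after any policy change to confirm the listener behaves as intended.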

sergeykam
Posts: 2
Joined: 2021/12/28 22:49:58

Re: Dovecot ignores ssl_min_protocol

Post by sergeykam » 2021/12/31 19:59:26

Thank you very much for your reply!!!

Yes, I have a client which I can't ignore that uses TLSv1.1... Thank you again!
