Linode Forum
https://forum.linode.com/

Disabling SSL3 in courier-imap
https://forum.linode.com/viewtopic.php?f=11&t=11421

Author:  haus [ Sat Nov 15, 2014 12:55 am ]
Post subject:  Disabling SSL3 in courier-imap

I looked up some instructions on disabling ssl3 in courier and found these settings:

IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

But I found that broke squirrelmail (on localhost). So I decided to allow non-encrypted logins only from localhost on port 143 (using https) and TLS1.0 connections on port 993 on the public IP address. The problem was, as long as I had "IMAP_TLS_REQUIRED=1" in my imapd-ssl config, courier required any connections on port 143 to begin with STARTTLS. In the imapd-ssl config file, the instructions say IMAP_TLS_REQUIRED is to force STARTTLS on everyone, not just "TLS". So I wondered if I could leave IMAP_TLS_REQUIRED=NO and rely on the fact that I've disabled SSL3 as a TLS_PROTOCOL. I tried it, and sure enough, when I did:

openssl s_client -connect <myhost>:993 -ssl3

the connection failed because as my server puts it, "Secure renegotiation IS NOT supported". So I think this is working despite the fact that in Outlook 2010, I have to connect using what it calls "SSL" on port 993. I'm guessing that this is the confusion I've been reading about (how mail clients refer to SSL/TLS/STARTTLS in different ways). What Outlook calls TLS (and defaults to port 143) is actually STARTTLS, and what Outlook calls SSL (port 993) can actually be TLS1.0. At least I'm assuming that's the case since my courier imap server listening on port 993 won't accept an SSL3 connection and I'm still able to get mail from Outlook. And I think that whoever created the config changes above saw "IMAP_TLS_REQUIRED" and may have assumed it should be "1" because TLS is now required over SSL when in fact this line only refers to STARTTLS, and not the difference between SSL3 and TLS1.0?

I'm just wondering if this makes sense to anyone still using courier. I did notice that in the dovecot instructions on the same site I looked at, the only configuration change that was made was to disable SSL3, so I think the line to force STARTTLS may not be a requirement to secure courier from POODLE attacks, but I'm not sure.

Sorry, this may be a bit of a ramble; it's late and I've been trying to wrap my head around this for a while.
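As an added example that is not from the original post or from courier-imap itself, here is a small Python checker that applies the distinction the post arrives at: TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL set the protocol floor per listener (the POODLE question), while IMAP_TLS_REQUIRED only decides whether plaintext logins on port 143 are refused. It assumes that courier's value "SSL3" means SSLv3 is still accepted and that "0" or "NO" switch IMAP_TLS_REQUIRED off; the sample config is the one quoted in the post.

```python
import re
# Assumption: courier treats TLS_PROTOCOL="SSL3" as "SSLv3 and newer" (hence the post's TLS1).
SSL3_VALUES = {"SSL3", "SSLV3"}
TLS_REQUIRED_OFF = {"", "0", "NO"}  # values that leave IMAP_TLS_REQUIRED off (post uses 0 and NO)
# Constructed sample: the five settings quoted in the post, one of them quoted courier-style.
POST_CONFIG = """\
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL="TLS1"
TLS_STARTTLS_PROTOCOL=TLS1
"""

def parse_config(text):
    """Parse courier-style KEY=VALUE lines; '#' comments are dropped and quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Z_][A-Z0-9_]*)=(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"').strip("'")
    return settings

def ssl3_disabled(settings):
    """True only if both listeners name a protocol and neither of them is SSL3."""
    return all(settings.get(k, "").upper() not in SSL3_VALUES | {""}
               for k in ("TLS_PROTOCOL", "TLS_STARTTLS_PROTOCOL"))

def starttls_forced(settings):
    """True if IMAP_TLS_REQUIRED forces STARTTLS before login on the plaintext port (143)."""
    return settings.get("IMAP_TLS_REQUIRED", "").upper() not in TLS_REQUIRED_OFF

def audit(settings):
    """One finding per question the post untangles: protocol floor per listener, STARTTLS policy."""
    findings = []
    for key, listener in (("TLS_PROTOCOL", "port 993 (implicit TLS)"),
                          ("TLS_STARTTLS_PROTOCOL", "STARTTLS on port 143")):
        value = settings.get(key)
        if not value:
            findings.append(f"{key} unset: {listener} protocol not explicitly restricted")
        elif value.upper() in SSL3_VALUES:
            findings.append(f"{key}={value}: {listener} still accepts SSLv3 (POODLE)")
        else:
            findings.append(f"{key}={value}: {listener} limited to {value}, SSLv3 refused")
    if starttls_forced(settings):
        findings.append("IMAP_TLS_REQUIRED on: plaintext logins on 143 (e.g. local webmail) refused")
    else:
        findings.append("IMAP_TLS_REQUIRED off: plaintext on 143 allowed; SSLv3 policy unaffected")
    return findings
```

Running `audit(parse_config(open("/etc/courier/imapd-ssl").read()))` on a real file (path is an assumption) prints whether each listener still admits SSLv3 separately from whether STARTTLS is being forced on port 143.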
