Disabling SSLv2 on Dovecot v1

Francis asked:

I’m still using Dovecot v1 (1.1.20) on an OS X server. I’m trying to disable SSLv2. It seems like the default config already disables it:

ssl_cipher_list = ALL:!LOW:!SSLv2:!aNULL:!ADH:!eNULL

But when I test my web server with SSL Labs, it complains that my mail server (POP, IMAP) is vulnerable because of the use of SSLv2 (same key). I also tried:

ssl_cipher_list = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

With no more success.

I know, this server needs a major software update.

My answer:

SSLv2 is a protocol, not a cipher. The “SSLv2” in the cipher list represents several ciphers associated with SSLv2, not the protocol itself.

In Dovecot, the undocumented parameter ssl_protocols is used to disable particular protocols:

ssl_protocols = !SSLv2 !SSLv3

This exists in Dovecot v2; but I don’t know if it exists in Dovecot v1.
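To make the cipher-list versus protocol distinction concrete, here is a small checker, added as an example and not code from the question or from the Dovecot project. It parses a Dovecot-style key = value config and reports separately whether ssl_cipher_list merely excludes the SSLv2 cipher group and whether ssl_protocols actually disables the SSLv2 protocol (the ssl_protocols syntax is the one quoted in the answer). The parser, the function names and the sample configs are assumptions constructed for this example.

```python
"""Hypothetical checker (added example): tell "SSLv2 ciphers excluded" apart
from "SSLv2 protocol disabled" in a Dovecot-style configuration."""
from typing import Dict, List


def parse_dovecot_settings(text: str) -> Dict[str, str]:
    """Parse flat `key = value` lines; comments and blank lines are ignored.
    (Dovecot's real config also has nested blocks; this toy parser does not.)"""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def cipher_list_excludes_sslv2(cipher_list: str) -> bool:
    """OpenSSL cipher strings are colon-separated; '!SSLv2' removes the
    cipher *group* historically tied to SSLv2, not the protocol."""
    return "!SSLv2" in cipher_list.split(":")


def protocols_disable(protocols: str, name: str) -> bool:
    """ssl_protocols is space-separated; a '!NAME' token disables NAME."""
    return f"!{name}" in protocols.split()


def assess(config_text: str) -> Dict[str, object]:
    """Return which layer (ciphers vs. protocol) the config actually touches."""
    s = parse_dovecot_settings(config_text)
    cipher_list = s.get("ssl_cipher_list", "")
    protocols = s.get("ssl_protocols", "")
    findings: List[str] = []

    cipher_group_excluded = cipher_list_excludes_sslv2(cipher_list)
    if cipher_group_excluded:
        findings.append("ssl_cipher_list excludes the SSLv2 cipher group "
                        "(ciphers only; the SSLv2 protocol is still offered)")

    protocol_sslv2_disabled = protocols_disable(protocols, "SSLv2")
    protocol_sslv3_disabled = protocols_disable(protocols, "SSLv3")
    if not protocols:
        findings.append("ssl_protocols is not set: nothing disables the "
                        "SSLv2 protocol itself")
    elif protocol_sslv2_disabled:
        findings.append("ssl_protocols disables SSLv2 at the protocol level")
    else:
        findings.append("ssl_protocols is set but does not disable SSLv2")

    return {
        "cipher_group_excluded": cipher_group_excluded,
        "protocol_sslv2_disabled": protocol_sslv2_disabled,
        "protocol_sslv3_disabled": protocol_sslv3_disabled,
        "findings": findings,
    }


# Constructed sample configs: the first mirrors the questioner's attempt,
# the second adds the ssl_protocols line from the answer.
WEAK_CONFIG = """
ssl_cipher_list = ALL:!LOW:!SSLv2:!aNULL:!ADH:!eNULL
"""

FIXED_CONFIG = """
ssl_cipher_list = ALL:!LOW:!SSLv2:!aNULL:!ADH:!eNULL
ssl_protocols = !SSLv2 !SSLv3   # disable the protocols, not just ciphers
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        result = assess(cfg)
        print(f"[{label}]")
        for f in result["findings"]:
            print("  -", f)
```

Run against the two constructed configs, the "weak" one reports only the cipher-group exclusion, which is exactly why an external scanner still sees SSLv2 negotiable; the "fixed" one reports the protocol disabled. Confirm the result with an outside scan after restarting Dovecot, since a config check only shows intent, not what the listener actually negotiates.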

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.