I’m still using Dovecot v1 (1.1.20) on an osx server. I’m trying to disable SSLv2. Seem like the default config already disabled it:
ssl_cipher_list = ALL:!LOW:!SSLv2:!aNULL:!ADH:!eNULL
But when I test my web server with ssllabs, it complaints my mail server (pop, imap) is vulnerable because of the use of SSLv2 (same key). I also tried:
ssl_cipher_list = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
With no more success.
I know, this server need major software update.
SSLv2 is a protocol, not a cipher. The “SSLv2” in the cipher list represents several ciphers associated with SSLv2, not the protocol itself.
In dovecot, the undocumented parameter
ssl_protocols is used to disable particular protocols:
ssl_protocols = !SSLv2 !SSLv3
This exists in Dovecot v2; but I don’t know if it exists in Dovecot v1.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.