Disabling SSLv2 on Dovecot v1

Question

I'm still using Dovecot v1 (1.1.20) on an osx server. I'm trying to disable SSLv2. Seem like the default config already disabled it:

ssl_cipher_list = ALL:!LOW:!SSLv2:!aNULL:!ADH:!eNULL

But when I test my web server with ssllabs, it complaints my mail server (pop, imap) is vulnerable because of the use of SSLv2 (same key). I also tried:

ssl_cipher_list = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

With no more success.

I know, this server need major software update.

score 2 · Accepted Answer · answered Mar 07 '16 at 15:52

2

SSLv2 is a protocol, not a cipher. The "SSLv2" in the cipher list represents several ciphers associated with SSLv2, not the protocol itself.

In dovecot, the undocumented parameter ssl_protocols is used to disable particular protocols:

ssl_protocols = !SSLv2 !SSLv3

This exists in Dovecot v2; but I don't know if it exists in Dovecot v1.

answered Mar 07 '16 at 15:52

Michael Hampton

244,070
43
506
972

This parameter doesn't exist in Dovecot v1. – Francis Mar 07 '16 at 15:55
I think you're out of luck, then. – Michael Hampton Mar 07 '16 at 16:10
I think you are right. Short term fix is to use a dedicated ssl certificate to avoid drown contamination of others servers. – Francis Mar 08 '16 at 15:37

Disabling SSLv2 on Dovecot v1

1 Answers1