disable SSLv3 in dovecot now that it is known to be insecure (POODLE)

SSLv3 is already disabled in Postfix (45e93f7d) and Nginx (51dd2ed7).

disable SSLv3 in dovecot now that it is known to be insecure (POODLE)
SSLv3 is already disabled in Postfix (45e93f7d) and Nginx (51dd2ed7).
06e074bd · Joshua Tauberer · b5b3fca1 · 06e074bd · 06e074bd
Commit 06e074bd authored Oct 15, 2014 by Joshua Tauberer
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

CHANGELOG.md CHANGELOG.md +1 -0

mail-dovecot.sh setup/mail-dovecot.sh +3 -2

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ To-be-released
 Breaking changes:

 * On-disk backups are now retained for a minimum of 3 days instead of 14. Beyond that the user is responsible for making off-site copies.
+* IMAP no longer supports the legacy SSLv3 protocol. SSLv3 is now known to be insecure. I don't believe any modern devices will be affected by this. HTTPS and SMTP submission already had SSLv3 disabled.

 Control panel:


--- a/setup/mail-dovecot.sh
+++ b/setup/mail-dovecot.sh
@@ -43,12 +43,13 @@ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
 	disable_plaintext_auth=yes \
 	"auth_mechanisms=plain login"

-# Enable SSL, specify the location of the SSL certificate and private key files,
-# and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
+# Enable SSL, specify the location of the SSL certificate and private key files.
+# Disable obsolete SSL protocols and allow only good ciphers per http://baldric.net/2013/12/07/tls-ciphers-in-postfix-and-dovecot/.
 tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 	ssl=required \
 	"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 	"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
+	"ssl_protocols=!SSLv3 !SSLv2" \
 	"ssl_cipher_list=TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH"

 # Disable in-the-clear IMAP and POP because we're paranoid (we haven't even