From theodotos.andreou@cut.ac.cy Thu Jan 24 20:55:18 2013
From: Theodotos Andreou
To: perdition-users@vergenet.net
Subject: Re: [PERDITION-USERS] tls_listen does not work MQID:02322413
Date: Thu, 24 Jan 2013 11:45:15 +0200
Message-ID: <510102AB.5020307@cut.ac.cy>
In-Reply-To: <5100FBA3.9030106@tu-ilmenau.de>

Thanks for the support, Matthias. I will try that.

On 01/24/2013 11:15 AM, Matthias Hunstock wrote:
> On 24.01.2013 07:26, Theodotos Andreou wrote:
>
>>>> $ openssl s_client -connect pop.example.com:995
>> Isn't port 995 assigned to pop3s? I am using this because we want to
>> exclude unencrypted connections
> Yes, it is.
>
>> That's the point we want SSL (TLS actually) only sessions. STARTTLS
>> implies that the connection starts unencrypted and then you request to be
>> encrypted using STARTTLS. This will allow users to use the connection
>> unencrypted if they choose not to use STARTTLS. Right?
>> We do want this but allow only TLS (not SSLv2 or SSLv3)
> Ah ok. So there was a confusion of TLS and STARTTLS. You meant TLS as
> successor of SSLv3. In my opinion, all options in perdition being named
> something with "tls" refer to STARTTLS.
>
>> To get an idea of our setup. There is a dovecot backend which is
>> configured to accept cleartext connections. We want perdition to accept
>> TLS only connections and talk to dovecot in cleartext. Is this possible?
>
> To forbid SSLv2 and SSLv3 you should have a look at the option
> ssl_listen_ciphers and [1]. Alternatively, to be sure, you could change
> the used crypto library, e.g. compile it without support for SSLv2/3.
>
> [1] http://www.openssl.org/docs/apps/ciphers.html
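An added example, not code from this thread or from the perdition project: it shows with Python's standard `ssl` module the two separate knobs behind the advice above, a protocol floor that shuts out SSLv2/SSLv3 on the listening side, and a cipher string in the OpenSSL syntax of [1] that drops the SSLv3-era suites, together with a small audit of what the resulting context actually offers. The cipher string, the TLS 1.2 floor (rather than the TLS 1.0 that "TLS only" meant in 2013) and the function names are assumptions chosen for illustration.

```python
"""
Added example (not from the perdition thread or project): build a
server-side TLS context that refuses SSLv2/SSLv3 and check its cipher
list for SSLv3-era suites, using only the Python standard library.
The policy values below are assumptions chosen for illustration.
"""
import ssl

# Assumed cipher string in OpenSSL "ciphers" syntax (see [1] in the thread):
# strong suites only, no anonymous or NULL suites, and explicitly drop the
# suites that date from SSLv3 (the "!SSLv3" keyword acts on suites, not on
# the protocol version, which is why a separate version floor is set below).
TLS_ONLY_CIPHERS = "HIGH:!aNULL:!eNULL:!SSLv3"


def build_tls_only_server_context(ciphers: str = TLS_ONLY_CIPHERS) -> ssl.SSLContext:
    """Return a server context that negotiates TLS 1.2 or newer only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Protocol floor: this is what really excludes SSLv2/SSLv3 (and, with
    # this value, TLS 1.0/1.1 as well) at handshake time.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher list on top of the protocol floor; set_ciphers() raises
    # ssl.SSLError if the string leaves no usable suite at all.
    ctx.set_ciphers(ciphers)
    return ctx


def legacy_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that OpenSSL tags as SSLv3-era ("protocol" field)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "SSLv3"]


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise a context as a dict a caller can log or assert on."""
    return {
        "min_version": ctx.minimum_version.name,
        "suite_count": len(ctx.get_ciphers()),
        "legacy_suites": legacy_suites(ctx),
    }


if __name__ == "__main__":
    # Contrast: a permissive cipher string with no floor keeps SSLv3-era suites
    # in the offer (whether any are listed depends on the local OpenSSL build).
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    loose.set_ciphers("ALL:!aNULL:!eNULL")
    print("permissive:", audit(loose))
    print("tls-only:  ", audit(build_tls_only_server_context()))
```

The audit is the check to keep around: after changing a cipher string, confirm that the suite count is still non-zero (an over-restrictive string silently breaks every client) and that no SSLv3-era suite survived.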