Thanks for the support, Matthias.
I will try that.
On 01/24/2013 11:15 AM, Matthias Hunstock wrote:
On 24.01.2013 07:26, Theodotos Andreou wrote:
> $ openssl s_client -connect pop.example.com:995
Isn't port 995 assigned to pop3s?
I am using this because we want to exclude unencrypted connections
Yes, it is.
That's the point: we want SSL (TLS actually) only sessions. STARTTLS implies that the connection starts unencrypted and then you request to be encrypted using STARTTLS. This will allow users to use the connection unencrypted if they choose not to use STARTTLS. Right?
We do want this but allow only TLS (not SSLv2 or SSLv3)
Ah ok. So there was a confusion of TLS and STARTTLS. You meant TLS as successor of SSLv3. In my opinion, all options in perdition being named something with "tls" refer to STARTTLS.
To get an idea of our setup. There is a dovecot backend which is configured to accept cleartext connections. We want perdition to accept TLS only connections and talk to dovecot in cleartext. Is this possible?
To forbid SSLv2 and SSLv3 you should have a look at the option
ssl_listen_ciphers and [1]. Alternatively, to be sure, you could change
the used crypto library, e.g. compile it without support for SSLv2/3.
[1] http://www.openssl.org/docs/apps/ciphers.html