On 24.01.2013 07:26, Theodotos Andreou wrote:
> $ openssl s_client -connect pop.example.com:995
> Isn't port 995 assigned to pop3s? I am using this because we want to
> exclude unencrypted connections
> Yes, it is.
> That's the point, we want SSL (TLS actually) only sessions. STARTTLS
> implies that the connection starts unencrypted and then you request to be
> encrypted using STARTTLS. This will allow users to use the connection
> unencrypted if they choose not to use STARTTLS. Right?
> We do want this but allow only TLS (not SSLv2 or SSLv3)
Ah ok. So there was a confusion of TLS and STARTTLS. You meant TLS as the
successor of SSLv3. In my opinion, all perdition options with "tls" in
their name refer to STARTTLS.
> To get an idea of our setup. There is a dovecot backend which is
> configured to accept cleartext connections. We want perdition to accept
> TLS only connections and talk to dovecot in cleartext. Is this possible?
To forbid SSLv2 and SSLv3 you should have a look at the option
ssl_listen_ciphers and [1]. Alternatively, to be sure, you could change
the crypto library used, e.g. compile it without support for SSLv2/3.

[1] http://www.openssl.org/docs/apps/ciphers.html
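Whichever route is taken (cipher string or a rebuilt library), the check an administrator wants afterwards is to confirm from the outside that the listener on port 995 no longer completes an SSLv2 or SSLv3 handshake. The script below is an added example for this thread, not code from perdition or from either poster: it probes a host one protocol version at a time with openssl s_client and classifies the result of each handshake. It assumes an OpenSSL command-line build that still accepts the -ssl2/-ssl3 flags (newer builds have removed them, which the script reports as "untestable" rather than as a rejection). The host and port are the ones from the thread, used here only as placeholders.

```shell
#!/bin/sh
# Probe which SSL/TLS protocol versions a POP3S listener will negotiate.
# Added example; not part of perdition. Assumes openssl s_client with
# per-version flags (-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2).

# classify_handshake: reads s_client output on stdin and prints one of
# "accepted", "rejected" or "untestable" (flag unknown to this openssl build).
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        # This openssl build cannot even offer the version; say so explicitly.
        echo untestable
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        # No cipher negotiated: the server refused this protocol version.
        echo rejected
    elif printf '%s\n' "$out" | grep -qiE 'handshake failure|wrong version|unsupported protocol'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -qE '^ *Protocol *: *(SSLv2|SSLv3|TLSv1(\.[0-9])?)'; then
        # A negotiated protocol line in the SSL-Session block means success.
        echo accepted
    else
        echo rejected
    fi
}

# probe HOST PORT: try each version flag and print flag and verdict per line.
# A correctly restricted listener shows "rejected" for -ssl2 and -ssl3.
probe() {
    host=$1
    port=$2
    for flag in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2; do
        result=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 | classify_handshake)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

# Usage: sh check_pop3s.sh pop.example.com 995
if [ "$#" -eq 2 ]; then
    probe "$1" "$2"
fi
```

One caveat worth keeping in mind when reading [1]: keywords such as SSLv3 or TLSv1.2 in an OpenSSL cipher string select cipher suites by the protocol version that introduced them, and most of those suites are shared by TLS 1.0 through 1.2, so a cipher string on its own does not pin the negotiated protocol version. The handshake result seen by this probe is the reliable indicator.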