Disabling SSL3 in courier-imap

I looked up some instructions on disabling ssl3 in courier and found these settings:

IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAPTLSREQUIRED=1
TLS_PROTOCOL=TLS1
TLSSTARTTLSPROTOCOL=TLS1

But I found that broke squirrelmail (on localhost). So I decided to allow non-encrypted logins only from localhost on port 143 (using https) and TLS1.0 connections on port 993 on the public IP address. The problem was, as long as I had "IMAPTLSREQUIRED=1" in my imapd-ssl config, courier required any connections on port 143 to begin with STARTTLS. In the imapd-ssl config file, the instructions say IMAPTLSREQUIRED is to force STARTTLS on everyone, not just "TLS". So I wondered if I could leave IMAPTLSREQUIRED=NO and rely on the fact that I've disabled SSL3 as a TLS_PROTOCOL. I tried it, and sure enough, when I did:

openssl s_client -connect :993 -ssl3

the connection failed because, as my server puts it, "Secure renegotiation IS NOT supported". So I think this is working despite the fact that in Outlook 2010, I have to connect using what it calls "SSL" on port 993. I'm guessing that this is the confusion I've been reading about (how mail clients refer to SSL/TLS/STARTTLS in different ways). What Outlook calls TLS (and defaults to port 143) is actually STARTTLS, and what Outlook calls SSL (port 993) can actually be TLS1.0. At least I'm assuming that's the case since my courier imap server listening on port 993 won't accept an SSL3 connection and I'm still able to get mail from Outlook. And I think that whoever created the config changes above saw "IMAPTLSREQUIRED" and may have assumed it should be "1" because TLS is now required over SSL, when in fact this line only refers to STARTTLS, and not the difference between SSL3 and TLS1.0?

I'm just wondering if this makes sense to anyone still using courier. I did notice that in the dovecot instructions on the same site I looked at, the only configuration change that was made was to disable SSL3, so I think the line to force STARTTLS may not be a requirement to secure courier from POODLE attacks, but I'm not sure.

Sorry, this may be a bit of a ramble; it's late and I've been trying to wrap my head around this for a while.
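The openssl s_client probe the post describes, as an added example that is not part of the original post: a small POSIX sh script that runs s_client against a host and port with a given protocol switch, classifies the captured output (a completed handshake prints a negotiated cipher, a refused protocol prints "Cipher is (NONE)" together with lines such as "Secure Renegotiation IS NOT supported"), and then checks the two things a POODLE hardening change has to satisfy at once: SSLv3 is refused and at least one TLS version is still accepted. The host name imap.example.com is a placeholder. One caveat the script handles explicitly: an OpenSSL build compiled without SSLv3 support (most current builds) rejects the -ssl3 switch itself with an "unknown option" error, which must not be mistaken for the server refusing SSLv3, so that case is reported as untestable rather than as a pass.

```shell
#!/bin/sh
# Added example (not from the original post or the Courier project).
# Probe an IMAPS/IMAP-STARTTLS port with openssl s_client and verify
# that SSLv3 is refused while TLS still works.

# classify_output OUTPUT
# Prints one word for a captured s_client transcript:
#   accepted   - handshake completed, a cipher was negotiated
#   rejected   - server refused the protocol ("Cipher is (NONE)")
#   untestable - the local openssl does not support the switch at all
classify_output() {
    out=$1
    # An openssl built without SSLv3 cannot test it; do not count that as a pass.
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo untestable
        return 0
    fi
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo rejected
        return 0
    fi
    if printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo accepted
        return 0
    fi
    # No handshake summary at all (connection refused, timeout, empty output).
    echo rejected
}

# probe_protocol HOST PORT FLAG
# FLAG is an s_client protocol switch such as -ssl3, -tls1, -tls1_1, -tls1_2.
# Prints the verdict and returns 0 only when the protocol was accepted.
probe_protocol() {
    host=$1
    port=$2
    flag=$3
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
    verdict=$(classify_output "$out")
    printf '%s:%s %s %s\n' "$host" "$port" "$flag" "$verdict"
    [ "$verdict" = accepted ]
}

# verify_hardening HOST PORT
# The check to run after changing TLS_PROTOCOL: SSLv3 must be refused,
# and some TLS version must still be accepted, otherwise the change
# either did not take effect or broke the service for every client.
verify_hardening() {
    host=$1
    port=$2
    ssl3_out=$(openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1)
    case $(classify_output "$ssl3_out") in
        accepted)
            echo "FAIL: SSLv3 still accepted on $host:$port"
            return 1 ;;
        untestable)
            echo "UNKNOWN: local openssl has no SSLv3 support; test from an older build or a TLS scanner"
            return 2 ;;
    esac
    for f in -tls1_2 -tls1_1 -tls1; do
        if probe_protocol "$host" "$port" "$f"; then
            echo "OK: SSLv3 refused, $f accepted on $host:$port"
            return 0
        fi
    done
    echo "FAIL: SSLv3 refused but no TLS version accepted on $host:$port (service broken?)"
    return 1
}

# Usage: sh probe.sh imap.example.com 993
if [ "$#" -ge 2 ]; then
    verify_hardening "$1" "$2"
fi
```

Run it against the 993 listener after a restart; the exit code (0 ok, 1 fail, 2 untestable) makes it usable from a cron job or a deployment check. Note that this only verifies the implicit-TLS port; a STARTTLS listener on 143 would need s_client's -starttls imap switch in the same probe.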
