On 01/15/2015 10:04 AM, Wolfgang Breyha wrote: > Maybe > https://bettercrypto.org/ > is of help. > Thanks for both writing and sharing that document. Unfortunately it only has this to say about cyrus-imap: ------------------------------------------------- Limiting the ciphers provided may force (especially older) clients to connect without encryption at all! Sticking to the defaults is recommended If you still want to force strong encryption use tls_cipher_list: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+\ aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!\ eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-\ SHA:CAMELLIA128-SHA:AES128-SHA ------------------------------------------------- OK, but then what is the default? The imapd.conf man page only tells us this: tls_cipher_list: DEFAULT I guess my real concern is recent SSL exploits. Maybe if I'm only using STARTTLS this isn't a worry anyway? ---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
