• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Question Why is PCI DSS compliant Dovecot configuration setting ssl_prefer_server_ciphers to no?

V

Visnet

Basic Pleskian
After enabling PCI DSS compliance for Dovecot with:
Code: 
# plesk sbin pci_compliance_resolver --enable dovecot

I noticed the following changes from Plesk's default Dovecot setup:
Code: 
# diff -U0 /root/dovecot/conf.d/11-plesk-security-ssl.conf /etc/dovecot/conf.d/11-plesk-security-ssl.conf
--- /root/dovecot/conf.d/11-plesk-security-ssl.conf    2020-06-04 21:15:45.710984674 +0200
+++ /etc/dovecot/conf.d/11-plesk-security-ssl.conf    2020-06-04 21:19:59.490591720 +0200
@@ -1,4 +1,4 @@
-ssl_min_protocol=TLSv1
-ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH
-ssl_prefer_server_ciphers=yes
-ssl_dh=</usr/local/psa/etc/dhparams1024.pem
+ssl_min_protocol=TLSv1.2
+ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20
+ssl_prefer_server_ciphers=no
+ssl_dh=</usr/local/psa/etc/dhparams2048.pem

Dovecot seems to be recommending:
You should usually prefer server ciphers and their order, so setting
Code: 
ssl_prefer_server_ciphers=yes
is recommended.
Click to expand...
See SSL/DovecotConfiguration - Dovecot Wiki

Why is Plesk's PCI DSS resolver tool setting ssl_prefer_server_ciphers to "no"?

Using Plesk Obsidian 18.0.27 for Linux.
 
Hmmm, I noticed the Mozilla SSL Configurator set to an Intermediate configuration is also setting this to "no".

Could someone please explain this setting?
The Dovecot docs don't seem to elaborate on it too much.
 
All cipher suites used in the configuration used by pci_compliance_resolver (as well as Mozilla TLS configurator) are quite strong. From the point of view of security, it makes no sense for the server to prefer any of them. Therefore, the server allows the client to choose from. It makes sense for the client to choose what works faster on the client.
 
You must log in or register to reply here.

Similar threads

J
Question Dovecot Error: auth-master: userdb list: User listing returned failure
Replies
2
Views
2K
Jadek
J
T
Issue SMTPD No Auth from IP Issue
Replies
2
Views
1K
Tessxr
T
O
Question Nginx compile by Plesk and chipers
Replies
6
Views
1K
IgorG
IgorG
M
Question changed nginx ssl.conf
Replies
2
Views
974
moswak
M
Y
Issue Nginx disable tls v1.0
Replies
1
Views
1K
Bitpalast
Bitpalast
Back
Top