• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Question Why is PCI DSS compliant Dovecot configuration setting ssl_prefer_server_ciphers to no?

V

Visnet

Basic Pleskian
After enabling PCI DSS compliance for Dovecot with:
Code: 
# plesk sbin pci_compliance_resolver --enable dovecot

I noticed the following changes from Plesk's default Dovecot setup:
Code: 
# diff -U0 /root/dovecot/conf.d/11-plesk-security-ssl.conf /etc/dovecot/conf.d/11-plesk-security-ssl.conf
--- /root/dovecot/conf.d/11-plesk-security-ssl.conf    2020-06-04 21:15:45.710984674 +0200
+++ /etc/dovecot/conf.d/11-plesk-security-ssl.conf    2020-06-04 21:19:59.490591720 +0200
@@ -1,4 +1,4 @@
-ssl_min_protocol=TLSv1
-ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH
-ssl_prefer_server_ciphers=yes
-ssl_dh=</usr/local/psa/etc/dhparams1024.pem
+ssl_min_protocol=TLSv1.2
+ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20
+ssl_prefer_server_ciphers=no
+ssl_dh=</usr/local/psa/etc/dhparams2048.pem

Dovecot seems to be recommending:
You should usually prefer server ciphers and their order, so setting
Code: 
ssl_prefer_server_ciphers=yes
is recommended.
Click to expand...
See SSL/DovecotConfiguration - Dovecot Wiki

Why is Plesk's PCI DSS resolver tool setting ssl_prefer_server_ciphers to "no"?

Using Plesk Obsidian 18.0.27 for Linux.
 
Hmmm, I noticed the Mozilla SSL Configurator set to an Intermediate configuration is also setting this to "no".

Could someone please explain this setting?
The Dovecot docs don't seem to elaborate on it too much.
 
All cipher suites used in the configuration used by pci_compliance_resolver (as well as Mozilla TLS configurator) are quite strong. From the point of view of security, it makes no sense for the server to prefer any of them. Therefore, the server allows the client to choose from. It makes sense for the client to choose what works faster on the client.
 
You must log in or register to reply here.

Similar threads

J
Issue DEBIAN 12 OPENSSL 3.0 DOVECOT does not allow login
Replies
1
Views
2K
Yaroslav_T
Yaroslav_T
J
Question Dovecot Error: auth-master: userdb list: User listing returned failure
Replies
3
Views
4K
solomongrundy5
S
T
Issue SMTPD No Auth from IP Issue
Replies
2
Views
2K
Tessxr
T
O
Question Nginx compile by Plesk and chipers
Replies
6
Views
3K
IgorG
IgorG
M
Question changed nginx ssl.conf
Replies
2
Views
2K
moswak
M
Back
Top