• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Question Why is PCI DSS compliant Dovecot configuration setting ssl_prefer_server_ciphers to no?

V

Visnet

Basic Pleskian
After enabling PCI DSS compliance for Dovecot with:
Code: 
# plesk sbin pci_compliance_resolver --enable dovecot

I noticed the following changes from Plesk's default Dovecot setup:
Code: 
# diff -U0 /root/dovecot/conf.d/11-plesk-security-ssl.conf /etc/dovecot/conf.d/11-plesk-security-ssl.conf
--- /root/dovecot/conf.d/11-plesk-security-ssl.conf    2020-06-04 21:15:45.710984674 +0200
+++ /etc/dovecot/conf.d/11-plesk-security-ssl.conf    2020-06-04 21:19:59.490591720 +0200
@@ -1,4 +1,4 @@
-ssl_min_protocol=TLSv1
-ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH
-ssl_prefer_server_ciphers=yes
-ssl_dh=</usr/local/psa/etc/dhparams1024.pem
+ssl_min_protocol=TLSv1.2
+ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20
+ssl_prefer_server_ciphers=no
+ssl_dh=</usr/local/psa/etc/dhparams2048.pem

Dovecot seems to be recommending:
You should usually prefer server ciphers and their order, so setting
Code: 
ssl_prefer_server_ciphers=yes
is recommended.
Click to expand...
See SSL/DovecotConfiguration - Dovecot Wiki

Why is Plesk's PCI DSS resolver tool setting ssl_prefer_server_ciphers to "no"?

Using Plesk Obsidian 18.0.27 for Linux.
 
Hmmm, I noticed the Mozilla SSL Configurator set to an Intermediate configuration is also setting this to "no".

Could someone please explain this setting?
The Dovecot docs don't seem to elaborate on it too much.
 
All cipher suites used in the configuration used by pci_compliance_resolver (as well as Mozilla TLS configurator) are quite strong. From the point of view of security, it makes no sense for the server to prefer any of them. Therefore, the server allows the client to choose from. It makes sense for the client to choose what works faster on the client.
 
You must log in or register to reply here.

Similar threads

J
Issue DEBIAN 12 OPENSSL 3.0 DOVECOT does not allow login
Replies
1
Views
1K
Yaroslav_T
Yaroslav_T
J
Question Dovecot Error: auth-master: userdb list: User listing returned failure
Replies
3
Views
3K
solomongrundy5
S
T
Issue SMTPD No Auth from IP Issue
Replies
2
Views
2K
Tessxr
T
O
Question Nginx compile by Plesk and chipers
Replies
6
Views
3K
IgorG
IgorG
M
Question changed nginx ssl.conf
Replies
2
Views
2K
moswak
M
Back
Top