• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question Why is PCI DSS compliant Dovecot configuration setting ssl_prefer_server_ciphers to no?

V

Visnet

Basic Pleskian
After enabling PCI DSS compliance for Dovecot with:
Code: 
# plesk sbin pci_compliance_resolver --enable dovecot

I noticed the following changes from Plesk's default Dovecot setup:
Code: 
# diff -U0 /root/dovecot/conf.d/11-plesk-security-ssl.conf /etc/dovecot/conf.d/11-plesk-security-ssl.conf
--- /root/dovecot/conf.d/11-plesk-security-ssl.conf    2020-06-04 21:15:45.710984674 +0200
+++ /etc/dovecot/conf.d/11-plesk-security-ssl.conf    2020-06-04 21:19:59.490591720 +0200
@@ -1,4 +1,4 @@
-ssl_min_protocol=TLSv1
-ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH
-ssl_prefer_server_ciphers=yes
-ssl_dh=</usr/local/psa/etc/dhparams1024.pem
+ssl_min_protocol=TLSv1.2
+ssl_cipher_list=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20
+ssl_prefer_server_ciphers=no
+ssl_dh=</usr/local/psa/etc/dhparams2048.pem

Dovecot seems to be recommending:
You should usually prefer server ciphers and their order, so setting
Code: 
ssl_prefer_server_ciphers=yes
is recommended.
Click to expand...
See SSL/DovecotConfiguration - Dovecot Wiki

Why is Plesk's PCI DSS resolver tool setting ssl_prefer_server_ciphers to "no"?

Using Plesk Obsidian 18.0.27 for Linux.
 
Hmmm, I noticed the Mozilla SSL Configurator set to an Intermediate configuration is also setting this to "no".

Could someone please explain this setting?
The Dovecot docs don't seem to elaborate on it too much.
 
All cipher suites used in the configuration used by pci_compliance_resolver (as well as Mozilla TLS configurator) are quite strong. From the point of view of security, it makes no sense for the server to prefer any of them. Therefore, the server allows the client to choose from. It makes sense for the client to choose what works faster on the client.
 
You must log in or register to reply here.

Similar threads

J
Issue DEBIAN 12 OPENSSL 3.0 DOVECOT does not allow login
Replies
1
Views
1K
Yaroslav_T
Yaroslav_T
J
Question Dovecot Error: auth-master: userdb list: User listing returned failure
Replies
3
Views
3K
solomongrundy5
S
T
Issue SMTPD No Auth from IP Issue
Replies
2
Views
2K
Tessxr
T
O
Question Nginx compile by Plesk and chipers
Replies
6
Views
2K
IgorG
IgorG
M
Question changed nginx ssl.conf
Replies
2
Views
1K
moswak
M
Back
Top