Cyrus imapd and SSL

I have an IMAP server running on Fedora (cyrus-imapd-2.4.18-1.fc23.i686) configured as follows:

$ cat /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN

userdeny_db: flat

tls_cert_file: /etc/pki/tls/certs/corti.li.crt
tls_key_file: /etc/pki/tls/private/corti.li.key
# Chain
tls_ca_file: /etc/pki/tls/certs/COMODORSA.crt

#tls_cipher_list: HIGH
#tls_cipher_list: TLSv1:SSLv3:!SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH:!ADH
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM

# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13

Everything works perfectly. I am now migrating to CentOS 7 (cyrus-imapd-2.4.17-8.el7_1.x86_64), but with the same configuration the server still accepts connections using SSLv2 and low-grade ciphers.

$ ./testssl.sh --color 0 new.corti.li:993 
[...]
 further IP addresses:   2a01:4f8:c17:3bac::2
 rDNS (138.201.94.195):  static.195.94.201.138.clients.your-server.de.
 Service detected:       IMAP, thus skipping HTTP specific checks

 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) 

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   not offered
 HTTP2/ALPN not offered

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)

I don't see any errors in the logs. Any idea why

    tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM

is being ignored?

EDIT

The same setup on the Fedora machine produces (no SSLv3):

$ ./testssl.sh --color 0 corti.li:993 
[...]
 further IP addresses:   2a01:4f8:d13:f44::2
 rDNS (78.47.122.114):   corti.li.
 Service detected:       IMAP, thus skipping HTTP specific checks

 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   not offered
 HTTP2/ALPN not offered

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)

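An added check (not part of the question or of Cyrus itself) that separates the two things a reader may conflate here: an OpenSSL cipher string such as the `tls_cipher_list` value above only selects cipher suites, while the protocol versions a server will negotiate (SSLv3 vs TLS 1.x) are a separate control. The script asks the OpenSSL that Python is linked against to expand the question's cipher string, exactly as `openssl ciphers -v '<string>'` would, audits the result for weak or anonymous suites, and then shows that the protocol floor has to be set independently of the cipher string. The exact suite list depends on the local OpenSSL version, and `hardened_context`/`protocol_floor` are helper names chosen for this example, not Cyrus or OpenSSL APIs.

```python
"""Cipher string vs. protocol version: two independent TLS controls.

Added example for the Cyrus tls_cipher_list question; uses only the
standard library ssl module and the system OpenSSL.
"""
import ssl

# The tls_cipher_list value from the question's imapd.conf.
CYRUS_CIPHER_LIST = "TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM"


def expand_cipher_list(cipher_string):
    """Expand an OpenSSL cipher string into the suites it actually selects.

    Returns a list of (name, protocol, strength_bits) tuples, in the order
    OpenSSL would offer them (here sorted by @STRENGTH). Raises ssl.SSLError
    if the string matches no suite at all, which is what a bad string looks
    like to the daemon that loads it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def audit_cipher_list(cipher_string, min_bits=128):
    """Return human-readable findings for suites that are weak or anonymous.

    An empty list means every selected suite has at least min_bits of
    strength and an authenticated key exchange; it says nothing about
    which protocol versions the server will accept.
    """
    findings = []
    for name, proto, bits in expand_cipher_list(cipher_string):
        if bits < min_bits:
            findings.append(f"{name} ({proto}): only {bits}-bit strength")
        if "ADH" in name or "AECDH" in name:
            findings.append(f"{name}: anonymous key exchange (no server authentication)")
    return findings


def hardened_context(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Build a server context that applies the cipher string AND a protocol floor.

    The protocol floor is the part a cipher string cannot express: SSLv3 and
    TLS 1.0 share the same cipher suites, so a suite filter alone never turns
    SSLv3 off. The floor is enforced by minimum_version (and, in older
    Python/OpenSSL, the OP_NO_SSLv3 option bit).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    ctx.minimum_version = minimum
    return ctx


def protocol_floor(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def sslv3_disabled(ctx):
    """True if the context will refuse SSLv3, by option bit or by version floor."""
    return bool(ctx.options & ssl.OP_NO_SSLv3) or ctx.minimum_version >= ssl.TLSVersion.TLSv1


if __name__ == "__main__":
    print(f"Suites selected by {CYRUS_CIPHER_LIST!r} on {ssl.OPENSSL_VERSION}:")
    for name, proto, bits in expand_cipher_list(CYRUS_CIPHER_LIST):
        print(f"  {name:<32} {proto:<12} {bits} bits")
    print("Findings:", audit_cipher_list(CYRUS_CIPHER_LIST) or "none")
    ctx = hardened_context(CYRUS_CIPHER_LIST)
    print("Protocol floor:", protocol_floor(ctx), "| SSLv3 disabled:", sslv3_disabled(ctx))
```

Run it on both machines and compare: if the expanded suite list is clean on both (as the "Testing ~standard cipher lists" sections above suggest) but one host still offers SSLv3, the difference is in what the daemon or its OpenSSL build does about protocol versions, not in the cipher string. Cyrus 2.4 has no protocol-version option in `imapd.conf`, so on that release the answer lies in how the package's OpenSSL was built or patched rather than in the configuration.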