The IMAP server running on Fedora (cyrus-imapd-2.4.18-1.fc23.i686) is configured as follows:
$ cat /etc/imapd.conf
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
userdeny_db: flat
tls_cert_file: /etc/pki/tls/certs/corti.li.crt
tls_key_file: /etc/pki/tls/private/corti.li.key
# Chain
tls_ca_file: /etc/pki/tls/certs/COMODORSA.crt
#tls_cipher_list: HIGH
#tls_cipher_list: TLSv1:SSLv3:!SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH:!ADH
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM
# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13
Everything is perfect. I am now migrating to CentOS 7 (cyrus-imapd-2.4.17-8.el7_1.x86_64), but with the same configuration the server still accepts connections with SSLv2 and low-grade ciphers:
$ ./testssl.sh --color 0 new.corti.li:993
[...]
further IP addresses: 2a01:4f8:c17:3bac::2
rDNS (138.201.94.195): static.195.94.201.138.clients.your-server.de.
Service detected: IMAP, thus skipping HTTP specific checks
Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
SSLv2 not offered (OK)
SSLv3 offered (NOT ok)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY/NPN not offered
HTTP2/ALPN not offered
Testing ~standard cipher lists
Null Ciphers not offered (OK)
Anonymous NULL Ciphers not offered (OK)
Anonymous DH Ciphers not offered (OK)
40 Bit encryption not offered (OK)
56 Bit encryption not offered (OK)
Export Ciphers (general) not offered (OK)
Low (<=64 Bit) not offered (OK)
DES Ciphers not offered (OK)
Medium grade encryption not offered (OK)
Triple DES Ciphers offered
High grade encryption offered (OK)
No errors appear in the logs. Does anyone know why? Is
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH:!MEDIUM
being ignored?
EDIT
The same configuration on the Fedora system produces the following, without SSLv3:
$ ./testssl.sh --color 0 corti.li:993
[...]
further IP addresses: 2a01:4f8:d13:f44::2
rDNS (78.47.122.114): corti.li.
Service detected: IMAP, thus skipping HTTP specific checks
Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2)
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY/NPN not offered
HTTP2/ALPN not offered
Testing ~standard cipher lists
Null Ciphers not offered (OK)
Anonymous NULL Ciphers not offered (OK)
Anonymous DH Ciphers not offered (OK)
40 Bit encryption not offered (OK)
56 Bit encryption not offered (OK)
Export Ciphers (general) not offered (OK)
Low (<=64 Bit) not offered (OK)
DES Ciphers not offered (OK)
Medium grade encryption not offered (OK)
Triple DES Ciphers offered
High grade encryption offered (OK)
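The comparison the post makes by eye, as an added example that is not part of the original question or of cyrus-imapd: tls_cipher_list is handed to OpenSSL as a cipher string, and a cipher string selects cipher suites, not protocol versions, so an external scan like the two testssl.sh runs above is the right way to verify what a listener actually offers. The script below parses the "offered / not offered" summary lines of such a scan and reports which weak items a migrated host offers that the reference host did not. The two scan excerpts are copied from the post and embedded as constants so the check runs offline; the WEAK_ITEMS policy is this example's own choice (it flags Triple DES explicitly because this testssl.sh version prints that line without an OK / NOT ok verdict).

```python
"""Parse testssl.sh summary lines and flag TLS regressions between two hosts.

Added example, not code from the original post or from cyrus-imapd.
The scan excerpts are copied from the post; WEAK_ITEMS is this
example's own policy, not a testssl.sh feature.
"""
import re
from typing import Dict, Set

# Excerpt of the CentOS 7 scan from the post (new.corti.li:993).
CENTOS_SCAN = """\
SSLv2 not offered (OK)
SSLv3 offered (NOT ok)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
Null Ciphers not offered (OK)
Anonymous NULL Ciphers not offered (OK)
Anonymous DH Ciphers not offered (OK)
40 Bit encryption not offered (OK)
56 Bit encryption not offered (OK)
Export Ciphers (general) not offered (OK)
Low (<=64 Bit) not offered (OK)
DES Ciphers not offered (OK)
Medium grade encryption not offered (OK)
Triple DES Ciphers offered
High grade encryption offered (OK)
"""

# Excerpt of the Fedora scan from the post (corti.li:993).
FEDORA_SCAN = """\
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
Null Ciphers not offered (OK)
Anonymous NULL Ciphers not offered (OK)
Anonymous DH Ciphers not offered (OK)
40 Bit encryption not offered (OK)
56 Bit encryption not offered (OK)
Export Ciphers (general) not offered (OK)
Low (<=64 Bit) not offered (OK)
DES Ciphers not offered (OK)
Medium grade encryption not offered (OK)
Triple DES Ciphers offered
High grade encryption offered (OK)
"""

# Items that must be "not offered" on a hardened IMAPS listener (example policy).
WEAK_ITEMS = {
    "SSLv2", "SSLv3",
    "Null Ciphers", "Anonymous NULL Ciphers", "Anonymous DH Ciphers",
    "40 Bit encryption", "56 Bit encryption", "Export Ciphers (general)",
    "Low (<=64 Bit)", "DES Ciphers", "Medium grade encryption",
    "Triple DES Ciphers",
}

# "<item> offered" or "<item> not offered", with an optional "(OK)" / "(NOT ok)" verdict.
_LINE = re.compile(
    r"^\s*(?P<item>.+?)\s+(?P<neg>not\s+)?offered(\s+\((?:NOT ok|OK)\))?\s*$"
)


def parse_testssl(text: str) -> Dict[str, bool]:
    """Map each summary item to True (offered) or False (not offered)."""
    result: Dict[str, bool] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            result[m.group("item")] = m.group("neg") is None
    return result


def weak_offered(scan: Dict[str, bool]) -> Set[str]:
    """Weak items the scanned host offers."""
    return {item for item, offered in scan.items() if offered and item in WEAK_ITEMS}


def regressions(before: Dict[str, bool], after: Dict[str, bool]) -> Set[str]:
    """Weak items offered by the new host that the reference host did not offer."""
    return weak_offered(after) - weak_offered(before)


if __name__ == "__main__":
    fedora, centos = parse_testssl(FEDORA_SCAN), parse_testssl(CENTOS_SCAN)
    print("weak on Fedora :", sorted(weak_offered(fedora)))
    print("weak on CentOS :", sorted(weak_offered(centos)))
    print("regressions    :", sorted(regressions(fedora, centos)))
```

Run against the two excerpts it reports SSLv3 as the one regression introduced by the migration, while Triple DES shows up on both hosts and so is a pre-existing weakness of the cipher list rather than something the move to CentOS 7 changed.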