Supported dovecot ciphers

[chrisch-hh]

I'm running Mailu 1.5. Some of my customers with older mail clients have problems syncing mails via IMAP. In the logs I'm getting SSL: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number, so I guess there must be a problem with the SSL/TLS handshake. I checked which ciphers dovecot offers:

nmap --script ssl-enum-ciphers -p 143 mail.myserver.de

PORT    STATE SERVICE
143/tcp open  imap
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

It seems that dovecot only support TLSv1.2 with these three ciphers and I guess that the older mail clients don't accept TLSv1.2 and/or these ciphers.

Is there a way to support more (older) ciphers?

[ofthesun9]

You can adapt the tls.conf to your needs and mount it in the nginx service at /conf/tls.conf
See #363 (I have provided an example working for me)
Of course, you need to accept to lower your security standards to go to TLSv1 or v1.1...

[chrisch-hh]

Thanks for the hint, enabling TLSv1 does the trick.

My mistake was trying to change the TLS config in the dovecot container and not in the nginx container.

Well, I guess I should convince my customers to use modern mail clients...