
I'm attempting to disable SSLv2 support (amongst other things) in Courier on Linux. In /etc/courier/imapd-ssl I have:

TLS_CIPHER_LIST="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:!ADH:@STRENGTH:!3DES"
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

This works nicely on imaps (993/tcp):

# openssl s_client -connect localhost:995 -ssl2
CONNECTED(00000003)
write:errno=104

But for STARTTLS on 143/tcp it still seems to allow SSLv2:

openssl s_client -connect localhost:143 -starttls imap -ssl2
CONNECTED(00000003)

By contrast:

openssl s_client -connect localhost:143 -starttls imap -ssl3
CONNECTED(00000003)
140692334688072:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 549 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : SSLv3
Cipher    : 0000
Session-ID: 
Session-ID-ctx: 
Master-Key: 
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1492550234
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---

So it looks to me as if SSLv2 is still enabled when using STARTTLS on 143.

Ian480
  • 31

2 Answers


Since SSLv2 and SSLv3 have been obsolete for years and TLS is the successor, nowadays you probably want to disable TLS 1.0 and TLS 1.1 in courier. Don't set the TLS_CIPHER_LIST! The default will be fine; it will take the settings from your openssl settings.

In /etc/courier/imapd-ssl set

TLS_PROTOCOL="TLSv1.2"

This will allow TLS 1.2 or newer (TLS 1.3 is out)

Whether TLSv1.2 works depends on whether your openssl library is recent enough to support TLS1.2

To check if it worked, see the result of

openssl s_client -tls1_1 -connect mail.example.org:993
rubo77
  • 2,537
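The question judges the -ssl2 attempt by the CONNECTED line, and the answer above suggests a single openssl s_client run as the check. The following script is an added example (not code from the question, either answer, or the Courier project) that runs the same kind of s_client probe against the STARTTLS endpoint on 143/tcp for every protocol version flag and classifies each attempt by the negotiated cipher: CONNECTED(...) only reports that the TCP socket opened, while a completed handshake shows a real cipher on the "New, ..., Cipher is ..." line and a refused version shows "Cipher is (NONE)" or no such line at all. PROBE_HOST and PROBE_PORT are assumed environment variable names; the embedded sample outputs are constructed (the refused one adapted from the question's -ssl3 output) so the classifier can be exercised without a server.

```shell
#!/bin/sh
# Added example, not part of the question or either answer: probe which
# protocol versions an IMAP server accepts over STARTTLS with openssl
# s_client, judging each attempt by the negotiated cipher rather than by
# the CONNECTED line. PROBE_HOST and PROBE_PORT are assumed names.

# classify_handshake: read openssl s_client output on stdin and print one of
# accepted, rejected, unsupported-by-client.
# "CONNECTED(...)" only means the TCP socket opened; a completed handshake
# shows a real cipher on the "New, ..., Cipher is ..." line, while a refused
# version shows "Cipher is (NONE)" or no such line at all (errno / reset).
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"unknown option"*)     echo unsupported-by-client ;;
        *"Cipher is (NONE)"*)   echo rejected ;;
        *"Cipher is "*)         echo accepted ;;
        *)                      echo rejected ;;
    esac
}

# probe_version HOST PORT FLAG: one STARTTLS handshake attempt with the given
# s_client version flag (e.g. -tls1_2). Empty stdin makes s_client exit as
# soon as the handshake finishes or fails instead of waiting for input.
probe_version() {
    printf '' | openssl s_client -connect "$1:$2" -starttls imap "$3" 2>&1 \
        | classify_handshake
}

# probe_all HOST PORT: print one verdict line per protocol version flag.
# A flag this openssl build does not know is reported as unsupported-by-client
# so it is not mistaken for a server-side refusal.
probe_all() {
    for flag in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
}

# Constructed sample outputs (not captured from a real server) so the
# classifier can be exercised offline. The refused sample is adapted from the
# question's -ssl3 run: no cipher was negotiated although the socket opened.
SAMPLE_REFUSED='CONNECTED(00000003)
140692334688072:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
New, (NONE), Cipher is (NONE)
Protocol  : SSLv3'
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol  : TLSv1.2'

if [ -n "${PROBE_HOST:-}" ]; then
    # Live mode: PROBE_HOST=mail.example.org PROBE_PORT=143 sh probe.sh
    probe_all "$PROBE_HOST" "${PROBE_PORT:-143}"
else
    # Offline mode: show the classifier on the constructed samples.
    printf 'constructed refused sample -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_REFUSED" | classify_handshake)"
    printf 'constructed accepted sample -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_OK" | classify_handshake)"
fi
```

Run it against the server with PROBE_HOST set; every line other than the versions you intend to keep should read rejected (or unsupported-by-client where the local openssl no longer carries that protocol, which is the usual reason -ssl2 and -ssl3 print nothing useful on current builds). Because the verdict is taken from the cipher line, a server that closes the connection before the handshake, as in the question's 995 example with write:errno=104, is counted as a refusal rather than as CONNECTED.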

I've just had the same trouble; it turns out that if courier imapd-ssl was built with gnutls, as is the case on Debian, then the TLS_PROTOCOL variable seems to be ignored.

You can disable protocols using the TLS_PRIORITY configuration instead, see https://gnutls.org/manual/html_node/Priority-Strings.html for the reference documentation on the syntax.

Setting it from the default NORMAL:-CTYPE-OPENPGP to NORMAL:-CTYPE-OPENPGP:-VERS-TLS1.0:-VERS-TLS1.1 disables the TLSv1.0 and TLSv1.1 protocols.

bauen1
  • 1