Imapd and diffie hellman encryption

Vladislav Kurz vladislav.kurz at
Thu Jun 27 07:36:00 EDT 2013

Hello all,

recently I read an article about perfect forward secrecy, and so I have tried 
all of our services to see what ciphers they use. I have found that most of 
them use DHE-RSA-AES256-SHA (which I suppose has PFS thanks to DH key 
exchange), but Cyrus IMAPd (and POP3d) used only AES256-SHA. When I set my 
client to use only DHE-RSA-AES256-SHA, the connection was refused.

So, is there anything I can do to enable DH key negotiation in imapd.conf?

My tls options from imapd.conf are:

tls_cert_file: /etc/ssl/certs/mail.crt
tls_key_file: /etc/ssl/private/mail.key
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_require_cert: false

mail.crt contains also the whole certificate chain of public certificate 
authority that issued my certificate.

/etc/ssl/certs contains only a few certificates - one is the same as included 
in mail.crt, and others belong to our governmental CA - some clients tried to 
send them to the server to authenticate, even though authentication is only 
password based.

Somewhere I found a howto that suggested to add DH parameters to either cert 
or key file (they used one for both), but it didn't work.

Best Regards
	Vladislav Kurz
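The client-side check the poster describes (forcing a single cipher suite and seeing whether the IMAP server accepts it) can be reproduced with openssl s_client. This is an added example, not part of the original post or of Cyrus; the hostname mail.example.org is a placeholder, and it assumes IMAP on port 143 with STARTTLS.

```shell
#!/bin/sh
# Probe an IMAP server over STARTTLS for forward-secret (DHE/ECDHE) cipher support.
# Added example; the host name below is a placeholder, not the poster's server.

# Return 0 if a cipher-suite name uses an ephemeral DH or ECDH key exchange
# (forward secrecy), 1 otherwise.
has_pfs() {
    case "$1" in
        DHE-*|EDH-*|ECDHE-*|EECDH-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read openssl s_client output on stdin and print the negotiated cipher
# (the "Cipher    : ..." line of the SSL-Session block).
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *//p' | head -n 1
}

# Open a STARTTLS IMAP session restricted to one cipher suite and print the
# cipher that was negotiated, or "none" if the handshake failed (what the
# poster saw as "connection refused" when requiring DHE-RSA-AES256-SHA).
probe() {
    host=$1; port=$2; cipher=$3
    out=$(printf 'a LOGOUT\r\n' | openssl s_client -connect "$host:$port" \
          -starttls imap -cipher "$cipher" 2>/dev/null) || true
    c=$(printf '%s\n' "$out" | negotiated_cipher)
    case "$c" in
        ""|"(NONE)"|0000) echo none ;;
        *) echo "$c" ;;
    esac
}

# Try the non-PFS suite the server was seen offering and the DHE suite the
# poster wanted, and report whether each negotiated cipher gives forward secrecy.
main() {
    host=${1:-mail.example.org}   # placeholder host
    port=${2:-143}
    for suite in AES256-SHA DHE-RSA-AES256-SHA; do
        got=$(probe "$host" "$port" "$suite")
        if has_pfs "$got"; then pfs=yes; else pfs=no; fi
        printf '%-22s -> %s (forward secrecy: %s)\n' "$suite" "$got" "$pfs"
    done
}

[ $# -gt 0 ] && main "$@"
```

Run as `sh probe_imap_tls.sh mail.example.org 143`; a server that only offers AES256-SHA will report "none" for the DHE-RSA-AES256-SHA line.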
