From: bug#69858 <69858@debbugs.gnu.org>
To: bug#69858 <69858@debbugs.gnu.org>
Subject: Status: [PATCH 1/2] services: dovecot: Prefer server ciphers by default.
Reply-To: bug#69858 <69858@debbugs.gnu.org>
Date: Sat, 14 Jun 2025 09:03:54 +0000

retitle 69858 [PATCH 1/2] services: dovecot: Prefer server ciphers by default.
reassign 69858 guix-patches
submitter 69858 Herman Rimm
severity 69858 normal
tag 69858 patch
thanks

From: Herman Rimm
To: guix-patches@gnu.org
Cc: Herman Rimm
Subject: [PATCH 1/2] services: dovecot: Prefer server ciphers by default.
Date: Sun, 17 Mar 2024 16:34:33 +0100
Message-ID: <20240317153440.27064-1-herman@rimm.ee>

* gnu/services/mail.scm (dovecot-configuration): Add 'ssl-prefer-server-ciphers?' field.
* doc/guix.texi (Mail Services)[Dovecot Service]: Describe field.

Change-Id: I1ea7c53466ebc3b01082938b5d9dee47c683017d
--- doc/guix.texi | 5 +++++ gnu/services/mail.scm | 7 +++++++ 2 files changed, 12 insertions(+) diff --git a/doc/guix.texi b/doc/guix.texi index eca1cb3712..b58ed90b2f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -26989,6 +26989,11 @@ Time to delay before replying to failed authentications. Defaults to @samp{"2 secs"}. @end deftypevr +@deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-prefer-server-ciphers? +Prefer a server's allowed cipher list over own cipher list. +Defaults to @samp{#t}. +@end deftypevr + @deftypevr {@code{dovecot-configuration} parameter} boolean auth-ssl-require-client-cert? Require a valid SSL client certificate or the authentication fails. diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm index afe1bb6016..cd3f961094 100644 --- a/gnu/services/mail.scm +++ b/gnu/services/mail.scm @@ -7,6 +7,7 @@ ;;; Copyright © 2020 Jonathan Brielmaier ;;; Copyright © 2023 Thomas Ieong ;;; Copyright © 2023 Saku Laesvuori +;;; Copyright © 2024 Herman Rimm ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -1261,9 +1262,15 @@ (define-configuration dovecot-configuration intend to use @samp{ssl-verify-client-cert? #t}. The file should contain the CA certificate(s) followed by the matching CRL(s). (e.g. @samp{ssl-ca
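Review bot: In the doc/guix.texi hunk of patch 1/2, the new @deftypevr documents the parameter as auth-ssl-prefer-server-ciphers?, while the commit message says the field added to dovecot-configuration is 'ssl-prefer-server-ciphers?'. The manual should carry the name users have to write in their configuration, so drop the auth- prefix and move the entry out of the auth-* group (it currently sits between the failed-authentication delay entry and auth-ssl-require-client-cert?) to the other ssl-* parameters. The description "Prefer a server's allowed cipher list over own cipher list." does not say whose list "own" refers to; wording such as "Prefer the server's cipher order over the client's when negotiating TLS." would be unambiguous. The gnu/services/mail.scm hunk at @@ -1261,9 +1262,15 @@ is cut off in this copy, so the field definition and its default cannot be checked against the documented @samp{#t}.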

From: Herman Rimm
To: 69858@debbugs.gnu.org
Cc: Herman Rimm
Subject: [PATCH 2/2] services: dovecot: Bump minimum supported SSL protocol.
Date: Sun, 17 Mar 2024 16:38:26 +0100
Message-ID: <20240317153925.27190-1-herman@rimm.ee>

* gnu/services/mail.scm (dovecot-configuration): Set 'ssl-min-protocol' to "TLSv1.2".

Change-Id: I0d317a54d46523229fcd475eb6ae2239fd0726e9
--- gnu/services/mail.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm index cd3f961094..f500a62664 100644 --- a/gnu/services/mail.scm +++ b/gnu/services/mail.scm @@ -1283,7 +1283,7 @@ (define-configuration dovecot-configuration @samp{auth-ssl-username-from-cert? #t}.") (ssl-min-protocol - (string "TLSv1") + (string "TLSv1.2") "Minimum SSL protocol version to accept.") (ssl-cipher-list -- 2.41.0
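Review bot: The ssl-min-protocol default in patch 2/2 moves from "TLSv1" to "TLSv1.2", but the diffstat shows only gnu/services/mail.scm changed, so any "Defaults to" text for this parameter in doc/guix.texi is left stale. Patch 1/2 shows the manual documents dovecot-configuration parameters together with their defaults, so please update the manual entry in the same commit. This is also a behaviour change for existing deployments: clients limited to TLS 1.0 or 1.1 are refused once the new default takes effect, which deserves a sentence in the commit message. The docstring "Minimum SSL protocol version to accept." could give an example value such as "TLSv1.2" so users know the expected string format.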