Cyrus often ships with SSLv2 enabled by default. SSLv2 is an obsolete, cryptographically broken protocol version, so leaving it enabled is a security weakness. Here’s how to disable SSLv2 in your Cyrus IMAP server!
1. Edit the file /etc/imapd.conf
$ sudo nano /etc/imapd.conf
Find the following line and remove any SSLv2 reference it contains:
After (the Debian default is shown below):
Some email clients, such as the Android mail client, need something like this instead:
2. Then restart Cyrus
$ sudo /etc/init.d/cyrus2.2 restart
If desired, you can then check that SSLv2 is disabled by connecting to your IMAPS Cyrus mail server as follows, supplying your own mail server IP address of course:
$ openssl s_client -connect 220.127.116.11:993 -verify -debug -ssl2
You will see something like this if SSLv2 is not allowed:
140735126120892:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
Or it may return ‘ssl handshake failure’.
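Current OpenSSL releases no longer build with SSLv2 support, so the `-ssl2` option above is often unavailable on a modern client machine. The following script is an added example (not part of the original post) that performs the same check without relying on OpenSSL: it sends a raw SSLv2 CLIENT-HELLO to your own server on port 993 and classifies the first bytes that come back. A server with SSLv2 disabled either closes the connection, answers with a TLS/SSLv3 alert, or sends nothing usable; a server that still has SSLv2 enabled replies with an SSLv2 SERVER-HELLO. The hostname `mail.example.com` is a placeholder; replace it with your own server.

```python
"""Verify that an IMAPS server rejects SSLv2 by sending a raw SSLv2
CLIENT-HELLO and classifying the reply. Added example, not from the post."""
import os
import socket
import struct

# SSLv2 message types and version number (from the SSL 2.0 specification)
SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# The seven cipher kinds SSLv2 defines, each a 3-byte code.
SSL2_CIPHER_KINDS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]


def build_sslv2_client_hello(challenge=None) -> bytes:
    """Return an SSLv2 record carrying a CLIENT-HELLO that offers every SSLv2 cipher."""
    if challenge is None:
        challenge = os.urandom(16)
    ciphers = b"".join(SSL2_CIPHER_KINDS)
    # CLIENT-HELLO body: type, version, cipher-spec length, session-id length,
    # challenge length, then the cipher specs, (empty) session id and challenge.
    body = (
        struct.pack("!BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION,
                    len(ciphers), 0, len(challenge))
        + ciphers + challenge
    )
    # Two-byte SSLv2 record header: high bit set, 15-bit length, no padding.
    header = struct.pack("!H", 0x8000 | len(body))
    return header + body


def classify_response(data: bytes) -> str:
    """Classify what a server sent back after receiving an SSLv2 CLIENT-HELLO."""
    if not data:
        return "rejected: connection closed without a reply"
    # A TLS/SSLv3 record starts with content type 0x15 (alert) or 0x16
    # (handshake) followed by major version 3: the server is not speaking SSLv2.
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "rejected: server answered with a TLS/SSLv3 record"
    if data[0] & 0x80:
        body = data[2:]
        # SERVER-HELLO: type(1) session-id-hit(1) certificate-type(1) version(2) ...
        if len(body) >= 5 and body[0] == SSL2_MT_SERVER_HELLO:
            version = struct.unpack("!H", body[3:5])[0]
            if version == SSL2_VERSION:
                return "ACCEPTED: server sent an SSLv2 SERVER-HELLO"
    return "rejected: unrecognised reply, SSLv2 handshake did not complete"


def check_sslv2(host: str, port: int = 993, timeout: float = 5.0) -> str:
    """Connect to host:port, send the CLIENT-HELLO and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(1024)
        except OSError:  # timeout or reset both mean no SSLv2 handshake
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    # Placeholder hostname: pass your own server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    print(check_sslv2(target))
```

Run it against your own server after restarting Cyrus; any line beginning with `rejected:` corresponds to the `no cipher list` or `ssl handshake failure` outcome shown above, while `ACCEPTED` means the configuration change did not take effect.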