Disable SSLv2 in Cyrus IMAP server

2011/12/15

Cyrus IMAP often ships with a tls_cipher_list that still selects the SSLv2 cipher suites. SSLv2 is a broken protocol (weak MD5-based integrity check, the same key used for encryption and authentication, and a handshake that is not protected against cipher-suite rollback), so leaving it enabled is a genuine weakness. Here's how to disable SSLv2 in your Cyrus IMAP server!


1. Edit the file /etc/imapd.conf

sudo nano /etc/imapd.conf

Find the tls_cipher_list line. Its value is an OpenSSL cipher-list string, and the SSLv2 keyword in it selects the SSLv2 cipher suites; remove that keyword wherever it appears (adding an explicit !SSLv2 exclusion does no harm either). Note that TLSv1 and SSLv3 in such a string name groups of cipher suites, not protocol versions, so removing SSLv2 from the list is what stops the server from completing an SSLv2 handshake:

Before:

tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

After (this is the Debian default, which only allows high-strength suites and no anonymous ones):

tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH

or, since some email clients (the Android mail client at the time of writing, for one) need a wider set of cipher suites, something like this, which keeps the SSLv3-era suites but still drops SSLv2, NULL, export, DES and other low-strength ciphers:

tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

2. Restart Cyrus so the new cipher list takes effect

Debian/Ubuntu:

$ sudo /etc/init.d/cyrus2.2 restart

(The init script is named after the packaged version; on releases that ship the cyrus-imapd package it is /etc/init.d/cyrus-imapd instead.)


If desired, you can then check that SSLv2 is really disabled by forcing an SSLv2 handshake against your imaps port with openssl s_client, supplying your own mail server IP of course. The same tls_cipher_list also governs STARTTLS on port 143, so one check on 993 is enough:

$ openssl s_client -connect 173.230.156.66:993 -debug -ssl2

(The original command also passed -verify; that option takes a numeric depth argument, so -verify -debug would silently set the depth to 0 and swallow -debug. Leave it out, or write -verify 1.)

You will see something like this if SSLv2 is not allowed, meaning the server offered no SSLv2 cipher suites at all:

140735126120892:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

Or it may return 'ssl handshake failure'. If instead you see a negotiated cipher and the server certificate, SSLv2 is still enabled and the cipher list or restart did not take.

One caveat: the -ssl2 option only exists in OpenSSL builds that still contain SSLv2 code. Many distribution builds were compiled without it, and every OpenSSL release from 1.1.0 onwards has dropped SSLv2 entirely, so on such a client openssl will reject -ssl2 as an unknown option and you cannot test from that machine.
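The whole procedure above (rewriting tls_cipher_list in imapd.conf, then probing the imaps port per protocol version) as one POSIX shell script. This is an added example, not part of the original post or of Cyrus itself; the sample imapd.conf it writes to a temp file is constructed, and the host, port and file paths are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example: strip SSLv2 from a Cyrus tls_cipher_list and verify the result.
# Not part of the original post; the sample config below is constructed.

# Remove every SSLv2 token from an OpenSSL cipher-list string (given as $1)
# and append an explicit !SSLv2 exclusion. Prints the new list.
# Splitting on ':' avoids the regex trouble of matching a token at either end.
strip_sslv2() {
    printf '%s\n' "$1" \
        | tr ':' '\n' \
        | grep -v -x -e 'SSLv2' -e '!SSLv2' \
        | paste -s -d ':' - \
        | sed -e 's/$/:!SSLv2/' -e 's/^://'
}

# Rewrite the tls_cipher_list line of an imapd.conf in place, keeping a .bak
# copy. Prints the new cipher list; fails if the file has no such line.
disable_sslv2_in_conf() {
    conf="$1"
    old=$(sed -n 's/^[[:space:]]*tls_cipher_list:[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$old" ]; then
        echo "no tls_cipher_list line in $conf" >&2
        return 1
    fi
    new=$(strip_sslv2 "$old")
    cp "$conf" "$conf.bak"
    # '|' is a safe sed delimiter: cipher strings contain ':' '!' '@' but never '|'.
    sed "s|^[[:space:]]*tls_cipher_list:.*|tls_cipher_list: $new|" "$conf.bak" > "$conf"
    printf '%s\n' "$new"
}

# Try one protocol version against host:port. Returns 0 only when openssl
# completed a handshake with that version (s_client exits non-zero otherwise).
# $3 is the s_client version flag: -ssl2, -ssl3, -tls1, -tls1_2, ...
# Caveat: a client built without SSLv2 rejects -ssl2 as an unknown option,
# which also yields a non-zero status; check "openssl s_client -help" first.
probe_version() {
    echo Q | openssl s_client -connect "$1:$2" "$3" >/dev/null 2>&1
}

# Report which of the legacy versions the server still accepts.
# Usage: report_versions mail.example.org 993   (placeholder host)
report_versions() {
    for flag in -ssl2 -ssl3 -tls1; do
        if probe_version "$1" "$2" "$flag"; then
            echo "$flag: ACCEPTED (still enabled)"
        else
            echo "$flag: rejected"
        fi
    done
}

# Demo on a constructed imapd.conf in a temp file, not a live server's config.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'configdirectory: /var/lib/cyrus' \
        'tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH' \
        'sasl_pwcheck_method: saslauthd' > "$tmp"
    disable_sslv2_in_conf "$tmp"
    rm -f "$tmp" "$tmp.bak"
}
demo
```

Run the demo as-is to see the rewritten cipher list; to apply it for real, call disable_sslv2_in_conf /etc/imapd.conf as root, restart Cyrus, and then run report_versions against your server's address and port 993. The probe relies only on the exit status of s_client, so it works the same whether the server answers with "no cipher list" or a plain handshake failure.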

Done!