Hi,
I have Dovecot 2.3.2.1
OpenSSL 1.1.1
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
This is the recommended cipher list from
https://wiki.mozilla.org/Security/Server_Side_TLS. I also tried
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384
because I wanted K-9 and Aquamail to use the same cipher so that I can compare their behaviour.
Other settings:
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
My server's certificate key is ECDSA (ECC).
ssl_protocols has been replaced by ssl_min_protocol in Dovecot 2.3.
I have tried
ssl_min_protocol = TLSv1
ssl_cipher_list = AESGCM
and
ssl_protocols = !SSLv3
ssl_cipher_list = AESGCM
(with warnings that ssl_protocols is obsolete)
nmap --script ssl-cert,ssl-enum-ciphers
Host is up (0.020s latency).
PORT STATE SERVICE
143/tcp filtered imap
Nmap done: 1 IP address (1 host up) scanned in 2.26 seconds
Your workaround does not work for me. Which Dovecot version do you use?
EDIT
I have noticed that you have Dovecot 2.2.27. Could you please upgrade to 2.3? I have used Dovecot + Aquamail without any problems for years. But my problems started after upgrading Dovecot. I "think" that earlier versions of Dovecot (2.2) somehow avoided the problematic ciphers (ECDHE-ECDSA-AES256-GCM-SHA384?). But Dovecot 2.3.1 does not work at all.