KNOWNHOST WIKI


CSF/LFD Warns That Dovecot is Using Weak SSL/TLS Ciphers

If you use CSF/LFD with DirectAdmin and run its security check (CSF/LFD's "Check Server Security"), you may notice the following warning:

Check dovecot weak SSL/TLS Ciphers (ssl_cipher_list)

You can safely ignore this warning.

The firewall checks for the ciphers and protocols in the file /etc/dovecot/dovecot.conf, but this file contains the following include to another file that CSF/LFD doesn't check:

!include conf/ssl.conf

This file contains the cipher and protocol configuration. You can check your Dovecot SSL configuration like so to ensure that strong ciphers and protocols are in use:

grep -i 'protocol\|cipher' /etc/dovecot/conf/ssl.conf

Alternatively, you can scan with nmap to confirm the protocols and ciphers used:

nmap localhost -p 993 --script ssl-enum-ciphers

You can run the above command as the root user via SSH and query localhost as shown, or run it from a remote terminal by replacing 'localhost' with the server IP/hostname or a domain that resolves to the server. The output is a list of protocols and the ciphers supported for each.
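
To see which file actually sets the cipher and protocol options without knowing the include layout in advance, the following added example (not part of the original wiki page or of CSF/LFD) follows the !include directives starting from dovecot.conf, which is the step the security check skips. The function names and the sample configuration are constructed for illustration, and it assumes relative include paths resolve against the including file's directory.

```shell
#!/bin/sh
# Follow Dovecot "!include" / "!include_try" directives from a top-level config
# and print every TLS protocol/cipher setting together with the file it is in.
# Assumptions: relative include paths resolve against the including file's
# directory, and include patterns contain no spaces.
dovecot_tls_settings() (          # body in ( ) so variables stay per-call
    file=$1
    depth=${2:-0}
    # Skip unreadable files; the depth limit bounds recursive include loops.
    [ -r "$file" ] && [ "$depth" -lt 10 ] || exit 0
    dir=$(dirname "$file")
    # Trim each line and collapse whitespace runs so directives parse uniformly.
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]\{1,\}/ /g' "$file" |
    while IFS= read -r line; do
        case $line in
            '!include '*|'!include_try '*)
                pattern=${line#* }
                case $pattern in /*) ;; *) pattern=$dir/$pattern ;; esac
                for inc in $pattern; do        # unquoted on purpose: expands globs
                    dovecot_tls_settings "$inc" $((depth + 1))
                done ;;
            ssl_*protocol*|ssl_*cipher*)       # commented-out lines start with '#'
                printf '%s: %s\n' "$file" "$line" ;;
        esac
    done
)

# Constructed sample tree mirroring the layout described above
# (not a real server's configuration).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/conf"
    printf '%s\n' 'protocols = imap pop3' '!include conf/ssl.conf' > "$root/dovecot.conf"
    printf '%s\n' 'ssl = yes' '# ssl_protocols = old' 'ssl_min_protocol = TLSv1.2' \
        'ssl_cipher_list = ECDHE-RSA-AES256-GCM-SHA384' > "$root/conf/ssl.conf"
    printf '%s\n' "$root"
}

sample=$(make_sample_tree)
dovecot_tls_settings "$sample/dovecot.conf"
rm -rf "$sample"
```

On a server, call dovecot_tls_settings /etc/dovecot/dovecot.conf as root; each output line names the file that holds the setting.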

security/csf-lfd/what-to-do-if-csf-lfd-warns-that-dovecot-using-weak-ssl-ciphers.txt · Last modified: 2019/09/30 15:42 by Karson N.