Ok, here is the latest:
PCI Compliant Settings:
Dovecot
SSL Cipher List: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSL Protocols: TLSv1.2
EXIM
Options for OpenSSL: Default
SSL/TLS Cipher Suite List:
Default
This will require a mitigation document and will be good until June 2018.
The downside is this breaks some Windows 7 machines using Outlook 2016 with the ssl3_get_client_hello error.
Working solution:
Dovecot
SSL Cipher List: AES128+EECDH:AES128+EDH
SSL Protocols: !SSLv2 !SSLv3
EXIM
Options for OpenSSL: +no_sslv2 +no_sslv3
SSL/TLS Cipher Suite List: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
This works fine, but throws up a lot of PCI compliance errors. I believe all of them can still be mitigated at this point, but this configuration will not work after June 2018. This is ALMOST PCI compliant, which is too bad.
Windows 7 and Outlook 2016 issues with ssl3_get_client_hello appear to be random; not all machines have the problem. This is not patchable via the patch kb3140245. I have several patched clients that still can't get Outlook 2016 to work under the PCI compliant configuration.
At this point, I don't believe there is a workaround for the Outlook issue that is PCI compliant. Some stuff was posted in other threads here, but they were a bit drastic, some turning on SSLv3, which is way outside PCI compliance. What we really need is a patch for Windows 7 and Outlook 2016 that works. My guess is that Outlook is looking at compliant systems for TLSv1, not finding it and attempting to downgrade to SSLv3, but there are no ciphers, so it bombs.
As always, still working on this...
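An added example, not the poster's or cPanel's code, that classifies the cipher lists from the post above by key exchange, AEAD vs. CBC and hash, so the difference between the "PCI compliant" Dovecot list and the "working" Exim list is visible suite by suite. It assumes OpenSSL suite naming; keyword-style lists such as the Dovecot working list (AES128+EECDH:AES128+EDH) can only be expanded by OpenSSL itself and are reported as unparsed here.

```python
import re

# Lists copied from the post above (real OpenSSL suite names).
EXIM_WORKING = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"
)
DOVECOT_PCI = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

# Full suite names only; OpenSSL keyword expressions (AES128+EECDH) won't match.
SUITE_RE = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE)-(?P<auth>ECDSA|RSA)-)?"
    r"(?P<cipher>AES128|AES256|CHACHA20)-"
    r"(?P<tail>GCM-SHA256|GCM-SHA384|POLY1305|SHA256|SHA384|SHA)$"
)


def parse_suite(name):
    """Break one OpenSSL suite name into its parts, or None if not recognised."""
    m = SUITE_RE.match(name)
    if not m:
        return None
    kx, tail = m.group("kx"), m.group("tail")
    if tail.startswith("GCM"):
        aead, mac = True, tail.split("-")[1]   # for GCM the hash is the PRF, not a MAC
    elif tail == "POLY1305":
        aead, mac = True, "POLY1305"
    else:
        aead, mac = False, ("SHA1" if tail == "SHA" else tail)  # CBC + HMAC
    return {
        "name": name,
        "kx": kx or "RSA",                 # no (EC)DHE prefix = static RSA key exchange
        "auth": m.group("auth") or "RSA",
        "cipher": m.group("cipher"),
        "aead": aead,
        "mac": mac,
        "forward_secrecy": kx is not None,
    }


def classify(cipher_string):
    """Split a colon-separated list into parsed suites, !exclusions and unknowns."""
    suites, excluded, unparsed = [], [], []
    for token in cipher_string.split(":"):
        if token.startswith(("!", "-")):
            excluded.append(token[1:])
            continue
        info = parse_suite(token.lstrip("+"))
        if info:
            suites.append(info)
        else:
            unparsed.append(token)
    return {"suites": suites, "excluded": excluded, "unparsed": unparsed}


def flagged(cipher_string):
    """Suites with no forward secrecy or a CBC/SHA-1 construction, with reasons."""
    out = []
    for s in classify(cipher_string)["suites"]:
        reasons = []
        if not s["forward_secrecy"]:
            reasons.append("static RSA key exchange (no forward secrecy)")
        if not s["aead"] and s["mac"] == "SHA1":
            reasons.append("CBC with SHA-1 MAC")
        if reasons:
            out.append((s["name"], reasons))
    return out


if __name__ == "__main__":
    for label, lst in (("Dovecot PCI", DOVECOT_PCI), ("Exim working", EXIM_WORKING)):
        report = classify(lst)
        print(f"{label}: {len(report['suites'])} suites, excluded={report['excluded']}")
        for name, reasons in flagged(lst):
            print(f"  {name}: {'; '.join(reasons)}")
    print("unparsed keyword list:", classify("AES128+EECDH:AES128+EDH")["unparsed"])
```

Run it and the Exim "working" list shows the six static-RSA suites at its tail plus the eight CBC/SHA-1 suites, which is the kind of thing a PCI scan reports, while the Dovecot "compliant" list flags nothing.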