ssl_cipher for mail not working

MKl nginx-forum at
Wed Aug 14 10:56:32 UTC 2013


To increase the security of SSL I added some elliptic-curve ciphers to the
chain. For HTTPS it's working fine, but for the mail proxy it does not work;
I always get only RC4-SHA instead of the ECDH ciphers.
See configuration at the end of this message.

I'm testing it with:
openssl s_client -cipher 'ECDH:DH' -connect
openssl s_client -cipher 'ECDH:DH' -connect

The first command gives me a successful connection with ECDHE-RSA-RC4-SHA,
so for HTTPS the cipherlist is used. The second command fails with an error:
"sslv3 alert handshake failure"; the IMAPS server does not provide ECDH
support. I used exactly the same ssl_cipher line for HTTPS and the mail

When using the following command without forcing any ciphers on the client I
can see that RC4-SHA is the "best" cipher that is supported and used:
openssl s_client -connect

Does anybody have an idea where the problem is?

Thanks in advance

mail {

  proxy     on;
  starttls  on; ## enable STARTTLS for all mail servers

  ssl_prefer_server_ciphers  on;
  ssl_protocols              TLSv1.1 TLSv1.2 TLSv1 SSLv3;
  ssl_session_cache          shared:TLSSL:16m;
  ssl_session_timeout        10m;

  ssl_certificate            star_domain_de.crt;
  ssl_certificate_key        star_domain_de.key;

  ## default, STARTTLS is appended because of starttls directive above
  imap_capabilities  "IMAP4rev1" "LITERAL+" "SASL-IR" "LOGIN-REFERRALS" "ID"
  pop3_capabilities  "TOP"  "USER";

  server {
    ssl          on;
    listen       [::]:993;
    protocol     imap;
    proxy_pass_error_message       on;

Posted at Nginx Forum:,241834,241834#msg-241834
