
I'm attempting to disable SSLv2 support (amongst other things) in Courier on Linux. In /etc/courier/imapd-ssl I have:

TLS_CIPHER_LIST="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:!ADH:@STRENGTH:!3DES"
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

This works nicely on imaps (993/tcp):

# openssl s_client -connect localhost:995 -ssl2
CONNECTED(00000003)
write:errno=104

But for STARTTLS on 143/tcp it still seems to allow SSLv2:

openssl s_client -connect localhost:143 -starttls imap -ssl2
CONNECTED(00000003)

By contrast:

openssl s_client -connect localhost:143 -starttls imap -ssl3
CONNECTED(00000003)
140692334688072:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 549 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : SSLv3
Cipher    : 0000
Session-ID: 
Session-ID-ctx: 
Master-Key: 
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1492550234
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---

So it looks to me as if SSLv2 is still enabled when using STARTTLS on 143.

Ian480

1 Answer

Since SSLv2 and SSLv3 have been obsolete for years and TLS is the successor, nowadays you probably want to disable TLS 1.0 and TLS 1.1 in Courier. Don't set TLS_CIPHER_LIST! The default will be fine; it will take the settings from your OpenSSL settings.

In /etc/courier/imapd-ssl set

TLS_PROTOCOL="TLSv1.2"

This will allow TLS 1.2 or newer (TLS 1.3 is out).

Whether TLSv1.2 works depends on whether your OpenSSL library is recent enough to support TLS 1.2.

To check whether it worked, see the result of

openssl s_client -tls1_1 -connect mail.example.org:993
rubo77

I've been fighting with disabling of TLS1 and TLS1.1 for a good part of the weekend... Courier (couriertcpd?) seems to ignore the TLS_PROTOCOL setting. No matter what I set it to, it always offers TLS 1, 1.1, 1.2, and 1.3. This is based on what `testssl.sh` reports, but if I try to connect via `openssl s_client` and enforce TLS1 or TLS1.1, it fails to connect. I am confused about this behavior. Can it offer all protocols but then, upon an actual connect, refuse everything below 1.2? How do I stop Courier IMAPd from advertising protocols that it refuses to connect over? – evolvah Jan 24 '21 at 17:22
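A script that probes each protocol version on both imaps (993) and STARTTLS on 143 and reports which ones actually complete a handshake, as an added example (not code from the question, the answer, or Courier). It keys on the negotiated cipher rather than on `CONNECTED(...)`, which only reports that the TCP connection opened, and it tells a server refusal apart from a version flag this OpenSSL build does not have; the hostname is a placeholder.

```shell
#!/bin/sh
# Added example: check which SSL/TLS versions a Courier IMAP server really
# negotiates. "CONNECTED(00000003)" means only that TCP connected; a completed
# handshake prints a real cipher, while a failed one prints "Cipher is (NONE)".
# Usage: sh probe-imap-tls.sh mail.example.org   (hostname is a placeholder)

# handshake_ok reads `openssl s_client` output on stdin and returns
#   0 if a cipher was negotiated,
#   2 if this openssl build does not know the requested version flag,
#   1 otherwise (server refused or handshake failed).
handshake_ok() {
    out=$(cat)
    case "$out" in
        *"nknown option"*)      return 2 ;;   # matches "unknown option"/"Unknown option"
        *"Cipher is (NONE)"*)   return 1 ;;
        *"Cipher is "*)         return 0 ;;
        *)                      return 1 ;;
    esac
}

# probe VERSIONFLAG PORT [extra s_client args, e.g. -starttls imap]
probe() {
    flag="$1"; port="$2"; shift 2
    # Send an IMAP LOGOUT so s_client exits instead of waiting on stdin.
    printf 'a LOGOUT\r\n' |
        openssl s_client "$flag" -connect "$HOST:$port" "$@" 2>&1 | handshake_ok
    case $? in
        0) echo "$flag on $port $*: ACCEPTED" ;;
        2) echo "$flag on $port $*: flag not supported by this openssl build" ;;
        *) echo "$flag on $port $*: refused" ;;
    esac
}

# Only probe when a host is given; without arguments the script just defines
# the functions above.
if [ $# -gt 0 ]; then
    HOST="$1"
    for v in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe "$v" 993
        probe "$v" 143 -starttls imap
    done
fi
```

A version that shows up in a scanner's "offered" list but prints "refused" here was not actually negotiated; compare the two columns (993 vs 143) to catch a STARTTLS listener configured differently from the imaps one.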