diff --git a/actions/admin/settings/131.ssl.php b/actions/admin/settings/131.ssl.php
index 06895c9d..016de801 100644
--- a/actions/admin/settings/131.ssl.php
+++ b/actions/admin/settings/131.ssl.php
@@ -37,7 +37,7 @@ return array(
 									'varname' => 'ssl_cipher_list',
 									'type' => 'string',
 									'string_emptyallowed' => false,
-									'default' => 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH',
+									'default' => 'ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128',
 									'save_method' => 'storeSettingField',
 							),
 							'system_ssl_cert_file' => array(
diff --git a/install/froxlor.sql b/install/froxlor.sql
index b0a8c805..bbbb2b81 100644
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -486,7 +486,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 	('system', 'mod_fcgid_defaultini_ownvhost', '2'),
 	('system', 'awstats_icons', '/usr/share/awstats/icon/'),
 	('system', 'ssl_cert_chainfile', ''),
-	('system', 'ssl_cipher_list', 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH'),
+	('system', 'ssl_cipher_list', 'ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128'),
 	('system', 'nginx_php_backend', '127.0.0.1:8888'),
 	('system', 'perl_server', 'unix:/var/run/nginx/cgiwrap-dispatch.sock'),
 	('system', 'phpreload_command', ''),
diff --git a/lib/configfiles/gentoo.xml b/lib/configfiles/gentoo.xml
index 6f3deb08..d70e79ac 100644
--- a/lib/configfiles/gentoo.xml
+++ b/lib/configfiles/gentoo.xml
@@ -2692,8 +2692,8 @@ SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}
 #TLSLog						/var/log/proftpd-tls.log
 #TLSProtocol					SSLv23
 #TLSTimeoutHandshake				120
-# Really important for WinClients
-#TLSOptions					NoCertRequest
+# Really important for WinClients and some clients
+#TLSOptions					NoCertRequest NoSessionReuseRequired
 #TLSRSACertificateFile		/etc/ssl/server/<SERVERNAME>.crt
 #TLSRSACertificateKeyFile	/etc/ssl/server/<SERVERNAME>.key
 # Authenticate client that want to use FTP over TLS?
diff --git a/lib/configfiles/rhel_centos.xml b/lib/configfiles/rhel_centos.xml
index 1ac18c30..b5131138 100644
--- a/lib/configfiles/rhel_centos.xml
+++ b/lib/configfiles/rhel_centos.xml
@@ -2120,7 +2120,7 @@ ControlsLog			/var/log/proftpd/controls.log
   TLSRSACertificateFile		/etc/pki/tls/certs/proftpd.pem
   TLSRSACertificateKeyFile	/etc/pki/tls/certs/proftpd.pem
   TLSCipherSuite		ALL:!ADH:!DES
-  TLSOptions			NoCertRequest
+  TLSOptions			NoCertRequest NoSessionReuseRequired
   TLSVerifyClient		off
   #TLSRenegotiate		ctrl 3600 data 512000 required off timeout 300
   TLSLog			/var/log/proftpd/tls.log
diff --git a/lib/configfiles/wheezy.xml b/lib/configfiles/wheezy.xml
index 1a929fb7..640cf702 100644
--- a/lib/configfiles/wheezy.xml
+++ b/lib/configfiles/wheezy.xml
@@ -2862,387 +2862,6 @@ auth_mechanisms = plain login
 #!include auth-deny.conf.ext
 #!include auth-master.conf.ext
 
-#!include auth-system.conf.ext
-!include auth-sql.conf.ext
-#!include auth-ldap.conf.ext
-#!include auth-passwdfile.conf.ext
-#!include auth-checkpassword.conf.ext
-#!include auth-vpopmail.conf.ext
-#!include auth-static.conf.ext
-]]>
-							</content>
-						</file>
-						<file name="/etc/dovecot/dovecot.conf" chown="root:root"
-							chmod="0640" backup="true">
-							<content><![CDATA[
-## Dovecot configuration file
-
-# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
-
-# "doveconf -n" command gives a clean output of the changed settings. Use it
-# instead of copy&pasting files when posting to the Dovecot mailing list.
-
-# '#' character and everything after it is treated as comments. Extra spaces
-# and tabs are ignored. If you want to use either of these explicitly, put the
-# value inside quotes, eg.: key = "# char and trailing whitespace  "
-
-# Default values are shown for each setting, it's not required to uncomment
-# those. These are exceptions to this though: No sections (e.g. namespace {})
-# or plugin settings are added by default, they're listed only as examples.
-# Paths are also just examples with the real defaults being based on configure
-# options. The paths listed here are for configure --prefix=/usr
-# --sysconfdir=/etc --localstatedir=/var
-
-# Enable installed protocols
-!include_try /usr/share/dovecot/protocols.d/*.protocol
-
-# A comma separated list of IPs or hosts where to listen in for connections. 
-# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
-# If you want to specify non-default ports or anything more complex,
-# edit conf.d/master.conf.
-#listen = *, ::
-
-# Base directory where to store runtime data.
-#base_dir = /var/run/dovecot/
-
-# Name of this instance. In multi-instance setup doveadm and other commands
-# can use -i <instance_name> to select which instance is used (an alternative
-# to -c <config_path>). The instance name is also added to Dovecot processes
-# in ps output.
-#instance_name = dovecot
-
-# Greeting message for clients.
-#login_greeting = Dovecot ready.
-
-# Space separated list of trusted network ranges. Connections from these
-# IPs are allowed to override their IP addresses and ports (for logging and
-# for authentication checks). disable_plaintext_auth is also ignored for
-# these networks. Typically you'd specify your IMAP proxy servers here.
-#login_trusted_networks =
-
-# Sepace separated list of login access check sockets (e.g. tcpwrap)
-#login_access_sockets = 
-
-# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
-# proxying. This isn't necessary normally, but may be useful if the destination
-# IP is e.g. a load balancer's IP.
-#auth_proxy_self =
-
-# Show more verbose process titles (in ps). Currently shows user name and
-# IP address. Useful for seeing who are actually using the IMAP processes
-# (eg. shared mailboxes or if same uid is used for multiple accounts).
-#verbose_proctitle = no
-
-# Should all processes be killed when Dovecot master process shuts down.
-# Setting this to "no" means that Dovecot can be upgraded without
-# forcing existing client connections to close (although that could also be
-# a problem if the upgrade is e.g. because of a security fix).
-#shutdown_clients = yes
-
-# If non-zero, run mail commands via this many connections to doveadm server,
-# instead of running them directly in the same process.
-#doveadm_worker_count = 0
-# UNIX socket or host:port used for connecting to doveadm server
-#doveadm_socket_path = doveadm-server
-
-# Space separated list of environment variables that are preserved on Dovecot
-# startup and passed down to all of its child processes. You can also give
-# key=value pairs to always set specific settings.
-#import_environment = TZ
-
-##
-## Dictionary server settings
-##
-
-# Dictionary can be used to store key=value lists. This is used by several
-# plugins. The dictionary can be accessed either directly or though a
-# dictionary server. The following dict block maps dictionary names to URIs
-# when the server is used. These can then be referenced using URIs in format
-# "proxy::<name>".
-
-dict {
-  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
-  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
-}
-
-# Most of the actual configuration gets included below. The filenames are
-# first sorted by their ASCII value and parsed in that order. The 00-prefixes
-# in filenames are intended to make it easier to understand the ordering.
-!include conf.d/*.conf
-
-# A config file can also tried to be included without giving an error if
-# it's not found:
-!include_try local.conf
-]]>
-							</content>
-						</file>
-						<file name="/etc/dovecot/dovecot-sql.conf.ext" chown="root:root"
-							chmod="0600" backup="true">
-							<content><![CDATA[
-# This file is opened as root, so it should be owned by root and mode 0600.
-#
-# http://wiki2.dovecot.org/AuthDatabase/SQL
-#
-# For the sql passdb module, you'll need a database with a table that
-# contains fields for at least the username and password. If you want to
-# use the user@domain syntax, you might want to have a separate domain
-# field as well.
-#
-# If your users all have the same uig/gid, and have predictable home
-# directories, you can use the static userdb module to generate the home
-# dir based on the username and domain. In this case, you won't need fields
-# for home, uid, or gid in the database.
-#
-# If you prefer to use the sql userdb module, you'll want to add fields
-# for home, uid, and gid. Here is an example table:
-#
-# CREATE TABLE users (
-#     username VARCHAR(128) NOT NULL,
-#     domain VARCHAR(128) NOT NULL,
-#     password VARCHAR(64) NOT NULL,
-#     home VARCHAR(255) NOT NULL,
-#     uid INTEGER NOT NULL,
-#     gid INTEGER NOT NULL,
-#     active CHAR(1) DEFAULT 'Y' NOT NULL
-# );
-
-# Database driver: mysql, pgsql, sqlite
-driver = mysql 
-
-# Database connection string. This is driver-specific setting.
-#
-# HA / round-robin load-balancing is supported by giving multiple host
-# settings, like: host=sql1.host.org host=sql2.host.org
-#
-# pgsql:
-#   For available options, see the PostgreSQL documention for the
-#   PQconnectdb function of libpq.
-#   Use maxconns=n (default 5) to change how many connections Dovecot can
-#   create to pgsql.
-#
-# mysql:
-#   Basic options emulate PostgreSQL option names:
-#     host, port, user, password, dbname
-#
-#   But also adds some new settings:
-#     client_flags        - See MySQL manual
-#     ssl_ca, ssl_ca_path - Set either one or both to enable SSL
-#     ssl_cert, ssl_key   - For sending client-side certificates to server
-#     ssl_cipher          - Set minimum allowed cipher security (default: HIGH)
-#     option_file         - Read options from the given file instead of
-#                           the default my.cnf location
-#     option_group        - Read options from the given group (default: client)
-# 
-#   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
-#   Note that currently you can't use spaces in parameters.
-#
-# sqlite:
-#   The path to the database file.
-#
-# Examples:
-#   connect = host=192.168.1.1 dbname=users
-#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
-#   connect = /etc/dovecot/authdb.sqlite
-#
-connect = host=<SQL_HOST> dbname=<SQL_DB> user=<SQL_UNPRIVILEGED_USER> password=<SQL_UNPRIVILEGED_PASSWORD>
-
-# Default password scheme.
-#
-# List of supported schemes is in
-# http://wiki2.dovecot.org/Authentication/PasswordSchemes
-#
-default_pass_scheme = CRYPT
-
-# passdb query to retrieve the password. It can return fields:
-#   password - The user's password. This field must be returned.
-#   user - user@domain from the database. Needed with case-insensitive lookups.
-#   username and domain - An alternative way to represent the "user" field.
-#
-# The "user" field is often necessary with case-insensitive lookups to avoid
-# e.g. "name" and "nAme" logins creating two different mail directories. If
-# your user and domain names are in separate fields, you can return "username"
-# and "domain" fields instead of "user".
-#
-# The query can also return other fields which have a special meaning, see
-# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
-#
-# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
-# for full list):
-#   %u = entire user@domain
-#   %n = user part of user@domain
-#   %d = domain part of user@domain
-# 
-# Note that these can be used only as input to SQL query. If the query outputs
-# any of these substitutions, they're not touched. Otherwise it would be
-# difficult to have eg. usernames containing '%' characters.
-#
-# Example:
-#   password_query = SELECT userid AS user, pw AS password \
-#     FROM users WHERE userid = '%u' AND active = 'Y'
-#
-#password_query = \
-#  SELECT username, domain, password \
-#  FROM users WHERE username = '%n' AND domain = '%d'
-
-# userdb query to retrieve the user information. It can return fields:
-#   uid - System UID (overrides mail_uid setting)
-#   gid - System GID (overrides mail_gid setting)
-#   home - Home directory
-#   mail - Mail location (overrides mail_location setting)
-#
-# None of these are strictly required. If you use a single UID and GID, and
-# home or mail directory fits to a template string, you could use userdb static
-# instead. For a list of all fields that can be returned, see
-# http://wiki2.dovecot.org/UserDatabase/ExtraFields
-#
-# Examples:
-#   user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
-#   user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
-#   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
-#
-#user_query = \
-#  SELECT home, uid, gid \
-#  FROM users WHERE username = '%n' AND domain = '%d'
-user_query = SELECT CONCAT(homedir, maildir) AS home, CONCAT('maildir:', homedir, maildir) AS mail, uid, gid, CONCAT('*:storage=', (quota*1024)) as quota_rule FROM mail_users WHERE (username = '%u' OR email = '%u')
-
-# If you wish to avoid two SQL lookups (passdb + userdb), you can use
-# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
-# also have to return userdb fields in password_query prefixed with "userdb_"
-# string. For example:
-#password_query = \
-#  SELECT userid AS user, password, \
-#    home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
-#  FROM users WHERE userid = '%u'
-password_query = SELECT username AS user, password_enc AS password, CONCAT(homedir, maildir) AS userdb_home, uid AS userdb_uid, gid AS userdb_gid,  CONCAT('maildir:', homedir, maildir) AS userdb_mail, CONCAT('maildir:storage=', (quota*1024)) as userdb_quota FROM mail_users WHERE (username = '%u' OR email = '%u') AND ((imap = 1 AND '%Ls' = 'imap') OR (pop3 = 1 AND '%Ls' = 'pop3') OR '%Ls' = 'smtp' OR '%Ls' = 'sieve')
-
-# Query to get a list of all usernames.
-#iterate_query = SELECT username AS user FROM users
-]]>
-							</content>
-						</file>
-						<file name="/etc/dovecot/conf.d/10-auth.conf" chown="root:0"
-							chmod="0640" backup="true">
-							<content><![CDATA[
-##
-## Authentication processes
-##
-
-# Disable LOGIN command and all other plaintext authentications unless
-# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
-# matches the local IP (ie. you're connecting from the same computer), the
-# connection is considered secure and plaintext authentication is allowed.
-disable_plaintext_auth = no
-
-# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
-# bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
-#auth_cache_size = 0
-# Time to live for cached data. After TTL expires the cached record is no
-# longer used, *except* if the main database lookup returns internal failure.
-# We also try to handle password changes automatically: If user's previous
-# authentication was successful, but this one wasn't, the cache isn't used.
-# For now this works only with plaintext authentication.
-#auth_cache_ttl = 1 hour
-# TTL for negative hits (user not found, password mismatch).
-# 0 disables caching them completely.
-#auth_cache_negative_ttl = 1 hour
-
-# Space separated list of realms for SASL authentication mechanisms that need
-# them. You can leave it empty if you don't want to support multiple realms.
-# Many clients simply use the first one listed here, so keep the default realm
-# first.
-#auth_realms =
-
-# Default realm/domain to use if none was specified. This is used for both
-# SASL realms and appending @domain to username in plaintext logins.
-#auth_default_realm = 
-
-# List of allowed characters in username. If the user-given username contains
-# a character not listed in here, the login automatically fails. This is just
-# an extra check to make sure user can't exploit any potential quote escaping
-# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
-# set this value to empty.
-#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
-
-# Username character translations before it's looked up from databases. The
-# value contains series of from -> to characters. For example "#@/@" means
-# that '#' and '/' characters are translated to '@'.
-#auth_username_translation =
-
-# Username formatting before it's looked up from databases. You can use
-# the standard variables here, eg. %Lu would lowercase the username, %n would
-# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
-# "-AT-". This translation is done after auth_username_translation changes.
-#auth_username_format = %Lu
-
-# If you want to allow master users to log in by specifying the master
-# username within the normal username string (ie. not using SASL mechanism's
-# support for it), you can specify the separator character here. The format
-# is then <username><separator><master username>. UW-IMAP uses "*" as the
-# separator, so that could be a good choice.
-#auth_master_user_separator =
-
-# Username to use for users logging in with ANONYMOUS SASL mechanism
-#auth_anonymous_username = anonymous
-
-# Maximum number of dovecot-auth worker processes. They're used to execute
-# blocking passdb and userdb queries (eg. MySQL and PAM). They're
-# automatically created and destroyed as needed.
-#auth_worker_max_count = 30
-
-# Host name to use in GSSAPI principal names. The default is to use the
-# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
-# entries.
-#auth_gssapi_hostname =
-
-# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
-# default (usually /etc/krb5.keytab) if not specified. You may need to change
-# the auth service to run as root to be able to read this file.
-#auth_krb5_keytab = 
-
-# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
-# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
-#auth_use_winbind = no
-
-# Path for Samba's ntlm_auth helper binary.
-#auth_winbind_helper_path = /usr/bin/ntlm_auth
-
-# Time to delay before replying to failed authentications.
-#auth_failure_delay = 2 secs
-
-# Require a valid SSL client certificate or the authentication fails.
-#auth_ssl_require_client_cert = no
-
-# Take the username from client's SSL certificate, using 
-# X509_NAME_get_text_by_NID() which returns the subject's DN's
-# CommonName. 
-#auth_ssl_username_from_cert = no
-
-# Space separated list of wanted authentication mechanisms:
-#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
-#   gss-spnego
-# NOTE: See also disable_plaintext_auth setting.
-auth_mechanisms = plain login
-
-##
-## Password and user databases
-##
-
-#
-# Password database is used to verify user's password (and nothing more).
-# You can have multiple passdbs and userdbs. This is useful if you want to
-# allow both system users (/etc/passwd) and virtual users to login without
-# duplicating the system users into virtual database.
-#
-# <doc/wiki/PasswordDatabase.txt>
-#
-# User database specifies where mails are located and what user/group IDs
-# own them. For single-UID configuration use "static" userdb.
-#
-# <doc/wiki/UserDatabase.txt>
-
-#!include auth-deny.conf.ext
-#!include auth-master.conf.ext
-
 #!include auth-system.conf.ext
 !include auth-sql.conf.ext
 #!include auth-ldap.conf.ext
diff --git a/lng/english.lng.php b/lng/english.lng.php
index fab1c54a..f698bb46 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -1727,7 +1727,7 @@ $lng['domains']['serveraliasoption_www'] = 'WWW (www.domain.tld)';
 $lng['domains']['serveraliasoption_none'] = 'No alias';
 $lng['error']['givendirnotallowed'] = 'The given directory in field %s is not allowed.';
 $lng['serversettings']['ssl']['ssl_cipher_list']['title'] = 'Configure the allowed SSL ciphers';
-$lng['serversettings']['ssl']['ssl_cipher_list']['description'] = 'This is a list of ciphers that you want (or don\'t want) to use when talking SSL. For a list of ciphers and how to include/exclude them, see sections "CIPHER LIST FORMAT" and "CIPHER STRINGS" on <a href="http://openssl.org/docs/apps/ciphers.html">the man-page for ciphers</a>.<br /><br /><b>Default value is:</b><pre>ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH</pre>';
+$lng['serversettings']['ssl']['ssl_cipher_list']['description'] = 'This is a list of ciphers that you want (or don\'t want) to use when talking SSL. For a list of ciphers and how to include/exclude them, see sections "CIPHER LIST FORMAT" and "CIPHER STRINGS" on <a href="http://openssl.org/docs/apps/ciphers.html">the man-page for ciphers</a>.<br /><br /><b>Default value is:</b><pre>ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128</pre>';
 
 // Added in Froxlor 0.9.31
 $lng['panel']['dashboard'] = 'Dashboard';
diff --git a/lng/german.lng.php b/lng/german.lng.php
index bd5e8027..80e8d5e6 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1454,7 +1454,7 @@ $lng['domains']['serveraliasoption_www'] = 'www (www.domain.tld)';
 $lng['domains']['serveraliasoption_none'] = 'Kein Alias';
 $lng['error']['givendirnotallowed'] = 'Das angegebene Verzeichnis im Feld %s ist nicht erlaubt.';
 $lng['serversettings']['ssl']['ssl_cipher_list']['title'] = 'Erlaubte SSL Ciphers festlegen';
-$lng['serversettings']['ssl']['ssl_cipher_list']['description'] = 'Dies ist eine Liste von Ciphers die genutzt werden sollen (oder auch nicht genutzt werden sollen) wenn eine SSL Verbindung besteht. Eine Liste aller Ciphers und wie diese hinzugefügt/ausgeschlossen werden ist in den Abschnitten "CIPHER LIST FORMAT" und "CIPHER STRINGS" in <a href="http://openssl.org/docs/apps/ciphers.html">der man-page für Ciphers</a> zu finden.<br /><br /><b>Standard-Wert ist:</b><pre>ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH</pre>';
+$lng['serversettings']['ssl']['ssl_cipher_list']['description'] = 'Dies ist eine Liste von Ciphers die genutzt werden sollen (oder auch nicht genutzt werden sollen) wenn eine SSL Verbindung besteht. Eine Liste aller Ciphers und wie diese hinzugefügt/ausgeschlossen werden ist in den Abschnitten "CIPHER LIST FORMAT" und "CIPHER STRINGS" in <a href="http://openssl.org/docs/apps/ciphers.html">der man-page für Ciphers</a> zu finden.<br /><br /><b>Standard-Wert ist:</b><pre>ECDH+AESGCM:ECDH+AES256:!aNULL:!MD5:!DSS:!DH:!AES128</pre>';
 
 // Added in Froxlor 0.9.31
 $lng['panel']['dashboard'] = 'Dashboard';