cPanel keeps turning SSL3 back on for IMAP and POP

[ryodo]

Hi All -
I've changed the settings for IMAP and POP TLS/SSL Protocols in the Mailserver Configuration panel to specify "Only permit TLSv1.0 connections", and this successfully turns off SSL3 for our PCI scans, while leaving the SSL3 cipher in place, since it's actually used by TLS.
However, for some unknown reason they keep reverting to "Permit SSL v2 or v3 connections and TLS v.1x connections". I'm guessing this happens during reboots or the automated system upgrades. And of course, causes the next PCI scan to fail.

Can anyone direct me to the scripts that would need to be updated to prevent this reversion?
Thanks in advance!

 

[cPanelMichael]

Hello

Could you let us know which mail server you are using, and the version of cPanel installed on your system?

Thank you.

 

[ryodo]

We're running WHM 11.50.0, with Courier being the mail server. Thank you for looking into this. I haven't kept track to see when it's actually switching back to SSL3, so my assumption has been it occurs when the server updates itself or restarts. It hasn't switched since I posted my comment here. Could this have been fixed in 11.50?

 

[cPanelMichael]

It hasn't switched since I posted my comment here. Could this have been fixed in 11.50?

It's possible, but I don't see any internal cases included with cPanel version 11.50 referencing this issue. Feel free to let us know if you encounter any additional problems.

Thank you.

 

[ryodo]

OK, problem came back. We're now running WHM 11.52.2, and when we did our PCI scan last week it showed that the mailserver configuration had gone back to accepting both SSL3V3 and TLS 1.0. My conclusion is that when cPanel updates WHM it is getting set back to the default of SSL3V3.
cPanel people - please look into this!

 

[cPanelMichael]

with Courier being the mail server

Could you switch to Dovecot and verify if the issue persists? Courier is deprecated in cPanel version 11.52, and completely removed in cPanel version 54.

Thank you.