The Community Forums


Disabling Exim SSLv2

Discussion in 'Security' started by Spork Schivago, Nov 2, 2016.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    514
    Likes Received:
    54
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Hi,

    I run WHM / cPanel on a CentOS 6.8 Final server and I'd like to know if there's a way to disable SSLv2 for Exim. I am trying to make my server a bit more secure. I received an audit scan today that shows SSLv2 is enabled on port 465, and netstat -anp | grep 465 shows:
    Code:
    tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      12314/exim
    
    From the audit scan, I see:
    Code:
    This SSLv2 server does not accept SSLv3 connections.
    This SSLv2 server also accepts TLSv1 connections.
    Recommended Solution:
    Usage of weak ciphers should be avoided.
    
    For port 443:
    Code:
    Here is the list of SSL ciphers supported by the remote server:
    - High Strength Ciphers (>= 112-bit key)
    * TLSv1 - EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 
    * TLSv1 - DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 
    * TLSv1 - DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 
    * TLSv1 - n/a Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1 
    * TLSv1 - n/a Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1 
    * TLSv1 - n/a Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 
    * TLSv1 - DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 
    * TLSv1 - AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 
    * TLSv1 - AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 
    
    Can I somehow create a similar setup for Exim? I'm sorry if this is a really basic question. I'm still in the process of learning everything. I'm running WHM / cPanel 60.0.15.

    Under Exim Configuration Manager, I have
    Code:
    Allow weak SSL/TLS ciphers    off
    
    Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server.   on
    
    I would have thought that this would disable SSLv2. Am I doing something wrong?

    Thanks.
     
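As an added example (not code from this thread, from cPanel or from Exim), here is a small Python script that reads scanner output in the format quoted in the post above, pulls the offered protocols out of the "This SSLv2 server ..." banner, parses each cipher line, and flags anything that would fail a modern policy. Everything in it beyond the quoted lines is an assumption: the sample input is constructed from the post's own lines plus two invented SSLv2/SSLv3 entries so the failing case is visible, the policy is stricter than the scanner's "High Strength" bucket (it also flags 3DES and non-PFS-irrelevant MD5 MACs), and the suggested directive is Exim's `openssl_options` main-configuration option, which on cPanel is set through the Exim Configuration Manager's Advanced Editor.

```python
"""Read an SSL audit scan (Nessus-style text) and flag obsolete protocols
and weak ciphers.  Added example; the policy thresholds are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample input: the port 465 banner and a subset of the port 443
# cipher list quoted in the post, plus two SSLv2/SSLv3 lines invented here.
SAMPLE_SCAN = """\
This SSLv2 server does not accept SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
Here is the list of SSL ciphers supported by the remote server:
- High Strength Ciphers (>= 112-bit key)
* TLSv1 - EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
* TLSv1 - DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
* TLSv1 - n/a Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
* SSLv2 - RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
* SSLv3 - DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""

PROTO = r"(?:SSLv\d|TLSv[\d.]+)"
BANNER_RE = re.compile(rf"This (?P<p>{PROTO}) server")
ACCEPTS_RE = re.compile(rf"also accepts (?P<p>{PROTO}) connections")
REFUSES_RE = re.compile(rf"does not accept (?P<p>{PROTO}) connections")
# One cipher line: "* <proto> - <name> Kx=.. Au=.. Enc=<alg>(<bits>) Mac=.."
CIPHER_RE = re.compile(
    r"^\*\s+(?P<proto>\S+)\s+-\s+(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_ENC = {"RC4", "DES", "NULL"}   # anything under 112 bits is weak too
WEAK_MAC = {"MD5"}
# Exim main-config directive that stops Exim offering SSLv2/SSLv3 (assumed
# to be the right place to apply the fix on a cPanel box via the Advanced Editor).
EXIM_FIX = "openssl_options = +no_sslv2 +no_sslv3"


@dataclass
class Cipher:
    proto: str
    name: str
    kx: str
    au: str
    enc: str
    bits: int
    mac: str


def protocols_from_banner(text):
    """Return (offered, refused) protocol sets from the scanner's prose banner."""
    offered, refused = set(), set()
    for line in text.splitlines():
        for rx, bucket in ((BANNER_RE, offered), (ACCEPTS_RE, offered),
                           (REFUSES_RE, refused)):
            m = rx.search(line)
            if m:
                bucket.add(m.group("p"))
    return offered, refused


def parse_ciphers(text):
    """Parse every '* proto - name Kx=... ' line into a Cipher."""
    out = []
    for line in text.splitlines():
        m = CIPHER_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"])
            out.append(Cipher(**d))
    return out


def problems(c):
    """Reasons this cipher fails the policy (empty list means it passes)."""
    reasons = []
    if c.proto in OBSOLETE_PROTOCOLS:
        reasons.append(f"{c.proto} is obsolete")
    if c.enc in WEAK_ENC or c.bits < 112:
        reasons.append(f"{c.enc}({c.bits}) is a weak cipher")
    if c.enc == "3DES":
        reasons.append("3DES has a 64-bit block (Sweet32)")
    if c.mac in WEAK_MAC:
        reasons.append(f"{c.mac} MAC is weak")
    return reasons


def audit(text):
    """Split parsed ciphers into (failing [(cipher, reasons)], passing [cipher])."""
    failing, passing = [], []
    for c in parse_ciphers(text):
        r = problems(c)
        if r:
            failing.append((c, r))
        else:
            passing.append(c)
    return failing, passing


def report(text):
    """Human-readable summary, ending with the Exim fix if SSLv2/3 is offered."""
    offered, refused = protocols_from_banner(text)
    failing, passing = audit(text)
    lines = [f"protocols offered: {', '.join(sorted(offered)) or 'none stated'}",
             f"protocols refused: {', '.join(sorted(refused)) or 'none stated'}"]
    for p in sorted(offered & OBSOLETE_PROTOCOLS):
        lines.append(f"FAIL: server still accepts {p}")
    for c, reasons in failing:
        lines.append(f"FAIL: {c.proto} {c.name}: " + "; ".join(reasons))
    for c in passing:
        lines.append(f"ok:   {c.proto} {c.name}")
    if offered & OBSOLETE_PROTOCOLS:
        lines.append("Exim fix: " + EXIM_FIX)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SCAN))
```

The two toggles mentioned in the post ("Allow weak SSL/TLS ciphers" and the STARTTLS-before-AUTH requirement) govern cipher selection and authentication; the protocol versions Exim will negotiate are controlled separately by `openssl_options`, which is why the scan can still report SSLv2 with both toggles set. After changing it, confirm with the scanner's retest rather than only a local `openssl s_client` run, because many distribution OpenSSL builds are compiled without SSLv2 and cannot probe for it at all.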
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. Spork Schivago

    Spork Schivago Well-Known Member

    I should have updated you sooner, but I've been waiting for the next free weekly scan to see if the problem is now fixed. I believe I ran across a similar page (a thread) that described the PCI Compliance solution for Exim. I've since implemented it. I'm pretty certain it has fixed my issue. I just have to wait until my server is scanned again to see.
     