Spork Schivago

Well-Known Member
Jan 21, 2016
corning, ny
cPanel Access Level
Root Administrator
Hi,

I run WHM / cPanel on a CentOS 6.8 Final server and I'd like to know if there's a way to disable SSLv2 for exim. I am trying to make my server a bit more secure. I received an audit scan today that shows SSLv2 is enabled on port 465 and netstat -anp | grep 465 shows:
Code:
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      12314/exim
From the audit scan, I see:
Code:
This SSLv2 server does not accept SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
Recommended Solution:
Usage of weak ciphers should be avoided.
For port 443:
Code:
Here is the list of SSL ciphers supported by the remote server:
- High Strength Ciphers (>= 112-bit key)
* TLSv1 - EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 
* TLSv1 - DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 
* TLSv1 - DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 
* TLSv1 - n/a Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1 
* TLSv1 - n/a Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1 
* TLSv1 - n/a Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 
* TLSv1 - DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 
* TLSv1 - AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 
* TLSv1 - AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
Can I somehow create a similar setup for exim? I'm sorry if this is a really basic question. I'm still in the process of learning everything. I'm running 60.0.15 of WHM / cPanel.

Under Exim Configuration Manager, I have
Code:
Allow weak SSL/TLS ciphers    off

Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server.   on
I would have thought that this would disable SSLv2. Am I doing something wrong?

Thanks.
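As an added example (not from the original post, and not a cPanel or Exim tool), here is a small Python parser for the cipher-listing format the audit scan above uses, with the checks a defender would want to run over it: it flags suites negotiated over SSLv2/SSLv3, legacy encryption such as 3DES or RC4, keys shorter than the scanner's own 112-bit threshold, MD5 MACs, and static-RSA key exchange (no forward secrecy). The sample listing is constructed; its SSLv2 line is made up to exercise the obsolete-protocol check, since the port-443 list in the post contains only TLSv1 suites.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the audit listing quoted in the post.
# The SSLv2/RC4 line is made up here so the obsolete-protocol path is
# exercised; the real scan in the post lists only TLSv1 suites for port 443.
SAMPLE_SCAN = """\
Here is the list of SSL ciphers supported by the remote server:
- Low Strength Ciphers (< 56-bit key)
* SSLv2 - EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
- High Strength Ciphers (>= 112-bit key)
* TLSv1 - EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
* TLSv1 - DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
* TLSv1 - n/a Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
* TLSv1 - AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
"""

# One "* PROTO - NAME Kx=... Au=... Enc=ALG(bits) Mac=..." line of the listing.
LINE_RE = re.compile(
    r"^\*\s+(?P<proto>\S+)\s+-\s+(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)\s*$"
)

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
LEGACY_ENCRYPTION = {"NULL", "DES", "3DES", "RC4", "RC2", "IDEA", "SEED"}
WEAK_MACS = {"MD5"}
MIN_KEY_BITS = 112  # the scanner's own "high strength" threshold


@dataclass
class Cipher:
    proto: str
    name: str
    kx: str
    au: str
    enc: str
    bits: int
    mac: str


def parse_scan(text: str) -> list[Cipher]:
    """Return every cipher line of the listing; strength headers and other lines are skipped."""
    ciphers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ciphers.append(Cipher(m["proto"], m["name"], m["kx"], m["au"],
                                  m["enc"], int(m["bits"]), m["mac"]))
    return ciphers


def assess(c: Cipher) -> list[str]:
    """Reasons this suite would be flagged; an empty list means nothing to report."""
    reasons = []
    if c.proto in OBSOLETE_PROTOCOLS:
        reasons.append(f"obsolete protocol {c.proto}")
    if c.enc in LEGACY_ENCRYPTION:
        reasons.append(f"legacy cipher {c.enc}")
    if c.bits < MIN_KEY_BITS:
        reasons.append(f"short key ({c.bits} bits)")
    if c.mac in WEAK_MACS:
        reasons.append(f"weak MAC {c.mac}")
    # Static RSA key exchange (Kx=RSA, including export-grade RSA(512)) gives no
    # forward secrecy; the DH/ECDH entries in this listing are the ephemeral forms.
    if c.kx.startswith("RSA"):
        reasons.append("no forward secrecy (RSA key exchange)")
    return reasons


def audit(text: str) -> list[tuple[Cipher, list[str]]]:
    """Parse a listing and return only the suites that carry at least one finding."""
    findings = []
    for c in parse_scan(text):
        reasons = assess(c)
        if reasons:
            findings.append((c, reasons))
    return findings


def offers_obsolete_protocol(text: str) -> bool:
    """True if any listed suite is negotiated over SSLv2 or SSLv3."""
    return any(c.proto in OBSOLETE_PROTOCOLS for c in parse_scan(text))


if __name__ == "__main__":
    for cipher, reasons in audit(SAMPLE_SCAN):
        print(f"{cipher.proto:6} {cipher.name:24} -> {'; '.join(reasons)}")
    print("obsolete protocol offered:", offers_obsolete_protocol(SAMPLE_SCAN))
```

Paste the cipher section of the next weekly scan (for port 465 as well as 443) into `SAMPLE_SCAN` or feed it via `audit()` to confirm that no SSLv2 or SSLv3 entry remains after the Exim change; the rule set is a conservative reading of the scanner's own "usage of weak ciphers should be avoided" note, and CBC suites with SHA1 MACs are deliberately not flagged because the scan itself rates them as high strength.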
 

Spork Schivago
I should have updated you sooner but I've been waiting for the next free weekly scan to see if the problem is now fixed. I believe I ran across a similar page (a thread) that described the PCI Compliance solution for Exim. I've since implemented it. I'm pretty certain it has fixed my issue. I just have to wait until my server is scanned again to see.