Disabling insecure SSLv2 in exim SMTPs?

bkusnir

Member
Aug 8, 2003
Port 465. Anyone know how? I need to do this (and everyone should) due to known cryptographic flaws in the SSL 2.0 protocol and also to pass an audit test.
 

justin samuel

Registered
Mar 17, 2006
Hi,

To limit smtps to SSLv3 and TLS, add the following to /etc/exim.conf

Code:
tls_require_ciphers = SSLv3:TLS
And then restart exim.

You can then test with the following command:

Code:
openssl s_client -ssl2 -connect your.hostname.com:465
Try that using each of the following: -ssl2, -ssl3 and -tls1. It should now only work when using -ssl3 or -tls1. It should fail when you use -ssl2; you'll see something like this at the end and it will drop your connection:

Code:
28120:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
 

justin samuel

Registered
Mar 17, 2006
Oh, and if you need to do the same for pop3s and imaps, edit the following two files:

/usr/lib/courier-imap/etc/pop3d-ssl
/usr/lib/courier-imap/etc/imapd-ssl

and set the following in each (the directive is probably there and commented out, but you don't want to use what that one is set to):

Code:
TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
then restart courier-imap and test the same way as above, except using ports 993 and 995 instead of 465.
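An audit helper, added here and not from either of the two replies above, that runs the same `openssl s_client` checks against ports 465, 993 and 995 with each protocol flag and classifies the outcome, so the whole mail stack can be re-checked after a config change; it assumes an `openssl` binary on PATH, and the sample outputs at the bottom are constructed for offline use (the SSLv2 error line is the one quoted in the thread).

```python
"""Audit helper (added example, not from the thread): probe the mail ports with each protocol flag."""
import re
import subprocess
import sys

# Flags handed to s_client; newer OpenSSL builds lack -ssl2/-ssl3, which
# the probe reports as "untestable" rather than silently as a pass.
PROTOCOL_FLAGS = ("-ssl2", "-ssl3", "-tls1", "-tls1_1", "-tls1_2")

# Strings old and new OpenSSL clients print when the server refuses a version.
FAILURE_PATTERNS = (
    "no cipher list",  # SSLv2 refusal quoted in the thread
    "handshake failure",
    "wrong version number",
    "unsupported protocol",
)

def classify(output: str) -> str:
    """Map s_client stdout+stderr to 'accepted', 'rejected' or 'untestable'."""
    if re.search(r"unknown option", output, re.IGNORECASE):
        return "untestable"  # this openssl build lacks the flag
    if any(p in output for p in FAILURE_PATTERNS):
        return "rejected"
    # A completed handshake prints "Cipher is <name>"; "(NONE)" means no session.
    if re.search(r"Cipher is (?!\(NONE\))\S+", output):
        return "accepted"
    return "rejected"

def probe(host: str, port: int, flag: str, timeout: float = 10.0) -> str:
    """Run one s_client handshake attempt and classify its output."""
    cmd = ["openssl", "s_client", flag, "-connect", f"{host}:{port}"]
    try:
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "untestable"
    return classify((proc.stdout + proc.stderr).decode("utf-8", "replace"))

def audit(host: str, ports=(465, 993, 995)) -> dict:
    """Return {port: {flag: verdict}}; 'accepted' on -ssl2 or -ssl3 is a finding."""
    return {p: {f: probe(host, p, f) for f in PROTOCOL_FLAGS} for p in ports}

# Constructed sample outputs so classify() can be exercised offline.
SAMPLE_SSL2_REJECTED = "28120:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:\n"
SAMPLE_TLS1_ACCEPTED = "CONNECTED(00000003)\nNew, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA\n"
SAMPLE_UNKNOWN_FLAG = "s_client: Unknown option: -ssl2\n"

if __name__ == "__main__":
    for port, verdicts in audit(sys.argv[1]).items():
        print(port, verdicts)
```

Run it as `python audit.py your.hostname.com`; an "untestable" verdict for -ssl2 means the local OpenSSL cannot speak that version, so it proves nothing about the server.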
 

payne

Well-Known Member
May 31, 2003
thanks for the tip. I was able to shut it off on exim, but not on the 995/993 ports. I don't have the /usr/lib/courier... directory. How else would I find what config file is used on my system for these ports?