The Community Forums


Disabling insecure SSLv2 in exim SMTPs?

Discussion in 'E-mail Discussions' started by bkusnir, Dec 6, 2006.

  1. bkusnir (Member, joined Aug 8, 2003)

    Port 465. Anyone know how? I need to do this (and everyone should) due to known cryptographic flaws in SSL 2.0 protocol and also to pass an audit test.
     
  2. justin samuel (Registered, joined Mar 17, 2006)
    Hi,

    To limit smtps to SSLv3 and TLS, add the following to /etc/exim.conf

    Code:
    tls_require_ciphers = SSLv3:TLS
    And then restart exim.

    You can then test with the following command:

    Code:
    openssl s_client -ssl2 -connect your.hostname.com:465
    Try that using each of the following: -ssl2, -ssl3 and -tls1. It should now only work when using -ssl3 or -tls1. It should fail when you use -ssl2; you'll see something like this at the end and it will drop your connection:

    Code:
    28120:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
     
  3. justin samuel (Registered, joined Mar 17, 2006)
    Oh, and if you need to do the same for pop3s and imaps, edit the following two files:

    /usr/lib/courier-imap/etc/pop3d-ssl
    /usr/lib/courier-imap/etc/imapd-ssl

    and set the following in each (the directive is probably there and commented out, but you don't want to use what that one is set to):

    Code:
    TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
    Then restart courier-imap and test the same way as above, except using ports 993 and 995 instead of 465.
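
    The test procedure from the two posts above, as an added example that is not from the thread: a small POSIX sh script that runs the same openssl s_client probes against all three ports (465, 993, 995) with each protocol flag and reports which versions each port still accepts. The hostname is a placeholder argument; the classification rules are assumptions based on what s_client prints, and newer openssl builds no longer accept -ssl2/-ssl3 at all, which the script reports as "unsupported".

    ```shell
    #!/bin/sh
    # Added example (not from the thread): audit your own mail host's TLS ports
    # with the openssl s_client flags used above. HOST is a placeholder.
    HOST="${1:-mail.example.com}"
    PORTS="465 993 995"            # smtps, imaps, pop3s
    PROTOS="-ssl2 -ssl3 -tls1"     # flags from the thread; modern openssl lacks -ssl2/-ssl3

    # Classify one captured s_client transcript.
    # A completed handshake prints "Cipher is <name>"; a refused protocol prints
    # "Cipher is (NONE)" or an "SSL routines" error such as "no cipher list";
    # an openssl build without the flag prints "Unknown option".
    classify() {
        out="$1"
        if printf '%s\n' "$out" | grep -qi 'unknown option'; then
            echo unsupported
        elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
            echo rejected
        elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
            echo accepted
        else
            echo rejected          # covers "SSL routines:...:no cipher list" and a dropped connection
        fi
    }

    # Run one probe; stdin is closed so s_client exits right after the handshake.
    probe() {
        host="$1"; port="$2"; flag="$3"
        out=$(openssl s_client "$flag" -connect "$host:$port" </dev/null 2>&1)
        classify "$out"
    }

    # Probe every port with every flag; exit non-zero if SSLv2 is still accepted anywhere.
    main() {
        rc=0
        for p in $PORTS; do
            for f in $PROTOS; do
                r=$(probe "$HOST" "$p" "$f")
                printf '%s:%s %-6s %s\n' "$HOST" "$p" "$f" "$r"
                if [ "$f" = -ssl2 ] && [ "$r" = accepted ]; then rc=1; fi
            done
        done
        return $rc
    }

    # Only run the network probes when a hostname was given on the command line.
    if [ "$#" -gt 0 ]; then main; fi
    ```

    Run it as `sh probe-ssl2.sh your.hostname.com`; a port that still negotiates with -ssl2 shows "accepted" and makes the script exit 1.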
     
  4. payne (Well-Known Member, joined May 31, 2003, Seattle)

    Thanks for the tip. I was able to shut it off on exim, but not on the 995/993 ports. I don't have the /usr/lib/courier... directory. How else would I find what config file is used on my system for these ports?
     
  5. payne (Well-Known Member, joined May 31, 2003, Seattle)

    ah... /scripts/convert2maildir
     