cPAdminsMichael (Well-Known Member; joined Dec 19, 2016; 186 / 67 / 153; Denmark; cPanel Access Level: Root Administrator):
Hi guys,

Now my time for a question :)

I got a good question from a client.
According to the "new" GDPR policy in EU, companies are obligated to enforce TLS1.2 in all mail communication that includes PII from client to destination mailserver.

cPanel by default requires TLS1.2 for authenticating, so the connection from client to cPanel mailserver is always encrypted with TLS1.2, but there is - to my knowledge - no feature to enforce/require TLS1.2 to the destination mailserver.

I know that you can configure Exim, e.g. by using hosts_require_tls, to require TLS for certain domains, etc. - just wondering if any of you have tried this out or have a working solution?

Thanks! ;)

cPRex (Jurassic Moderator, Staff member; joined Oct 19, 2014; 14,359 / 2,249 / 363; cPanel Access Level: Root Administrator):
Hey there! You're correct that most of the options in WHM handle messages being sent by users through Exim, but there isn't much for general messages coming into the machine.

One of my colleagues and I are going to break two mailservers to see if we can replicate this - I'll post back soon once I have more details.

cPRex:
While looking into this, I found that cPanel is already set up by default to only use TLS 1.2 as of version 86, so as long as you have not customized the cipher list or have enabled weak ciphers, your server will do this by default.

We have the following listed in our documentation page here: How to Update Ciphers and TLS Protocols | cPanel & WHM Documentation

"cPanel & WHM supports Transport Layer Security (TLS) protocol version 1.2 and Transport Layer Security (TLS) protocol version 1.3:
Beginning in cPanel and WHM version 86, cPanel & WHM only supports TLSv1.2 or newer. The system also enables TLSv1.2 by default."

cPAdminsMichael:
Hi, yes, I know that TLS 1.2 is the default and it's enabled by default... but... it's not forced. So users/servers are still able to SMTP in plaintext :)

cPRex:
By default, I see this on modern cPanel servers in the WHM >> Exim Configuration Manager:

Code:
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
so that would indicate no older versions are accepted.

Do you also have the "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server" option enabled?

cPAdminsMichael:
Hi,

I think you misunderstand - or maybe I'm not clear enough :)
I'm not talking about enforcing certain TLS/SSL versions, I'm talking about enforcing TLS/SSL in general to not allow plaintext SMTP at all.
E.g. right now, I'm able to telnet to port 25 directly on a mail/cPanel server without initiating a STARTTLS session - allowing me to send a mail via plaintext SMTP... which actually is not "allowed" with GDPR in Europe.
With GDPR we'd need to enforce SMTP encryption both for outgoing and incoming mails..

cPAdminsMichael:
But isn't that just for Dovecot and for authentication?

cPRex:
That's correct, that would be just for Dovecot.

When I check my personal machine, I'm not seeing the AUTH option listed after connecting with telnet:

Code:
[[email protected] ~]# telnet x.x.x.x 25
Trying x.x.x.x...
Connected to domain.com.
Escape character is '^]'.
220-host.domain.com ESMTP Exim 4.94.2 #2 Tue, 21 Sep 2021 14:46:22 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
ehlo
250-host.domain.com Hello test.server.com [10.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-STARTTLS
250 HELP
Without the server advertising the AUTH command, users would get an error when trying to use it:

Code:
auth login
503 AUTH command used when not advertised
so I believe that is already secured by default.
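The telnet check above can be turned into a repeatable audit of your own server. The following is an added example, not cPanel's or Exim's code: it parses a multi-line EHLO reply (the one pasted above is embedded as a constructed sample), reports whether STARTTLS is advertised and whether any AUTH mechanisms are offered on the still-unencrypted session, and includes an optional live check built on the standard-library smtplib that records capabilities before and after STARTTLS. Note that this only verifies what the server advertises to authenticating clients; it does not, by itself, tell you whether unauthenticated inbound mail on port 25 is accepted without TLS, which is the separate question raised earlier in the thread.

```python
"""Audit an SMTP listener's EHLO capabilities for TLS enforcement.

Added example for this thread; not cPanel's or Exim's own code.
"""
import smtplib
import ssl
from dataclasses import dataclass

# Constructed sample: the EHLO reply from the telnet transcript in this thread.
SAMPLE_EHLO_REPLY = """250-host.domain.com Hello test.server.com [10.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-STARTTLS
250 HELP"""

# Constructed sample of the misconfiguration being discussed: AUTH offered
# before the session is encrypted, so credentials could travel in the clear.
SAMPLE_EHLO_AUTH_IN_CLEAR = """250-host.example Hello client.example [192.0.2.10]
250-SIZE 52428800
250-STARTTLS
250-AUTH PLAIN LOGIN
250 HELP"""


@dataclass
class EhloReport:
    extensions: dict          # EXTENSION keyword -> parameter string
    starttls_offered: bool    # True if the server advertised STARTTLS
    auth_before_tls: tuple    # AUTH mechanisms advertised on the plaintext session


def parse_ehlo(reply: str) -> dict:
    """Parse a 250 EHLO reply into {EXTENSION: parameters}.

    The first line is the greeting ("250-host Hello ...") and is skipped.
    Each remaining line is "250-KEYWORD [params]" or, for the last one,
    "250 KEYWORD [params]". Keywords are normalised to upper case.
    """
    exts = {}
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:
        if not ln.startswith("250"):
            continue  # tolerate stray lines in a pasted transcript
        body = ln[4:].strip()  # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        exts[keyword.upper()] = params.strip()
    return exts


def assess_ehlo(reply: str) -> EhloReport:
    """Summarise a pre-STARTTLS EHLO reply from a TLS-enforcement point of view."""
    exts = parse_ehlo(reply)
    mechanisms = tuple(exts["AUTH"].split()) if "AUTH" in exts else ()
    return EhloReport(exts, "STARTTLS" in exts, mechanisms)


def findings(report: EhloReport) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    out = []
    if not report.starttls_offered:
        out.append("STARTTLS not advertised: the session cannot be upgraded to TLS")
    if report.auth_before_tls:
        out.append("AUTH advertised before STARTTLS: " + " ".join(report.auth_before_tls))
    return out


def live_check(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to a server you administer and record EHLO capabilities
    before and after STARTTLS. Not called at import time; run it yourself."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = dict(s.esmtp_features)       # smtplib stores lowercase keywords
        if "starttls" not in pre:
            return {"starttls_offered": False, "pre": pre, "post": None}
        s.starttls(context=ctx)            # upgrades the socket to TLS
        s.ehlo()                           # capabilities must be re-read after TLS
        post = dict(s.esmtp_features)
    return {"starttls_offered": True, "pre": pre, "post": post,
            "auth_in_clear": pre.get("auth", "").split()}


if __name__ == "__main__":
    for name, sample in (("thread transcript", SAMPLE_EHLO_REPLY),
                         ("auth in clear", SAMPLE_EHLO_AUTH_IN_CLEAR)):
        print(name, "->", findings(assess_ehlo(sample)) or ["no findings"])
```

Running the module prints no findings for the transcript from this thread (STARTTLS offered, no AUTH on the plaintext session) and flags the constructed second sample. `live_check("mail.example", 25)` does the same against a running server; the `auth_in_clear` key of its result is what should be empty if the "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate" setting is doing its job.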