Exim TLS configuration

lautrivta

Member
Oct 25, 2015
8
0
1
Vienna, AT
cPanel Access Level
Reseller Owner
On all smtp ports, ie 25, 465 and 587 TLS is not PCI DSS compliant

I need to remove

TLS_RSA_WITH_IDEA_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

I have to add

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256

And I have to switch off CLIENT-INITIATED SECURE RENEGOTIATION .

How this looks like as exim config lines?
 

lautrivta

Member
Oct 25, 2015
8
0
1
Vienna, AT
cPanel Access Level
Reseller Owner
Thank you Eric,

i tls_require_ciphers I have

Code:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
But my testscript (- Removed -) says two ciphers are missing for PCI DSS, which are listed above:

TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-SHA256

And I should remove non PCI DSS compliant

(102, 102, 102)]TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA

which are not listetd.


Maybe you have PCI DSS compliant tls_require_ciphers for cPanel 11.52 ?


Thank you.

Lautrivta
 
Last edited by a moderator:

lautrivta

Member
Oct 25, 2015
8
0
1
Vienna, AT
cPanel Access Level
Reseller Owner
I am waiting for a reply to my question !

It does not matter, that cPanel exim is not PCI DSS compliant in 2016?

I can't believe.

I am afraid exim in cPanel is not making use of openssl libs, right?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463