Exim TLS configuration

Discussion in 'E-mail Discussion' started by lautrivta, Mar 5, 2016.

  1. lautrivta

    lautrivta Member

    On all SMTP ports, i.e. 25, 465 and 587, TLS is not PCI DSS compliant.

    I need to remove

    TLS_RSA_WITH_IDEA_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

    I have to add

    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256

    And I have to switch off CLIENT-INITIATED SECURE RENEGOTIATION.

    How does this look as Exim config lines?
     
  2. Eric

    Eric Administrator
    Staff Member

    Howdy,

    The easiest way to change this would be in WHM:

    WHM >> Service Configuration >> Exim Configuration Manager >> Advanced

    I think you're going to want to be around the tls_require_ciphers area.

    Thanks!
     
  3. lautrivta

    lautrivta Member

    Thank you Eric,

    In tls_require_ciphers I have

    Code:
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    
    
    But my test script (- Removed -) says two ciphers are missing for PCI DSS, which are listed above:

    TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-SHA256

    And I should remove the non PCI DSS compliant

    TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA

    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA

    which are not listed.


    Maybe you have PCI DSS compliant tls_require_ciphers for cPanel 11.52 ?


    Thank you.

    Lautrivta
     
    #3 lautrivta, Mar 6, 2016
    Last edited by a moderator: Mar 6, 2016
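
Added example, not part of the original posts and not cPanel's own tooling: a way to see which suites the posted `tls_require_ciphers` string actually enables, and to append exclusions for the suites a scan flags. It assumes Exim is built against OpenSSL and that the OpenSSL linked into the local Python behaves like the one Exim uses; `expand`, `audit` and `tighten` are hypothetical helper names, and the IANA-to-OpenSSL names are the standard OpenSSL ones.

```python
import ssl

# tls_require_ciphers value quoted in the post above.
POSTED = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# IANA name -> OpenSSL name for the suites named in the thread.
REQUIRED = {"TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
            "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256"}
FORBIDDEN = {"TLS_RSA_WITH_IDEA_CBC_SHA": "IDEA-CBC-SHA",
             "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA": "CAMELLIA256-SHA"}

def expand(cipher_string):
    """Return the OpenSSL suite names this string enables in the local build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    return {c["name"] for c in ctx.get_ciphers()}

def audit(cipher_string):
    """Return (required suites that are missing, forbidden suites that are enabled)."""
    enabled = expand(cipher_string)
    missing = sorted(i for i, o in REQUIRED.items() if o not in enabled)
    present = sorted(i for i, o in FORBIDDEN.items() if o in enabled)
    return missing, present

def tighten(cipher_string, keywords):
    """Append permanent exclusions (!KEYWORD) for each family or suite name."""
    return cipher_string + "".join(":!" + k for k in keywords)

if __name__ == "__main__":
    print("as posted:", audit(POSTED))
    fixed = tighten(POSTED, ["CAMELLIA", "IDEA"])
    print("tightened:", audit(fixed))
    print(fixed)
```

Group keywords such as `AES` and `CAMELLIA` in the string enable every suite in that family, so a suite can be active without appearing by name; the expansion is what a scanner sees.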
  4. lautrivta

    lautrivta Member

    I am waiting for a reply to my question!

    Does it not matter that cPanel Exim is not PCI DSS compliant in 2016?

    I can't believe it.

    I am afraid exim in cPanel is not making use of openssl libs, right?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
