Exim TLS configuration

Discussion in 'E-mail Discussions' started by lautrivta, Mar 5, 2016.

  1. lautrivta

    lautrivta Registered

    Joined:
    Oct 25, 2015
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Vienna, AT
    cPanel Access Level:
    Reseller Owner
    On all SMTP ports, i.e. 25, 465 and 587, TLS is not PCI DSS compliant.

    I need to remove

    TLS_RSA_WITH_IDEA_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

    I have to add

    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256

    And I have to switch off CLIENT-INITIATED SECURE RENEGOTIATION.

    What does this look like as Exim config lines?
     
  2. Eric

    Eric Administrator
    Staff Member

    Joined:
    Nov 25, 2007
    Messages:
    746
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Howdy,

    The easiest way to change this would be in WHM:

    WHM >> Service Configuration >> Exim Configuration Manager >> Advanced

    I think you're going to want to be around the tls_require_ciphers area.

    Thanks!
     
  3. lautrivta

    Thank you Eric,

    In tls_require_ciphers I have

    Code:
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    
    
    But my test script (- Removed -) says two ciphers are missing for PCI DSS, which are listed above:

    TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-SHA256

    And I should remove the non-PCI DSS compliant

    TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA

    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA

    which are not listed.


    Maybe you have PCI DSS compliant tls_require_ciphers for cPanel 11.52 ?


    Thank you.

    Lautrivta
     
    #3 lautrivta, Mar 6, 2016
    Last edited by a moderator: Mar 6, 2016
  4. lautrivta

    I am waiting for a reply to my question!

    It does not matter that cPanel exim is not PCI DSS compliant in 2016?

    I can't believe it.

    I am afraid exim in cPanel is not making use of openssl libs, right?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator