Exim TLS configuration

lautrivta · Mar 5, 2016

On all smtp ports, ie 25, 465 and 587 TLS is not PCI DSS compliant

I need to remove

TLS_RSA_WITH_IDEA_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

I have to add

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256

And I have to switch off CLIENT-INITIATED SECURE RENEGOTIATION .

How this looks like as exim config lines?

Eric · Mar 5, 2016

Howdy,

The easiest way to change this would be in WHM:

WHM >> Service Configuration >> Exim Configuration Manager >> Advanced

I think you're going to want to be around the tls_require_ciphers area.

Thanks!

lautrivta · Mar 6, 2016

Thank you Eric,

i tls_require_ciphers I have

Code:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

But my testscript (- Removed -) says two ciphers are missing for PCI DSS, which are listed above:

TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-SHA256

And I should remove non PCI DSS compliant

(102, 102, 102)]TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA

which are not listetd.

Maybe you have PCI DSS compliant tls_require_ciphers for cPanel 11.52 ?

Thank you.

Lautrivta

lautrivta · Mar 8, 2016

I am waiting for a reply to my question !

It does not matter, that cPanel exim is not PCI DSS compliant in 2016?

I can't believe.

I am afraid exim in cPanel is not making use of openssl libs, right?

cPanelMichael · Mar 9, 2016

Hello

Could you attach an image of what your PCI Compliance scan is reporting? You may find the following thread helpful, as other users have reported the cipher entries they are using for Exim:

I need to disable TLS v1.0

This document is also available:

PCI Compliance and Software Versions - cPanel Knowledge Base - cPanel Documentation

Thank you.

Thread starter	Similar threads	Forum	Replies	Date
T	SOLVED exim sending problem - "a TLS session is required, but the server did not offer TLS support"	Email	11	Jul 28, 2022
B	How do I disable TLS v1.0 and v1.1 on Exim?	Email	3	Jun 2, 2022
V	SOLVED SSL/TLS Cipher Suite List option in EXIM config has no effect	Email	5	Nov 2, 2020
J	Forcing TLS to and from a specific domain in Exim	Email	1	Aug 14, 2017
D	Problems with Exim mailserver and TLS	Email	3	Jul 12, 2017

Search

Search

Exim TLS configuration

lautrivta

Member

Eric

Well-Known Member

lautrivta

Member

lautrivta

Member

cPanelMichael

Administrator