Hello,
I received a warning about weak ciphers on the mailserver ports (587, 465, 26, 25) with our PCI scan. I adjusted both dovecot and exim to use the hardened ciphers, but this morning I am still getting flagged for weak ciphers. I dug into the report and it's reporting the following ciphers as being present (see attachment):
AECDH-RC4-SHA
AECDH-DES-CBC3-SHA
AECDH-AES128-SHA
AECDH-AES256-SHA
RC4-MD5
RC4-SHA
AECDH-RC4-SHA
When I go into WHM and look at the cipher settings for dovecot and exim I do not see any of these ciphers listed.
Dovecot:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Exim:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
This smells like a false positive, but I don't want to assume anything in regard to PCI. I made similar adjustments for webdisk, cPanel services, and Apache, but again, it's flagging the mailserver ports, not port 80 or 443.
What am I missing? TIA!
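One way to settle whether the report is a false positive is to ask the listeners directly: offer each flagged suite to each of the ports in the post and see whether the server completes a handshake with it, independently of what WHM displays. The example below is added here and is not code from the original post or from cPanel. The cipher names, the two cipher strings and the port numbers are copied from the post; the hostname is a placeholder argument; treating port 465 as implicit TLS and 25/26/587 as STARTTLS is an assumption about how the scanner reached those ports. The flagged suites are all anonymous-key-exchange (AECDH), RC4, 3DES or MD5 suites, which is why any scanner rates them weak regardless of the key size in the name.

```python
"""Check which TLS cipher suites an SMTP listener actually accepts.

Added example; not from the original forum post or from cPanel.
Cipher names and ports are taken from the post; the probing method
(Python ssl + smtplib) and the hostname argument are assumptions.
"""
import smtplib
import ssl
import sys

# Exactly as listed in the scan report quoted in the post (including the repeat).
FLAGGED = [
    "AECDH-RC4-SHA", "AECDH-DES-CBC3-SHA", "AECDH-AES128-SHA",
    "AECDH-AES256-SHA", "RC4-MD5", "RC4-SHA", "AECDH-RC4-SHA",
]
# Cipher strings as shown in WHM for each service, copied from the post.
DOVECOT_CIPHERS = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                   "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                   "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                   "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
EXIM_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
                "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")
MAIL_PORTS = [25, 26, 465, 587]


def parse_cipher_list(cipher_string):
    """Split an OpenSSL-style colon-separated cipher string into suite names."""
    return [c for c in cipher_string.split(":") if c]


def unexpected_ciphers(flagged, configured_string):
    """Flagged suites absent from the configured string, de-duplicated, order kept."""
    configured = set(parse_cipher_list(configured_string))
    seen, out = set(), []
    for c in flagged:
        if c not in configured and c not in seen:
            seen.add(c)
            out.append(c)
    return out


def weakness_reasons(cipher):
    """Why a PCI scanner flags this suite name, from its OpenSSL name alone."""
    reasons = []
    if cipher.startswith(("AECDH-", "ADH-")):
        reasons.append("anonymous key exchange (no server authentication)")
    if "RC4" in cipher:
        reasons.append("RC4 stream cipher")
    if "DES-CBC3" in cipher:
        reasons.append("3DES (64-bit block)")
    if cipher.endswith("-MD5"):
        reasons.append("MD5 MAC")
    return reasons


def _client_context(cipher):
    """Client context that offers only `cipher` and lets legacy suites through locally."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing cipher acceptance, not the certificate
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # these suites exist only in TLS <= 1.2
    except (ValueError, ssl.SSLError):
        pass
    # @SECLEVEL=0 is OpenSSL syntax that stops the local library from refusing weak suites.
    ctx.set_ciphers(cipher + ":@SECLEVEL=0")  # raises ssl.SSLError if unsupported locally
    return ctx


def probe_smtp(host, port, cipher, timeout=10):
    """Offer one suite to an SMTP port; status is accepted / rejected / error / untestable."""
    result = {"port": port, "cipher": cipher, "status": None, "negotiated": None}
    try:
        ctx = _client_context(cipher)
    except ssl.SSLError:
        result["status"] = "untestable"  # local OpenSSL cannot even offer this suite
        return result
    try:
        if port == 465:  # implicit TLS (assumption from the port number)
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:            # STARTTLS on 25, 26 and 587 (assumption)
            conn = smtplib.SMTP(host, port, timeout=timeout)
            conn.ehlo()
            conn.starttls(context=ctx)
        result["negotiated"] = conn.sock.cipher()[0]
        result["status"] = "accepted"
        conn.quit()
    except ssl.SSLError:
        result["status"] = "rejected"   # handshake failed: server would not use this suite
    except OSError:
        result["status"] = "error"      # refused, timed out, or no STARTTLS offered
    return result


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # placeholder
    for suite in unexpected_ciphers(FLAGGED, DOVECOT_CIPHERS + ":" + EXIM_CIPHERS):
        print(suite, "->", "; ".join(weakness_reasons(suite)))
        for port in MAIL_PORTS:
            r = probe_smtp(host, port, suite)
            print("  port", port, r["status"], r["negotiated"] or "")
```

Run it against your own server as `python3 probe.py your.mail.host`. A port reporting `accepted` for a flagged suite is genuinely offering it, whatever WHM shows for that service, so the daemon answering that port (rather than the cipher string in the panel) is where to look next; `rejected` on every port supports the false-positive reading; `untestable` means the local OpenSSL build cannot offer the suite at all, in which case the scanner's own result has to stand until you test from a machine whose OpenSSL still supports RC4 and anonymous ECDH.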