How do I disable TLS v1.0 and v1.1 on Exim?

budiantoip
Registered, Jun 2, 2022, Indonesia
cPanel Access Level: Website Owner
When I ran this command in my terminal:

Code:
openssl s_client -connect www.domain.com:465 -tls1

it displayed this output:

Code:
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: B4C5934D812CAE5460DF87317C1AD76EF0998DD7B228EB631477DCB831B8
    Session-ID-ctx:
    Master-Key: F7D4F5FF850193E9C746AF3B59AE5B06892805AFC6528F82389684989441156D011FFB79D2D6E653C2ED4E568961
    Start Time: 1654225000
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

which I believe means TLSv1.0 is enabled.

Currently the SSL protocols used by Exim are these:

Code:
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

Should I change it to:

Code:
+no_sslv2 +no_sslv3 +no_tlsv1_2 +no_tlsv1_3

Or to:

Code:
+no_sslv2 +no_sslv3

How do I know the possible values for these protocols on Exim? And is it safe to completely remove TLS v1.0 and TLS v1.1?

cPRex
Jurassic Moderator, Staff member, Oct 19, 2014
cPanel Access Level: Root Administrator
Hey there! From our documentation here:
Code:
    cPanel & WHM only supports TLSv1.2 or newer. The system enables TLSv1.2 by default.
    Not all clients will support TLSv1.3, which requires OpenSSL 1.1.1 or higher.
I specifically linked the version 86 page of the documentation to show that's been in place for several years.

For reference, here are the default ciphers in WHM >> Mailserver Configuration:

Code:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Code:
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 default
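As an added example (not from the thread or from cPanel's own tooling), here is a small Python helper that works out which protocol versions each of the openssl_options strings proposed above leaves enabled, and that reads the Protocol and Cipher lines from openssl s_client output like the one posted, so the configured policy can be compared with what the server actually negotiated. The flag names are the six protocol flags Exim's openssl_options accepts; the sample s_client output is constructed.

```python
"""Added example: interpret Exim openssl_options and openssl s_client output."""
import re

# Protocol-disabling flags accepted by Exim's openssl_options, oldest first.
# "+name" sets a flag, "-name" clears it; other tokens (such as "default" or
# non-protocol options) are ignored by this helper.
PROTOCOL_FLAGS = {
    "no_sslv2": "SSLv2",
    "no_sslv3": "SSLv3",
    "no_tlsv1": "TLSv1",
    "no_tlsv1_1": "TLSv1.1",
    "no_tlsv1_2": "TLSv1.2",
    "no_tlsv1_3": "TLSv1.3",
}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def allowed_protocols(openssl_options):
    """Return the versions an openssl_options string leaves enabled, oldest first."""
    disabled = set()
    for token in openssl_options.split():
        name = token[1:].lower()
        if token[0] == "+" and name in PROTOCOL_FLAGS:
            disabled.add(name)
        elif token[0] == "-" and name in PROTOCOL_FLAGS:
            disabled.discard(name)  # a later "-no_x" re-enables that version
    return [ver for flag, ver in PROTOCOL_FLAGS.items() if flag not in disabled]

def meets_modern_policy(openssl_options):
    """True when nothing older than TLSv1.2 is allowed but TLSv1.2 or 1.3 still is."""
    allowed = set(allowed_protocols(openssl_options))
    return not (allowed & LEGACY) and bool(allowed & {"TLSv1.2", "TLSv1.3"})

def negotiated_protocol(s_client_output):
    """Return the version openssl s_client actually negotiated, or None when the
    handshake failed (s_client then shows a cipher of 0000 or (NONE), or no session)."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", s_client_output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_output, re.M)
    if not proto or not cipher or cipher.group(1) in ("0000", "(NONE)"):
        return None
    return proto.group(1)

if __name__ == "__main__":
    # Constructed sample modelled on the s_client output quoted in the question.
    sample = "SSL-Session:\n    Protocol  : TLSv1\n    Cipher    : ECDHE-RSA-AES256-SHA\n"
    for opts in ("+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1",
                 "+no_sslv2 +no_sslv3 +no_tlsv1_2 +no_tlsv1_3", "+no_sslv2 +no_sslv3"):
        print(f"{opts:44} allows {allowed_protocols(opts)} ok={meets_modern_policy(opts)}")
    print("s_client negotiated:", negotiated_protocol(sample))
```

Of the two candidates in the question, the first (`+no_tlsv1_2 +no_tlsv1_3`) would leave only TLSv1 and TLSv1.1 enabled, the opposite of the intent, while the current setting already allows only TLSv1.2 and TLSv1.3.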

budiantoip
Registered, Jun 2, 2022, Indonesia
cPanel Access Level: Website Owner
Awesome, thank you!