Ports 110, 995, 143, 993 TLSv1.0 are enabled?

Discussion in 'Security' started by JIKOmetrix, Mar 15, 2019.

  1. JIKOmetrix

    JIKOmetrix Well-Known Member

    Hello,

    I am running cPanel v78.0.17 on CentOS 7.6.

    We had a PCI compliance scan in January that we passed.

    We received another scan March 8th and failed the scan.

    The scan found Ports 110, 995, 143, 993 with TLSv1.0 enabled.

    However, we have exim configured with openSSL option:
    +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

    This should force TLSv1.2, correct?

    When I looked here: "How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation"

    It says to just add +no_tlsv1. However, it is already there.

    Can anyone provide direction on this issue?

    I usually open a ticket for this; however, cPanel is now pointing to my license provider for support, who is being slow to respond.

    Thanks,
    Mike
     

  2. JIKOmetrix

    JIKOmetrix Well-Known Member

    Hello,

    Maybe I am not understanding my own testing.

    I read more on the above link and see I was looking in the wrong section of WHM. I should have been looking at:
    (WHM >> Home >> Service Configuration >> Mailserver Configuration)

    and at the "SSL Minimum Protocol" section.

    I have now set this to TLSv1.2.

    When I test with openssl s_client -connect 192.xx.xx.xxx:995 -tls1 at the command prompt, I get the following below. Does this mean this is disabled?

    Code:
    =========================
    [root@host76 ~]# openssl s_client -connect 192.xx.xx.xxx:995 -tls1
    CONNECTED(00000003)
    140033341241232:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1552657673
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
     
    #2 JIKOmetrix, Mar 15, 2019
    Last edited by a moderator: Mar 15, 2019
  3. GOT

    GOT Get Proactive! PartnerNOC

    Those ports are for Dovecot, not Exim. So you need to set the same ciphers in the mail server config area of WHM.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hello,

    Either way that's not a successful connection. If you connect successfully you'll get the SMTP banner at the end of the transaction, similar to the following:

    Code:
    220-server.mydomain.com ESMTP Exim 4.91 #1 Fri, 15 Mar 2019 16:01:00 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
     
  5. JIKOmetrix

    JIKOmetrix Well-Known Member

    Hello,

    Thank you for looking. This was helpful.

    - Mike
     
    cPanelLauren likes this.
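
The check discussed in this thread, as an added example that is not from any of the posters or from cPanel: it runs the same `openssl s_client` test against all four scanned ports and classifies each result, so a TCP connect is not mistaken for a completed handshake. The function names are hypothetical, the accepted sample is constructed, and ports 110 and 143 are assumed to offer STARTTLS.

```shell
# Added example, not from the thread. Function names are hypothetical.
# classify_handshake reads `openssl s_client` output on stdin and prints
# accepted, rejected or no-connection. "CONNECTED" only proves the TCP connect
# succeeded; the handshake completed only if a real cipher was negotiated.
classify_handshake() {
    awk '
        /^CONNECTED/                { tcp = 1 }
        /New, .*Cipher is /         { negotiated = ($0 !~ /\(NONE\)/) }
        /^ *Cipher *: 0+ *$/        { zero = 1 }
        /handshake failure|alert protocol version/ { failed = 1 }
        END {
            if (!tcp) print "no-connection"
            else if (negotiated && !failed && !zero) print "accepted"
            else print "rejected"
        }'
}

# probe HOST PORT FLAG: 995 and 993 speak TLS from the first byte; 110 and 143
# start in plaintext and need s_client to issue STARTTLS first.
# $extra is left unquoted on purpose so it splits into two arguments.
probe() {
    case "$2" in
        110) extra="-starttls pop3" ;;
        143) extra="-starttls imap" ;;
        *)   extra="" ;;
    esac
    openssl s_client -connect "$1:$2" "$3" $extra </dev/null 2>&1 | classify_handshake
}
# audit HOST: one result line per scanned port and protocol flag.
audit() {
    for port in 110 995 143 993; do
        for flag in -tls1 -tls1_1 -tls1_2; do
            printf '%s %s %s\n' "$port" "$flag" "$(probe "$1" "$port" "$flag")"
        done
    done
}
# Sample inputs: the refused one is abridged from the output posted in the
# thread; the accepted one is constructed for illustration.
sample_refused() {
    printf '%s\n' 'CONNECTED(00000003)' \
        '140033341241232:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:' \
        'New, (NONE), Cipher is (NONE)' '    Cipher    : 0000'
}
sample_accepted() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384' \
        '    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
}

if [ -n "${1:-}" ]; then audit "$1"; else sample_refused | classify_handshake; fi
```

If the local OpenSSL build or crypto policy disables TLSv1.0 on the client side, the `-tls1` probe fails locally and reports rejected whatever the server allows, so run it from a client that can still speak TLSv1.0.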