SHA1 - You should consider using SHA 256 or higher mail port 25, 465 and 587

ikkeben

Sorry, I did a search but did not find the answer.. too many hits not showing me the right direction... :(
Mailcheck found this problem: how to change SHA1 there to SHA384, if better than SHA256?

DA 1.52, Custombuild2, PLUGIN API custombuild latest,

Dovecot, EXIM, Apache. CENTOS 7.4.x

So how to change afterwards the hash for mail

SHA1 - You should consider using SHA 256 or higher mail port 25, 465 and 587


The ports: 110, 995, 993, 143

are all using SSL Hash Algorithm: SHA 384, so that's OK!
 
Hello,

If you're using a paid SSL cert with SHA1 then you need to re-issue it. Contact your SSL-issuer company for more details.

If you and/or intermediate cert with SHA1 then you need to download a new one with SHA2+. Contact your SSL-issuer company for more details.
 
Thanks

BUT it was only with mail on the mentioned 3 ports 25, 465 and 587, testing with a mail tester for weak ciphers.

It is solved with my second post, so the defaults of the newest versions of exim, dovecot, directadmin, custombuild, spam.. had given me these errors, after the latest updates again.
I did have the error before, but didn't remember how I solved it (not using custom that time).

Now, after changing custom to the right cipher as described, no problems anymore.

Only asking if this was the right way to do it, therefore the ??? posted behind.


It was hard to find with searching because of a lot of too old results.... :(


Letsencrypt is on hostname, hostname is mailserver (MX) for all domains.

Testing with https://www.unlocktheinbox.com/mail-tester/ gives 0 warnings and 0 criticals.
- SSL Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
- SMTP Banner Reverse DNS Check: Passed
- SSL Valid: Certificate is Valid
- SSL Protocol Used: TLS 1.2
- SSL Cipher Algorithm: AES 256
- SSL Hash Algorithm: SHA 384
- SSL Exchange Algorithm: ECDH
- SSL Key Size: 4096
- SSLv3 Disabled: Yes


and also green with https://ssl-tools.net/mailservers

and 10/10 with https://www.mail-tester.com/

and 80%, while no DNSSEC and DANE (I hate both ;) ), with the https://internet.nl mail test
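
Added example, not part of the thread: a small Python check that reports which cipher suite a mail server negotiates on ports 25, 465 and 587 and which hash that suite names, plus an offline check of which suites an OpenSSL cipher string would still allow with SHA1 or MD5. It assumes the tester's "SSL Hash Algorithm" line reflects the negotiated cipher suite rather than the certificate signature; the function names are made up for this example and the host is whatever you pass on the command line.

```python
import re
import smtplib
import ssl
import sys

def suite_hash(name):
    """Hash named in an OpenSSL cipher-suite name: 'SHA1', 'SHA256', 'SHA384', 'MD5' or None."""
    token = re.split(r"[-_]", name)[-1].upper()
    if token == "SHA":  # OpenSSL writes HMAC-SHA1 suites as "...-SHA"
        return "SHA1"
    return token if token in ("SHA256", "SHA384", "MD5") else None

def expand(cipher_string):
    """Suite names the local OpenSSL offers for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

def weak_hash_suites(names):
    """Subset of suite names that still use SHA1 or MD5."""
    return [n for n in names if suite_hash(n) in ("SHA1", "MD5")]

def negotiated(host, port):
    """Return (suite, protocol, hash) the server picks; 465 is implicit TLS, others STARTTLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: we inspect the cipher,
    ctx.verify_mode = ssl.CERT_NONE  # we do not send mail over this session
    if port == 465:
        conn = smtplib.SMTP_SSL(host, port, timeout=10, context=ctx)
    else:
        conn = smtplib.SMTP(host, port, timeout=10)
        conn.starttls(context=ctx)
    try:
        name, proto, _bits = conn.sock.cipher()
        return name, proto, suite_hash(name)
    finally:
        conn.close()

if __name__ == "__main__" and len(sys.argv) == 2:
    for port in (25, 465, 587):
        print(port, negotiated(sys.argv[1], port))
```

The result of `negotiated()` also depends on the suites the client offers, so an online tester with a different client can report a different suite for the same server.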
 