SSL Ciphers for Exim/Dovecot not up to date

Erulezz

I am using the default SSL ciphers for Exim & Dovecot described here:

https://help.directadmin.com/item.php?id=571

Code:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

When I'm testing the e-mail ssl configuration I am getting the message that insecure or weak ciphers are used (RC4):

ECDHE_RSA_WITH_RC4_128_SHA
RSA_WITH_RC4_128_SHA

My question is now: what are the recommended (modern) ciphers we can use with Exim & Dovecot?
 
Unless you have very heavy customization in your exim.conf, I would highly suggest letting CustomBuild manage your exim.conf; that way, you should always have everything up to date.

Best regards
 
My exim.conf and the dovecot ssl.conf are up to date and managed by CustomBuild, and I have the same ciphers as described on the DA FAQ page. But the problem is that with these default DA ciphers I am getting the warning that obsolete and insecure ciphers are used, the RC4 ones. Looking at the Dovecot SSL FAQ page, they suggest different ciphers:

http://wiki.dovecot.org/SSL/DovecotConfiguration

Code:
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

Going to try these out to see if the warning goes away.
 
Hi,

I found the following site: https://cipherli.st/

Changing exim to use tls_require_ciphers = AES128+EECDH:AES128+EDH fixed your test.
But I have no idea what generation of clients won't be able to connect anymore because of this (so I rolled back to the default).

regards,
Stijn
 
The modern ciphers will cause issues on most clients. Sadly, users tend to use old software... e.g. Outlook 2007 gave issues with the modern ciphers. It's been a while, but I believe that client also refused a 4096-bit DH parameter length, which is advised by cipherli.st for dovecot.
 
Thanks Stijn for your update :). I opened a ticket to DA Support if they can look into this. No one should be using the very old RC4 cipher :)
 
For dovecot, use:
Code:
cd /usr/local/directadmin/custombuild
mkdir -p custom/dovecot/conf
cp configure/dovecot/conf/ssl.conf custom/dovecot/conf/ssl.conf
./build dovecot_conf
then swap out the ssl_cipher_list line as desired.

Like exim, we can adjust the default after it gets some time to simmer in the real world :)

John
 
I'll hold off on making the above default cipher change just yet, so please report back if you're noticing anything being blocked due to invalid ciphers.
I'll also test on our live test box to see how it goes.

To be honest, I've reverted the cipher after testing. I only have a production server, and no time to debug when clients can't connect.

I don't think the single cipher would be enough to still allow all clients to connect, when Apache needs a long list to accommodate the slightly older "modern" browsers.

regards,
Stijn
 
New SpamBlocker 4.5.0 with these customizations is working great here :) I changed ssl.conf to:

Code:
ssl = required
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_prefer_server_ciphers = yes
 
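The thread quotes three cipher strings (the DirectAdmin FAQ default, the Dovecot wiki string and the cipherli.st `AES128+EECDH:AES128+EDH` one) but never shows what each expands to on the server's own OpenSSL, which is what decides whether a scanner flags RC4. The script below is an added example, not code from the thread, DirectAdmin or Dovecot: it expands each string with the local OpenSSL through Python's `ssl` module and lists RC4, sub-128-bit, anonymous and non-forward-secret suites. `MODERN_NO_ANON` and the helper names are my own; the `:!aNULL` suffix is added because the `EDH`/`EECDH` aliases also match anonymous `ADH-`/`AECDH-` suites, which the Dovecot wiki string excludes explicitly. The output depends on the OpenSSL build and security level the interpreter links against, just as Exim's and Dovecot's do; note that OpenSSL-style strings only apply to Exim when it is built against OpenSSL (an Exim built against GnuTLS takes GnuTLS priority strings instead).

```python
"""Audit OpenSSL cipher strings the way a TLS scanner judges them.

Added example: expands the cipher strings quoted in the thread with the
local OpenSSL and reports the suites a scanner would complain about.
"""
import ssl

# Cipher strings quoted in the thread.
DA_DEFAULT = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"   # DirectAdmin FAQ
DOVECOT_WIKI = "ALL:!LOW:!SSLv2:!EXP:!aNULL"                      # Dovecot wiki
MODERN = "AES128+EECDH:AES128+EDH"                                # cipherli.st
# Assumed hardening (not from the thread): EDH/EECDH also match the
# anonymous ADH-/AECDH- suites, so exclude them as the Dovecot string does.
MODERN_NO_ANON = MODERN + ":!aNULL"


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites OpenSSL enables for a string.

    TLS 1.3 suites are selected independently of the legacy cipher string,
    so they are left out; a scanner's RC4 complaint concerns this list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_anonymous(suite):
    """Anonymous DH / ECDH suites: no server authentication at all."""
    return suite["name"].startswith(("ADH-", "AECDH-"))


def has_forward_secrecy(suite):
    """Ephemeral (EC)DH key exchange; OpenSSL reports it as kx-dhe / kx-ecdhe."""
    return suite.get("kea") in ("kx-dhe", "kx-ecdhe") or suite["name"].startswith(
        ("ECDHE-", "DHE-")
    )


def weak_suites(cipher_string):
    """Suites a scanner flags: RC4, under 128 bits, or anonymous key exchange."""
    return [
        s["name"]
        for s in expand(cipher_string)
        if "RC4" in s["name"] or s["strength_bits"] < 128 or is_anonymous(s)
    ]


def audit(cipher_string):
    """Summarise one cipher string; an unparseable string yields an 'error' key."""
    try:
        suites = expand(cipher_string)
    except ssl.SSLError as exc:
        return {"string": cipher_string, "error": str(exc)}
    return {
        "string": cipher_string,
        "total": len(suites),
        "weak": weak_suites(cipher_string),
        "anonymous": [s["name"] for s in suites if is_anonymous(s)],
        "no_forward_secrecy": [s["name"] for s in suites if not has_forward_secrecy(s)],
    }


if __name__ == "__main__":
    for cs in (DA_DEFAULT, DOVECOT_WIKI, MODERN, MODERN_NO_ANON):
        report = audit(cs)
        print(f"\n{cs}")
        if "error" in report:
            print("  error:", report["error"])
            continue
        print(f"  {report['total']} suites enabled (TLS <= 1.2)")
        for key in ("weak", "anonymous", "no_forward_secrecy"):
            if report[key]:
                print(f"  {key}: {', '.join(report[key])}")
```

Run it on the mail server itself (or on a box with the same OpenSSL package): an empty `weak` list for a string means the scanner's RC4 finding would not reproduce against that build, while the `no_forward_secrecy` list for the DirectAdmin default shows how much plain-RSA key exchange the `ALL:...` string still leaves enabled. Whether the stricter strings lock out old clients such as the Outlook 2007 case mentioned above cannot be answered by this script; that remains a matter of testing against the clients in use.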