Lack of support for “new” protocols (like TLS v1.2+)

ikkeben

EDIT:
A test with a DA box on the intermediate or moderate setting (I don't know the exact name offhand), so not modern, gives

"Lack of support for “new” protocols (like TLS v1.2+)"

How to get, with that setting (or even modern), the TLS v1.2+ result
"Enable use of the TLS v1.2 together with strong NIST-recommended ciphers."?

Also, a howto for this one for the DA box mail server?
"Enable SMTP MTA Strict Transport Security for your domain.
So, while SMTP MTA STS is not perfect, it does significantly reduce the range of possible attacks on TLS-secured email transmissions while also encouraging email providers to make sure that their SMTP TLS support is well configured."

Code:
Recommended Ciphers for HIPAA and TLS v1.2+

TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES128-CCM8:DH-RSA-AES256-GCM-SHA384:DH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256
One thing that is interesting to note is that there are many ciphers included in this list that are not 256-bit. E.g., 128bit AES is allowed for HIPAA and for high-security government use. We often hear people stating that 256-bit encryption is a requirement of HIPAA … it is not (that answer is “too simple” — it comes down to which specific algorithms are used, for example).
 
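Before pasting a list like the one above into a server config it is worth checking which of its names the local OpenSSL build actually knows, because OpenSSL silently drops tokens it does not recognise as long as something else in the string still matches, and only fails when no TLS 1.2-or-older cipher matches at all. The `TLS13-...` spellings are LuxSci's; OpenSSL names its TLS 1.3 suites `TLS_AES_256_GCM_SHA384` and so on, and configures them through a separate setting (`SSL_CTX_set_ciphersuites`) rather than the cipher string. The following is an added example, not code from the thread or from DirectAdmin; it uses only the standard library `ssl` module, runs offline, and embeds a copy of the list quoted in the post:

```python
"""Check a colon-separated OpenSSL cipher string name by name.

Added example, not from the forum post or from DirectAdmin. Runs offline
against the OpenSSL build linked into the local Python.
"""
import ssl

# Copy of the "Recommended Ciphers for HIPAA and TLS v1.2+" list from the post.
HIPAA_TLS12_LIST = (
    "TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:"
    "TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM:"
    "DHE-RSA-AES256-CCM8:DHE-RSA-AES128-CCM8:"
    "DH-RSA-AES256-GCM-SHA384:DH-RSA-AES128-GCM-SHA256:"
    "ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256"
)


def classify_cipher_names(cipher_string):
    """Return (accepted, rejected).

    Each name is tried on its own: OpenSSL ignores unknown tokens when the
    string as a whole still matches something, so testing the full string
    would hide the bad names. A name is rejected when set_ciphers() raises
    "No cipher can be selected", which happens for names OpenSSL never had
    (the TLS13-* spellings) and for ciphers a build has removed (static
    DH-RSA/ECDH-RSA suites were dropped in OpenSSL 1.1.0).
    """
    accepted, rejected = [], []
    for name in cipher_string.split(":"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)
        except ssl.SSLError:
            rejected.append(name)
            continue
        accepted.append(name)
    return accepted, rejected


def tls12_ciphers_enabled(cipher_string):
    """Names OpenSSL really enables for TLS <= 1.2 when given the whole string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def tls13_ciphersuites():
    """TLS 1.3 suites in OpenSSL spelling; these are not part of the cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def has_tls13():
    """Whether the linked OpenSSL supports TLS 1.3 at all."""
    return ssl.HAS_TLSv1_3


if __name__ == "__main__":
    ok, bad = classify_cipher_names(HIPAA_TLS12_LIST)
    print("accepted by this OpenSSL:", ", ".join(ok))
    print("rejected by this OpenSSL:", ", ".join(bad))
    print("TLS 1.2 ciphers enabled by the full string:", ", ".join(tls12_ciphers_enabled(HIPAA_TLS12_LIST)))
    print("TLS 1.3 suites (configured separately):", ", ".join(tls13_ciphersuites()))
```

The same check can be run against a daemon's own string by passing it to `classify_cipher_names`; anything that ends up in `rejected` contributes nothing to the server's TLS 1.2 offer, and the TLS 1.3 suites have to be set through the daemon's separate TLS 1.3 directive.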
Hello!

A test with a DA box on the moderate setting gives
Do you mean "modern" (not moderate)? If so, "modern" SSL configuration in CustomBuild will enforce TLS 1.3. This does work at least on Debian 11 according to my experience.

I think this thread might be relevant for you because you could face the same issue as me if you or your clients use Outlook as their email client:


Edit: Nevermind, I didn't notice that it's you and thus that you know the other thread already . . .
 
@warg I did test because of your Outlook problem, and then I saw that OUTLOOK.com has TLS 1.2+ ciphers and SMTP MTA STS.

But the DA box doesn't :(
I mean a test on a DA box with the setting that is not the modern TLS 1.3-only one but the one below it, intermediate or moderate (I don't know the term now, sorry).

It is failing for the TLS 1.2+ ciphers when testing (not for TLS 1.3).

And it also has no SMTP MTA STS.

So for both, if it is not served by DA by default, then howtos / manuals are needed!
for this:
Recommended Ciphers for HIPAA and TLS v1.2+

and

SMTP MTA STS
 
I'm not sure what you are referring to for the recommended ciphers? I did the test on the site and got an A, just a normal DA box with ssl_configuration on intermediate...

For SMTP MTA STS:
One Google query brought me here, https://www.mailhardener.com/kb/mta-sts I think you should be able to set it up by reading this.
 
Attachment: buggedbrain-test.png
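MTA-STS (RFC 8461) is two artefacts that the domain owner publishes: a TXT record at `_mta-sts.<domain>` containing `v=STSv1; id=<id>`, and a plain-text policy served at `https://mta-sts.<domain>/.well-known/mta-sts.txt` with `version`, `mode`, one or more `mx` patterns and `max_age`. Sending MTAs fetch the policy, cache it for `max_age` seconds, and in `enforce` mode refuse to deliver unless the MX they are connecting to matches one of the patterns and presents a valid certificate. The following added example, not code from the thread, DirectAdmin or mailhardener, builds both artefacts and validates a policy the way a sending MTA would; `example.com` and the MX names are placeholders:

```python
"""Build and validate an SMTP MTA-STS (RFC 8461) policy.

Added example; not from the forum thread, DirectAdmin or mailhardener.
example.com and the MX host names below are placeholders.
"""

MAX_AGE_LIMIT = 31557600  # one year, the ceiling RFC 8461 puts on max_age


def build_dns_record(policy_id):
    """TXT record content for _mta-sts.<domain>.

    The id has no meaning of its own; it must change whenever the policy
    file changes, otherwise senders keep using their cached copy.
    """
    return f"v=STSv1; id={policy_id}"


def build_policy(mx_hosts, mode="testing", max_age=604800):
    """Body to serve at https://mta-sts.<domain>/.well-known/mta-sts.txt"""
    if mode not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not mx_hosts:
        raise ValueError("at least one mx host is required")
    lines = ["version: STSv1", f"mode: {mode}"]
    lines += [f"mx: {host}" for host in mx_hosts]
    lines.append(f"max_age: {max_age}")
    return "\r\n".join(lines) + "\r\n"


def parse_policy(text):
    """Parse a policy file into a dict; raise ValueError if it is malformed."""
    policy = {"mx": []}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid mode")
    if not policy["mx"]:
        raise ValueError("at least one mx line required")
    try:
        policy["max_age"] = int(policy.get("max_age", ""))
    except ValueError:
        raise ValueError("max_age must be an integer number of seconds")
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    return policy


def policy_problem(text):
    """None if the policy parses, otherwise the validation error text."""
    try:
        parse_policy(text)
    except ValueError as exc:
        return str(exc)
    return None


def mx_matches(pattern, hostname):
    """RFC 8461 matching: exact host, or a '*.' wildcard covering exactly one label.

    '*.example.com' matches 'mail.example.com' but neither 'example.com'
    nor 'foo.mail.example.com'. Comparison is case-insensitive and a
    trailing dot on the hostname is ignored.
    """
    pattern = pattern.lower()
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
            return False
        return "." not in hostname[: -len(suffix)]
    return hostname == pattern


def mx_permitted(policy, hostname):
    """Would a sending MTA accept delivery to this MX under the policy?"""
    return any(mx_matches(p, hostname) for p in policy["mx"])


if __name__ == "__main__":
    print(build_dns_record("20240101T120000"))
    print(build_policy(["mail.example.com", "*.example.com"], mode="enforce"), end="")
```

Start in `testing` mode and switch to `enforce` only once every MX listed actually presents a certificate valid for its name, since in `enforce` mode a mismatch means mail is not delivered at all. The HTTPS host `mta-sts.<domain>` itself also needs a valid certificate, which is the part a DA box does not set up on its own.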
I'm not sure what you are referring to for the recommended ciphers? I did the test on the site and got an A, just a normal DA box with ssl_configuration on intermediate...

For SMTP MTA STS:
One Google query brought me here, https://www.mailhardener.com/kb/mta-sts I think you should be able to set it up by reading this.
No, it is not an A, only a B: https://luxsci.com/smtp-tls-checker

Also no SecureLine?
TLS v1.2 + Good Ciphers? No
LuxSci SecureLine Compatibility? No

3 DA boxes, 2 with Alma and one with CentOS 7, all with the default intermediate.

So then a howto, or why could this be a B where it shouldn't be?
Others, please do the same test; maybe it is only me? ;)

And I am not asking for links to other sites but for the DOCS / HOWTO of the DA CP itself.

But OK thanks for link. ;)
 
When I use the 'Recommended Ciphers for HIPAA and TLS v1.2+' list I no longer have support for tls 1.2 for some reason... And setting up smtp mta sts is a five minute job. I doubt DA will start supporting this out of the box..
 
When I use the 'Recommended Ciphers for HIPAA and TLS v1.2+' list I no longer have support for tls 1.2 for some reason... And setting up smtp mta sts is a five minute job. I doubt DA will start supporting this out of the box..
No, I don't mean out of the box; I mean a howto and docs in the DA help and docs.

Also for that I don't see DA docs or help:
LuxSci SecureLine Compatibility? Yes
 
LuxSci SecureLine is only possible if you only support the ciphers they want I think. Not sure, but this is something from a company so you should ask them to be sure...
 
LuxSci SecureLine is only possible if you only support the ciphers they want I think. Not sure, but this is something from a company so you should ask them to be sure...
OK, I don't understand why some tests have that SecureLine OK when they are not from that company, but maybe then the MX is Gmail, Outlook or so.

For the other things I only copy-pasted the test result into the topic start (lack of ... and so on).

In my opinion, for those more basic things there should be easy-to-find help and docs from DirectAdmin, and yes, maybe some setting to switch on or off, or even extend.

Now you have only a few settings, but it is harder to change and manage those in a simple overview in the DA CP panel GUI.
And the docs/help are not there or are hard to find.

I also think it is better to have related stuff in the DA docs / help, to be more sure of consistent and secure info.
 