SSL - no shared cipher ??

jvdwilk

Verified User
Joined
Aug 2, 2006
Messages
20
After a recent update I find lots (too many) of errors in my exim mainlog, claiming there is no shared cipher available for setting up an SSL connection.
This is causing issues with emails for my clients not being delivered to my server.

Receiving one such message via an alternate channel, I could inspect the message headers of the message which could not be delivered to my server, and I can confirm that the sending server supports TLS 1.2, but does not support any of the ciphers which are available by default to exim.

I have created a file /etc/exim.variables.conf.custom and inserted the following line:
Code:
tls_require_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
(copied the line from /etc/exim.variables.conf and added the last two ciphers)

This solved most of the issues (95% fewer 'no shared cipher' messages), but some are still left in my logs.

Is there a way to find out which SSL/TLS level the failing servers are supporting, and/or which ciphers they do support from any of my log files?
And would it be an idea to be a little less restrictive on what we can support by default for ciphers in DirectAdmin / Exim ?
Or is there a good reason for not supporting ECDHE-RSA-AES128-SHA256 & ECDHE-RSA-AES256-SHA384 ??

Kind regards,
Jorge.
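Added example (not from this thread and not DirectAdmin's or Exim's own code): a small Python 3 script that works the two questions above through offline. The 'no shared cipher' line in the mainlog names the peer and the OpenSSL error, not what the peer offered, so the reliable way to see a sender's TLS version and cipher offer is its ClientHello, the first TLS record after STARTTLS in a tcpdump of port 25 on the receiving server. The script parses such a ClientHello (the two senders below are constructed, not captures), expands an OpenSSL-style tls_require_ciphers string exactly the way the local OpenSSL does (an OpenSSL-built Exim uses OpenSSL cipher-string syntax), reports names OpenSSL silently drops (a misspelled cipher name is ignored, not an error), and intersects the server list with the client offer. Splitting the posted string into DA_DEFAULT_SPEC plus the two appended suites follows the post's own description; TYPO_SPEC, LEGACY_SENDER and MODERN_SENDER are constructed test inputs. Assumes Python 3.7+ with the ssl module linked against OpenSSL 1.1.1 or newer.

```python
import ssl
import struct

# Cipher string from the first post, split into the DirectAdmin default list and
# the two suites the poster appended (per the post: "added the last two ciphers").
DA_DEFAULT_SPEC = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)
POSTED_SPEC = DA_DEFAULT_SPEC + ":ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
# Constructed: one name misspelled, to show OpenSSL drops it without any error.
TYPO_SPEC = POSTED_SPEC.replace("ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY130")
VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def expand_cipher_string(spec):
    """TLS <= 1.2 suites the local OpenSSL really enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises only if *nothing* in the string matches
    # TLS 1.3 suites (OpenSSL names them TLS_...) are not governed by this string.
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]

def unrecognised_tokens(spec):
    """Names in spec that were not enabled: typos, or suites this OpenSSL build or its
    security level refuses. Assumes a plain colon-separated list, as in the post."""
    enabled = set(expand_cipher_string(spec))
    return [t for t in spec.split(":") if t and t not in enabled]

def iana_id_to_openssl_name():
    """16-bit IANA suite id -> OpenSSL name, for everything this OpenSSL knows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}

def build_client_hello(legacy_version, suites, supported_versions=None):
    """Construct a minimal ClientHello record (test input only, not a capture)."""
    body = struct.pack("!H", legacy_version) + b"\x11" * 32 + b"\x00"  # version, random, no session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    exts = b""
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HHB", 0x002B, len(vs) + 1, len(vs)) + vs  # supported_versions ext
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Versions and suites a client offered, from the TLS record it sends right after
    STARTTLS (e.g. the first TLS record of the inbound session in a tcpdump capture)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    versions = [struct.unpack("!H", body[:2])[0]]  # legacy client_version
    pos = 34                                       # skip client_version (2) and random (32)
    pos += 1 + body[pos]                           # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    if pos + 2 <= len(body):                       # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x002B:                    # supported_versions: a TLS 1.3 client's real offer
                n = body[pos]
                versions = [struct.unpack("!H", body[pos + 1 + i:pos + 3 + i])[0] for i in range(0, n, 2)]
            pos += elen
    return {"versions": versions, "suites": suites}

def shared_ciphers(server_spec, record):
    """Suites both sides accept, in the server's order; [] is Exim's 'no shared cipher'."""
    offered = set(parse_client_hello(record)["suites"])
    name_to_id = {v: k for k, v in iana_id_to_openssl_name().items()}
    return [n for n in expand_cipher_string(server_spec) if name_to_id.get(n) in offered]

# Constructed senders (not captures): a TLS 1.2-only MTA offering CBC suites, and a
# modern MTA that advertises TLS 1.3 through the supported_versions extension.
LEGACY_SENDER = build_client_hello(0x0303, [0xC027, 0xC014, 0x002F])
MODERN_SENDER = build_client_hello(0x0303, [0x1301, 0xC02F], supported_versions=[0x0304, 0x0303])

if __name__ == "__main__":
    print("dropped silently from the typo'd list:", unrecognised_tokens(TYPO_SPEC))
    for label, hello in (("legacy sender", LEGACY_SENDER), ("modern sender", MODERN_SENDER)):
        parsed = parse_client_hello(hello)
        print(label, [VERSION_NAMES.get(v, hex(v)) for v in parsed["versions"]],
              "shared with DA default:", shared_ciphers(DA_DEFAULT_SPEC, hello),
              "with posted list:", shared_ciphers(POSTED_SPEC, hello))
```

Run as-is, the TLS 1.2-only sender shares nothing with the default list and only ECDHE-RSA-AES128-SHA256 with the extended one, while the TLS 1.3-capable sender negotiates fine with either; with a real capture, hand parse_client_hello the raw bytes of the peer's ClientHello record. Two caveats worth keeping in mind: a misspelled name in tls_require_ciphers disappears without any log entry, so always check unrecognised_tokens after editing the file, and probing a sender's MX with openssl s_client -starttls smtp shows that host's server-side cipher list, which is not necessarily what its outbound MTA offers when it connects to you.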
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
792
Location
Netherlands Germany
Please check and ask your customers (their IT for mail servers)

what they use and want, so it could be more modern or even old; if old, advise them to update for security reasons. (So you have to talk to those responsible for that IT part.)

For support here: what OS do they use? OS version and some more info about versions.

You can search the forum for modern settings, config, TLS versions and more.
 

jvdwilk

Verified User
Joined
Aug 2, 2006
Messages
20
You do realize that this is about INBOUND email, from all over the world, sent TO my customers' mailboxes?
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
1,304
Location
Murfreesboro
Well, it might be best to note some items about your server.
OS & version
CustomBuild version

option.conf settings in Area
#Mail Settings
exim=
eximconf=
eximconf_release=
blockcracking=
easy_spam_fighter=
spamd=
sa_update=
dovecot=
dovecot_conf=
mail_compress=
pigeonhole=

#Advanced Settings
ssl_configuration=

Maybe this is an older server with older config? Can't tell much to guide you.
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
792
Location
Netherlands Germany
jvdwilk said:
You do realize that this is about INBOUND email, from all over the world, sent TO my customers' mailboxes?
Even then, if their things are too old or not supported, they should update. (NOT YOU (putting old stuff back on the server), for security reasons, but that is up to you.)
(I'm glad that a lot of servers used for spamming are using old stuff, so there are fewer spammers and hackers trying with the boxes they control, mostly because of that.)

But first look at the above, and check if your server config is alright.
There are a lot of online testers for mail, e.g. https://www.checktls.com/index.html#HowTo ; searching the forum here you can find the main default settings for different configs.

Depending on OS and versions and so on.

If people want to mail with us, the minimum is TLS 1.2 and secure ciphers; if not, then we take no risk: they can call us or use another mail service. I don't know if your box has a good config, so I'm only saying IF.
How-tos are in the help and here on the forum.

See how old that rfc cipher is:
 

jvdwilk

Verified User
Joined
Aug 2, 2006
Messages
20
System is a bit old, but the software is pretty much up-to-date:

OS & version - CloudLinux 6 - 2.6.32-954.3.5.lve1.4.78.el6.x86_64
CustomBuild version - 2.0.0 (rev: 2496)
About 2 weeks ago ALL software has been updated to the latest versions with a yum update and through Custombuild.

option.conf settings in Area
#Mail Settings
exim=yes
eximconf=yes
eximconf_release=4.5
blockcracking=yes
easy_spam_fighter=yes
spamd=spamassassin
sa_update=daily
dovecot=yes
dovecot_conf=yes
mail_compress=no
pigeonhole=yes

#Advanced Settings
ssl_configuration=intermediate
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
1,304
Location
Murfreesboro
jvdwilk said:
#Advanced Settings
ssl_configuration=intermediate
choices are ssl_configuration: modern, intermediate, old. Current value: intermediate. Default value: intermediate.

So the intermediate setting is based on
dovecot
https://ssl-config.mozilla.org/#ser...fig=intermediate&openssl=1.1.1d&guideline=5.4
exim

Old would be
dovecot
exim

jvdwilk said:
I have created a file /etc/exim.variables.conf.custom and inserted the following line:
You only need to do this if you want something non-standard. You might compare what you want versus the 3 standard options.

other links for thought


 