المساعد الشخصي الرقمي

مشاهدة النسخة كاملة : فايروول السي بانل CSF Firewall حل مشكلة Check dovecot weak SSL/TLS Ciphers



Rise Company
04-03-2021, 01:19
فايروول السي بانل CSF Firewall حل مشكلة Check dovecot weak SSL/TLS Ciphers
Check dovecot weak SSL/TLS Ciphers (ssl_cipher_list)

هذه المقاله هامة جدا هتوضح سبب حدوث update فى cpanel
جعل تشفير الايميلات تتوقف عن العمل بسبب التحويل من ssl الى tls

----------------------------

For some reason Dovecot reset the TLS configuration after the latest update. cPanel has opened an internal case number for this, which is CPANEL-28089. If you made changes to this value before, you'll need to roll them back to what they were before.

Version 68 of cPanel introduced new SSL ciphers to increase the security of the mail server; this enables TLS 1.2 and disables older SSL protocols such as TLS 1.0.

You can read more on this through the blog post here, TLS Changes in Version 68. TLS Changes in Version 68 | cPanel Blog (https://blog.cpanel.com/tls-changes-in-version-68/)

While cPanel makes every effort to ensure our product is as secure as possible, this does mean older operating systems and mail clients will be affected.

Due to Windows 7 being an older system, versions of Outlook (2007 & 2010) on Windows 7 can only offer TLS 1.0 and below. Microsoft did release a patch to resolve this and enable the newer protocols, TLS 1.1 and TLS 1.2. You can read more information on Microsoft's blog here: Enabling TLS 1.1 and 1.2 in Outlook on Windows 7 (https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/)

Please keep in mind this is not a defect or an issue with cPanel, but an incompatibility with outdated client software. Updating the client software to support TLS 1.2 will help maintain overall security.

There are two options to help resolve the issues you are currently facing. Please note, Option 1 is the recommended solution.

[Option 1]: (RECOMMENDED) To enable TLS 1.2 for Windows 7, you will need to patch your system to modify the registry. Be sure your system is fully updated through the update center, and then download and install the patch from Microsoft's website here: https://support.microsoft.com/en-us...-and-tls-1-2-as-a-default-secure-protocols-in (https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in)

After that is installed, be sure to reboot your local computer as well to ensure the patch was applied. Once you're back online, please try to connect to the cPanel server again.

[Option 2]: (NOT RECOMMENDED) If you must enable TLS 1.0 on the WHM/cPanel server for compatibility, then in WHM >> Home >> Service Configuration >> Exim Configuration Manager > Basic Settings:

Ensure that "Allow weak SSL/TLS ciphers" is "Off".

Change "SSL/TLS Cipher Suite List" to (this is one long line):
====
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
====

And change "Options for OpenSSL" to:
====
+no_sslv2 +no_sslv3
====

Then "Save" at the bottom of the page.

This will enable TLS 1.0, 1.1, and 1.2 and should provide compatibility with older mail servers and clients that only support TLS 1.0.

For Dovecot in WHM >> Home >> Service Configuration >> Mailserver Configuration:

Change "SSL Cipher List" to (this is one long line):
====
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
====

Change "SSL Minimum Protocol" to:
====
TLS1
====

Once that is enabled, or you have fully patched your Windows install, Windows should be able to connect to the server again.

المرجع:
https://forums.cpanel.net/threads/cpanel-28089-dovecot-tls-configuration-reset-upon-update.655779/

Rise Company
04-03-2021, 01:55
I looked for everything. My server does not accept old outlook
Yes you would need to enable SSLv3 in dovecot and exim to allow old Outlook programs to connect.

Rise Company
04-03-2021, 01:57
Really old Outlook doesn't use TLS but SSLv3 - if it's that instance @GOT (https://forums.cpanel.net/members/9520/) would be correct you'd have to allow SSLv3 if you had to accept it. Which I wouldn't recommend. If it's just that it's using an older encryption method that's been deemed weak @vacancy (https://forums.cpanel.net/members/356382/)'s suggestion would be sufficient.