+
1 3 3
  1. #1
    Status
    Offline
      Rise Company
    Engineering and Technology
    Apr 2014
    Egypt
    4,642
    10

    CSF Firewall Check dovecot weak SSL/TLS Ciphers


    CSF Firewall Check dovecot weak SSL/TLS Ciphers
    Check dovecot weak SSL/TLS Ciphers (ssl_cipher_list)

    update cpanel
    ssl tls

    ----------------------------

    For some reason Dovecot reset the TLS configuration after the latest update. cPanel has opened an internal case number for this, which is CPANEL-28089. If you made changes to this value before, you'll need to roll them back to what they were before.

    Version 68 of cPanel introduced new SSL ciphers to increase the security of the mail server; this enables TLS 1.2 and disables older SSL protocols such as TLS 1.0.

    You can read more on this through the blog post here, TLS Changes in Version 68. TLS Changes in Version 68 | cPanel Blog

    While cPanel makes every effort to ensure our product is as secure as possible, this does mean older operating systems and mail clients will be affected.

    Due to Windows 7 being an older system, versions of Outlook (2007 & 2010) on Windows 7 can only offer TLS 1.0 and below. Microsoft did release a patch to resolve this and enable the newer protocols, TLS 1.1 and TLS 1.2. You can read more information on Microsoft's blog here: Enabling TLS 1.1 and 1.2 in Outlook on Windows 7

    Please keep in mind this is not a defect or an issue with cPanel, but an incompatibility with outdated client software. Updating the client software to support TLS 1.2 will help maintain overall security.

    There are two options to help resolve the issues you are currently facing. Please note, Option 1 is the recommended solution.

    [Option 1]: (RECOMMENDED) To enable TLS 1.2 for Windows 7, you will need to patch your system to modify the registry. Be sure your system is fully updated through the update center, and then download and install the patch from Microsoft's website here: https://support.microsoft.com/en-us...-and-tls-1-2-as-a-default-secure-protocols-in

    After that is installed, be sure to reboot your local computer as well to ensure the patch was applied. Once you're back online, please try to connect to the cPanel server again.

    [Option 2]: (NOT RECOMMENDED) If you must enable TLS 1.0 on the WHM/cPanel server for compatibility, then in WHM >> Home >> Service Configuration >> Exim Configuration Manager > Basic Settings:

    Ensure that "Allow weak SSL/TLS ciphers" is "Off".

    Change "SSL/TLS Cipher Suite List" to (this is one long line):
    ====
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ====

    And change "Options for OpenSSL" to:
    ====
    +no_sslv2 +no_sslv3
    ====

    Then "Save" at the bottom of the page.

    This will enable TLS 1.0, 1.1, and 1.2 and should provide compatibility with older mail servers and clients that only support TLS 1.0.

    For Dovecot in WHM >> Home >> Service Configuration >> Mailserver Configuration:

    Change "SSL Cipher List" to (this is one long line):
    ====
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ====

    Change "SSL Minimum Protocol" to:
    ====
    TLS1
    ====

    Once that is enabled, or you have fully patched your Windows install, Windows should be able to connect to the server again.

    :
    https://forums.cpanel.net/threads/cp...update.655779/

    ------------------------------------------------------------------------
    Rise Company for Engineering & Technology
    ------------------------------------------------------------------------
    Web Hosting | Web Designing | E-Marketing

    # 1 Business Services

    Web Hosting - Business Emails

    Web Design - Google Adwords

    www.rise.company | www.rise.company/emails

    :
    ! .



  2. #2
    Status
    Offline
      Rise Company
    Engineering and Technology
    Apr 2014
    Egypt
    4,642
    10

    : CSF Firewall Check dovecot weak SSL/TLS Ciphers

    I looked for everything. My server does not accept old outlook
    Yes you would need to enable SSLv3 in dovecot and exim to allow old Outlook programs to connect.
    ------------------------------------------------------------------------
    Rise Company for Engineering & Technology
    ------------------------------------------------------------------------
    Web Hosting | Web Designing | E-Marketing

    # 1 Business Services

    Web Hosting - Business Emails

    Web Design - Google Adwords

    www.rise.company | www.rise.company/emails

    :
    ! .



  3. #3
    Status
    Offline
      Rise Company
    Engineering and Technology
    Apr 2014
    Egypt
    4,642
    10

    : CSF Firewall Check dovecot weak SSL/TLS Ciphers

    Really old Outlook doesn't use TLS but SSLv3 - if it's that instance @GOT would be correct you'd have to allow SSLv3 if you had to accept it. Which I wouldn't recommend. If it's just that it's using an older encryption method that's been deemed weak @vacancy's suggestion would be sufficient.
    ------------------------------------------------------------------------
    Rise Company for Engineering & Technology
    ------------------------------------------------------------------------
    Web Hosting | Web Designing | E-Marketing

    # 1 Business Services

    Web Hosting - Business Emails

    Web Design - Google Adwords

    www.rise.company | www.rise.company/emails

    :
    ! .



  1. : 0
    : 05-04-2020, 17:04
  2. : 0
    : 31-03-2020, 23:12
  3. : 0
    : 08-12-2018, 01:08
  4. : 0
    : 03-12-2018, 22:23
  5. : 0
    : 13-06-2018, 12:04