SSLv3 Qmail Problem

Created:

2016-11-16 13:22:00 UTC

Modified:

2017-08-08 13:15:41 UTC


Applicable to:

  • Plesk 12.5 for Linux

Question

Even though SSLv3 support is disabled in the QMail control file /var/qmail/control/tlsserverciphers:

# cat /var/qmail/control/tlsserverciphers
ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM

Checking the example.com domain with https://ssl-tools.net/mailservers/ shows:

Weak algorithms supports RSA_WITH_RC4_128_SHA SSLv3

Why?

Answer

Although SSLv3 is disabled, it is not possible to disable "SSLv3 cipher suites" as such, because there is no separate set of them: all SSLv3 cipher suites are also used by all TLS versions (TLS 1.1/1.2 just add some new ones). So if the configuration file excludes the SSLv3 cipher suites, support for TLSv1.0 is removed too. Since SSLv2 has also been excluded, that leaves only the TLSv1.2 cipher suites.

To adjust QMail security and pass the ssl-tools.net test, perform the following:

  1. Put the following into /var/qmail/control/tlsserverciphers:

    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

  2. Restart the QMail service:

    # service qmail restart
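
To check what a cipher string selects before writing it to tlsserverciphers, the following added example (not part of the original article) expands both strings shown above with Python's ssl module and counts the suites per version label. It reports on the OpenSSL build Python is linked against, which is assumed here to match the one QMail uses, so the counts vary by OpenSSL version; WEAK_MARKERS is a list chosen for this example.

```python
import ssl
from collections import Counter

# Cipher strings taken from the article.
ORIGINAL = "ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM"
RECOMMENDED = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
               "DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:"
               "!aNULL:!MD5:!DSS")

# Name fragments treated as weak in this example (an assumption, not a
# list taken from the article or from ssl-tools.net).
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "ADH", "AECDH")


def expand(cipher_string):
    """Return the suites the local OpenSSL selects for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit(cipher_string):
    """Summarise a cipher string: suites per label, plus weak suite names."""
    suites = expand(cipher_string)
    # 'protocol' is the version label OpenSSL attaches to each suite. It is
    # a property of the suite, not a list of protocols the server accepts.
    by_label = Counter(s["protocol"] for s in suites)
    weak = sorted(s["name"] for s in suites
                  if any(m in s["name"] for m in WEAK_MARKERS))
    return {"total": len(suites), "by_label": dict(by_label), "weak": weak}


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION)
    for title, string in (("original", ORIGINAL), ("recommended", RECOMMENDED)):
        result = audit(string)
        print(f"{title}: {result['total']} suites, labels={result['by_label']}")
        print("  weak:", ", ".join(result["weak"]) or "none")
```

An empty "weak" list for the recommended string only describes what the string selects; re-run the ssl-tools.net check after the restart to confirm what the server actually offers.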