Actually, doing the openssl ciphers > /var/qmail/control/tlsserverciphers is a
starting point.

After I did that, I then ran my server through some tests. I happen to use
OpenVAS [which tool you want to use to find insecure SSL connections is up to
you]. It was able to tell me which ciphers to disable and why. Whichever
product you use to test the SSL should be one that's up to date [or can be
brought up to date]. For example, I run the tests against my email server every
week [for example, I test against ports 25, 465 and 587]. In my case, I also use
OpenVAS to test the HTTPS side.

If you're using Dovecot, you will also want to put the ssl_cipher_list in
/etc/dovecot/dovecot.conf as well as the ssl_protocols list. This protects your
IMAPS and POP3S protocols. Again, OpenVAS is set to run against those protocols
as well.

Carl

From: Gary Bowling [mailto:g...@gbco.us]
Sent: Tuesday, September 03, 2019 03:35 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SSL Problem Dovecot

Thanks for that Carl. I'm running openssl-1.0.2k-16.el7_6.1.x86_64

Pretty much everything about my server is continuously updated stock CentOS 7.
Currently at CentOS Linux release 7.6.1810 (Core).

I do have EPEL installed, which updates some things, and the QMT repo. That's
it, and I'm a stickler for NOT installing anything that isn't done through yum
and those repos. I've done this long enough to know that it's much easier to
maintain, migrate to a new server, etc. if you're running everything in a
managed way. So installing the repos and doing yum installs is pretty much the
only way anything ever changes on my server, sans config files.

Would be very interested in knowing not only the proper tlsserverciphers file
for this type of server, but also how to create/recreate it if it's a command
done from openssl. Looks like you can create it with the command:

openssl ciphers > /var/qmail/control/tlsserverciphers

But what I'm reading is that your advice is to NOT do that due to security
concerns. So what would you recommend?

Thanks, Gary

On 9/3/2019 3:28 PM, CarlC Internet Services Service Desk wrote:

Your real problem is that this file is different based on which CentOS you're
on [or should I say, which openssl is loaded]. If you have CentOS 7, with
openssl 1.0.2k, you can tune this file to include each cipher you want [the
file can actually be 10+ lines long wrapped]. This is so you can remove all the
"hacked" ciphers, especially to force your clients' security to remain high. If
you're running openssl 0.9.x, you don't get the newer TLS ciphers you need to be
secure.

Using the default is way too low, and if you do, you will see where someone gets
hacked over a 'free' WiFi connection [because you had SSL 3.0/TLS 1.0 on].

Carl

From: Gary Bowling [mailto:g...@gbco.us]
Sent: Tuesday, September 03, 2019 02:58 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] SSL Problem Dovecot

So this may be an issue of the tlsserverciphers file. Sometimes it's
interesting not knowing what you're doing! haha

I guess the question I have is.. What is the proper tlsserverciphers for a
qmailtoaster with a Let's Encrypt certificate. If that even makes sense.

And what is the proper way to actually do it. I've read multiple things on
various forums, including here.

One says to do:

echo "!EDH:!DHE:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL" > /var/qmail/control/tlsserverciphers

One says to do:

openssl ciphers 'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES' > /var/qmail/control/tlsserverciphers

Yet another says to create a symlink to the servercert.pem file.

ln -sf /var/qmail/control/servercert.pem /var/qmail/control/tlsserverciphers

I guess it has to do with how tight you want security to be and maybe
tlsserverciphers can contain various forms of how to define that. Just looking
for what "most" people would use for an up to date CentOS 7 server.

Thanks, Gary

On 9/3/2019 11:04 AM, Gary Bowling wrote:

I had to get a new cert for my server, which I installed yesterday. Now I'm
having problems with certain clients logging in. I get the following error in
the dovecot.log.

TLS handshaking: SSL_accept() failed: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number

Any help would be appreciated.

Thanks, Gary 

-- 
____________________
Gary Bowling
____________________

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com


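The thread leaves Gary with three conflicting recipes for tlsserverciphers and
no way to tell which one is sane before putting it in front of qmail-smtpd. The
script below is an added example written for this page, not code from the
thread or from the qmailtoaster project. It feeds each recipe to Python's ssl
module, which hands the string to the same OpenSSL cipher-string parser that
`openssl ciphers` uses, so running it on the mail server itself shows the exact
suite list that box's OpenSSL (1.0.2k in Gary's case) would offer on 25, 465
and 587. The three recipes are the ones quoted above; the PEM text standing in
for the "symlink servercert.pem" suggestion is constructed, and the HARDENED
string is this editor's suggestion, not something the thread recommends. On a
1.0.2 build the DEFAULT list (what bare `openssl ciphers` prints) typically
still carries RC4 and DES-CBC3 suites, and HIGH on its own still admits the
anonymous ADH/AECDH suites that only `!aNULL` removes, which is exactly what
OpenVAS was flagging for Carl. One caveat the cipher file cannot fix: a cipher
list does not by itself turn off SSL 3.0 or TLS 1.0; for Dovecot that is the
ssl_protocols setting Carl mentions.

```python
"""Audit candidate lines for /var/qmail/control/tlsserverciphers.

Python's ssl module passes the string to OpenSSL's cipher-string parser, the
same one `openssl ciphers` uses, so the expansion seen here is what the
OpenSSL build this runs on would give qmail-smtpd. Run it on the mail server
to see that build's list; results differ between 1.0.2 and newer builds.
"""
import ssl

# Suite-name tokens that should never appear in a list served on 25/465/587:
# RC4, single/triple DES, NULL encryption, MD5 MACs, export grades and the
# anonymous (unauthenticated) DH / ECDH key exchanges.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP", "ADH", "AECDH")

# Candidate file contents. The first three are the recipes quoted in the
# thread; the fourth is a constructed stand-in for "ln -sf servercert.pem
# tlsserverciphers", whose content is a PEM certificate, not a cipher string.
CANDIDATES = {
    "openssl ciphers > tlsserverciphers (DEFAULT list)": "DEFAULT",
    "echo ... > tlsserverciphers":
        "!EDH:!DHE:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:"
        "+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL",
    "openssl ciphers 'MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES'":
        "MEDIUM:HIGH:!SSLv2:!MD5:!RC4:!3DES",
    "ln -sf servercert.pem tlsserverciphers":
        "-----BEGIN CERTIFICATE-----\nMIIBszCCAVkCAQEwDQYJ\n"
        "-----END CERTIFICATE-----\n",
}

# Suggested line (this example's assumption, not from the thread): HIGH-strength
# suites only, no anonymous key exchange, no NULL/MD5/RC4/3DES/export.
HARDENED = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXPORT"


def expand(cipher_string):
    """Return the TLS<=1.2 suite names a cipher string selects, or None when
    OpenSSL rejects the string (bad syntax or no selectable cipher)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # OpenSSL configures TLS 1.3 suites separately and always reports them;
    # tlsserverciphers only governs the TLS 1.0-1.2 list, so drop them here.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(names):
    """Suite names containing a weak marker as a '-'-separated token."""
    return [n for n in names if any(tok in WEAK_MARKERS for tok in n.split("-"))]


def audit(candidates=CANDIDATES):
    """Map each candidate label to {valid, suites, weak}."""
    report = {}
    for label, cipher_string in candidates.items():
        names = expand(cipher_string)
        if names is None:
            report[label] = {"valid": False, "suites": 0, "weak": []}
        else:
            report[label] = {"valid": True, "suites": len(names),
                             "weak": weak_suites(names)}
    return report


def hardened_line():
    """Return HARDENED only if this build expands it to a non-empty list with
    no weak suites; raise so nobody installs an unverified line."""
    names = expand(HARDENED)
    if not names or weak_suites(names):
        raise RuntimeError("HARDENED failed its own audit on this OpenSSL build")
    return HARDENED


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for label, verdict in audit().items():
        print(f"\n{label}")
        if not verdict["valid"]:
            print("  rejected by OpenSSL: not a cipher string")
        else:
            print(f"  {verdict['suites']} TLS<=1.2 suites; "
                  f"weak: {verdict['weak'] or 'none'}")
    print("\nverified line for tlsserverciphers:", hardened_line())
```

Run it as root on the server (python3 audit_tlsserverciphers.py, any file
name) and only then write the verified line with a plain echo into
/var/qmail/control/tlsserverciphers. Re-run it after every openssl update, since
the expansion of aliases such as HIGH and DEFAULT moves with the library, and
keep the external scan of 25, 465 and 587 that Carl describes as the check that
what qmail-smtpd actually offers matches what the file says.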