> I’ve replaced the web GUI certificate (done that many times), but > the old certificate appears still to be in use for SMTP. This > certificate is now expired. > How can the MTA be configured to use the new certificate?
The community edition of the virtual appliance does not support uploading a new cert for the MTA (the pro/enterprise edition has support for this). So you, or someone else, probably uploaded and configured the cert manually. Since the underlying SMTP is postfix, it should be easy to replace the certificate. Note: in the upcoming release of the community edition we also copy the cert for the web GUI to the postfix config. > I’m using an appliance VM image (V4.3.0-1, with the latest updates), > and it is still using TLS1.0/1.1, SSLv3 and RC4 cipher suites > How can those old protocols/ciphers be disabled? It should be noted that Postfix (and SMTP in general) by default provides opportunistic TLS, i.e., use TLS if available, if not connect with TLS. Disabling weak ciphers does not increase the security level if you still allow unencrypted connections (when DANE is used things are different). That said, since Postfix is used for the MTA part, you can easily disable weak ciphers. For example to disable TLS <= 1.1 add the following line to te postfix main config (main.cf) smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 The above configuration disables TLS <= 1.1 for the SMTP daemon If you would like to disable weak ciphermail for the SMTP client, use smtp_tls_mandatory_protocols Again, disabling weak ciphers might result in fallback to *no* TLS if the SMTP server you are connecting to does not support TLS >= 1.2 For more information on TLS configuration of Postfix see: http://www.postfix.org/TLS_README.html For the upcoming release of the gateway we will review the default TLS configuration. Kind regards, Martijn Brinkers -- CipherMail email encryption Email encryption with support for S/MIME, OpenPGP, PDF Messenger and Webmail Messenger On Tue, 2021-05-25 at 13:35 +0000, m.erdmann--- via Users wrote: > Hello, > > Our security department scanned the ciphermail gateway and is seeing > issues that need to be fixed: > > I’ve replaced the web GUI certificate (done that many times), but > the old certificate appears still to be in use for SMTP. This > certificate is now expired. > How can the MTA be configured to use the new certificate? > I’m using an appliance VM image (V4.3.0-1, with the latest updates), > and it is still using TLS1.0/1.1, SSLv3 and RC4 cipher suites > How can those old protocols/ciphers be disabled? > > More issues are found, but I’ll focus on these issues first. > > Met vriendelijke groet / Regards, > > Michel Erdmann >
