March 21, 2006

This post is meant to save others time in finding a solution for the above.  Since the solution isn’t documented anywhere on the Internet, it was a matter of trial and error before QualysGuard passed a server scan (for a friend) with no level 3 vulnerabilities (port 25 over SSL).

First of all, some background information. By default, QMail configured with TLS support uses this default set of OpenSSL ciphers:
ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH

The @STRENGTH keyword sorts the ciphers by strength.

Qualys does not consider SSLv2 ciphers strong, because of various known vulnerabilities in the protocol, nor does it permit anonymous authentication (ADH) ciphers.

The solution is to create two files containing a modified set of ciphers:
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

The files that must be created are ‘/var/qmail/control/tlsserverciphers’ and ‘/var/qmail/control/tlsclientciphers’.

Restart QMail and voila, your QMail server is now configured to use strong ciphers that Qualys will approve of :)
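To see what the two cipher strings above actually select, here is a small evaluator of OpenSSL cipher-list syntax, added here as an illustration and not part of the original post or of QMail. It runs over a constructed table of a handful of period cipher suites (not the real OpenSSL table) and shows that @STRENGTH on its own does nothing to demote SSLv2, LOW or EXP suites, whereas the replacement string removes them outright.

```python
# Added example (not from the post): toy evaluator for OpenSSL cipher-list syntax.
# Table: suite name -> (keyword tags it matches, key bits). Constructed, not the
# real OpenSSL table; "RSA" means RSA key exchange, as in OpenSSL's keywords.
CIPHERS = {
    "DHE-RSA-AES256-SHA": ({"ALL", "HIGH", "aRSA", "DH", "SSLv3"}, 256),
    "DES-CBC3-SHA":       ({"ALL", "HIGH", "RSA", "aRSA", "SSLv3"}, 168),
    "AES128-SHA":         ({"ALL", "HIGH", "RSA", "aRSA", "SSLv3"}, 128),
    "RC4-SHA":            ({"ALL", "MEDIUM", "RSA", "aRSA", "RC4", "SSLv3"}, 128),
    "DES-CBC-SHA":        ({"ALL", "LOW", "RSA", "aRSA", "SSLv3"}, 56),
    "EXP-RC4-MD5":        ({"ALL", "EXP", "RSA", "aRSA", "RC4", "SSLv3"}, 40),
    "ADH-AES128-SHA":     ({"ALL", "HIGH", "ADH", "aNULL", "DH", "SSLv3"}, 128),
    "DES-CBC3-MD5":       ({"ALL", "HIGH", "RSA", "aRSA", "SSLv2"}, 168),
    "RC2-CBC-MD5":        ({"ALL", "MEDIUM", "RSA", "aRSA", "SSLv2"}, 128),
    "NULL-SHA":           ({"eNULL", "RSA", "aRSA", "SSLv3"}, 0),  # ALL excludes eNULL
}

QMAIL_DEFAULT = "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
QUALYS_OK = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"
FLAGGED = {"SSLv2", "aNULL", "eNULL", "LOW", "EXP"}  # tags the post says the scan objects to


def matches(name, term):
    """'RC4+RSA' matches a suite that carries every '+'-joined tag."""
    return all(t in CIPHERS[name][0] for t in term.split("+"))


def expand(spec):
    """Evaluate a cipher list left to right: a bare term appends new matches,
    '!' deletes for good, '-' deletes, '+' moves matches to the end,
    and @STRENGTH sorts the current list by key bits (strongest first)."""
    selected, killed = [], set()
    for item in spec.split(":"):
        if item == "@STRENGTH":
            selected.sort(key=lambda n: -CIPHERS[n][1])  # stable sort
            continue
        op, term = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        hits = [n for n in CIPHERS if matches(n, term)]
        if op == "!":
            killed.update(hits)
        if op in ("!", "-"):
            selected = [n for n in selected if n not in hits]
        elif op == "+":
            selected = [n for n in selected if n not in hits] + [n for n in selected if n in hits]
        else:
            selected += [n for n in hits if n not in selected and n not in killed]
    return selected


def flagged_ciphers(spec):
    """Suites the list still offers that carry a tag Qualys rejects."""
    return [n for n in expand(spec) if CIPHERS[n][0] & FLAGGED]


if __name__ == "__main__":
    for spec in (QMAIL_DEFAULT, QUALYS_OK):
        print(spec, "->", expand(spec), "flagged:", flagged_ciphers(spec))
```

Note that with the default string the 168-bit SSLv2 suite is sorted above the 128-bit SSLv3 suites by @STRENGTH, so "+SSLv2" never actually pushes SSLv2 to the back; only "!SSLv2" removes it.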


Currently 3 comments

  1. Comment by Avinesh

    However, if you ARE using IMAP or POP3 over SSL with TLS, I would recommend updating the aforementioned files to use the strong TLS cipher set mentioned in the blog post.

  2. Comment by Avinesh

    Sorry for the long delay.

    1. The key is to edit /etc/courier-imap/imapd-ssl.
    2. Look for the following two lines:
    IMAPDSSLSTART=YES
    IMAPDSTARTTLS=YES
    3. Change those lines to read NO.
    4. Edit /etc/courier-imap/pop3d-ssl in the same manner.
    5. Restart the courier-imap daemon: service courier-imap restart
    6. Voila, fixed :-)

  3. Comment by Ian

    Thanks for posting this. I managed to reduce some of the level 3 warnings on my Qualys check after this.

    How did you get rid of the port 993/995 warnings?
