Ports 110, 995, 143, 993 TLSv1.0 are enabled?
Hello,
I am running cPanel v78.0.17 on CentOS 7.6.
We had a PCI compliance scan in January that we passed.
We received another scan March 8th and failed the scan.
The scan found Ports 110, 995, 143, 993 with TLSv1.0 enabled.
However, we have Exim configured with the OpenSSL option:
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
This should force TLSv1.2, correct?
When I looked here (How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation) it says to just add +no_tlsv1. However, it is already there.
Can anyone provide direction on this issue?
I usually open a ticket for this; however, cPanel is now pointing to my license provider for support, who is being slow to respond.
Thanks,
Mike
Hello,

Maybe I am not understanding my own testing. I read more on the above link and see I was looking in the wrong section of WHM. I should have been looking at WHM >> Home >> Service Configuration >> Mailserver Configuration, in the "SSL Minimum Protocol" section. I have now set this to TLSv1.2.

When I test with openssl s_client -connect 192.xx.xx.xxx:995 -tls1 at the command prompt I get the following. Does this mean this is disabled?

=========================
[root@host76 ~]# openssl s_client -connect 192.xx.xx.xxx:995 -tls1
CONNECTED(00000003)
140033341241232:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1552657673
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Those ports are for Dovecot, not Exim, so you need to set the same ciphers in the mail server config area of WHM.
Hello,

Either way, that's not a successful connection. If you connect successfully you'll get the SMTP banner at the end of the transaction, similar to the following:

220-server.mydomain.com ESMTP Exim 4.91 #1 Fri, 15 Mar 2019 16:01:00 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
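The check in the second post (one port, one protocol flag, read by eye) can be turned into a repeatable audit. The following is an added shell example, not cPanel's code and not code from anyone in this thread. It classifies an openssl s_client transcript the way the reply above does, by whether a cipher suite was actually negotiated, and then loops over the four ports from the scan with each protocol flag. The host name is a placeholder you pass on the command line; the two embedded transcripts are constructed, the refused one modelled on the output posted above. Two points the one-off test does not surface: ports 110 and 143 are STARTTLS ports, so they have to be probed with -starttls pop3 / -starttls imap rather than as implicit TLS, and an OpenSSL client built without TLS 1.0 support rejects the -tls1 flag itself, which would otherwise look like a server refusal and give a false pass.

```shell
#!/bin/sh
# Added example (not cPanel's or the thread author's code): decide from an
# "openssl s_client" transcript whether a protocol version was accepted, then
# use that to audit the four mail ports named in the thread.

# classify TRANSCRIPT -> prints ACCEPTED, REFUSED or ERROR.
# s_client prints a "New, <proto>, Cipher is <suite>" line even when the
# handshake fails; on failure the suite is "(NONE)". Anything that never got
# as far as a handshake (client lacks the protocol, no connection) is ERROR so
# it is not mistaken for the server refusing the version.
classify() {
  case "$1" in
    *"nknown option"*)                               echo ERROR ;;    # client build lacks this -tls flag
    *"Cipher is (NONE)"*)                            echo REFUSED ;;
    *"handshake failure"*|*"wrong version number"*)  echo REFUSED ;;
    *"Cipher is "*)                                  echo ACCEPTED ;;
    *)                                               echo ERROR ;;    # connection refused, timeout, ...
  esac
}

# Constructed transcript of a refused handshake, modelled on the output posted
# in the thread (session details trimmed).
REFUSED_SAMPLE='CONNECTED(00000003)
140033341241232:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# Constructed transcript of an accepted TLSv1.2 handshake.
ACCEPTED_SAMPLE='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported'

# probe HOST PORT FLAG: run s_client with one version flag (-tls1, -tls1_1,
# -tls1_2) and print the verdict. 110 and 143 are plaintext ports upgraded
# with STARTTLS, so they need -starttls; 995 and 993 are implicit TLS.
# Needs network access to a real host; not exercised offline.
probe() {
  host=$1 port=$2 flag=$3
  case $port in
    110) extra='-starttls pop3' ;;
    143) extra='-starttls imap' ;;
    *)   extra='' ;;
  esac
  # $extra is deliberately unquoted so its two words split into two arguments.
  out=$(openssl s_client -connect "$host:$port" "$flag" $extra </dev/null 2>&1)
  printf '%-5s %-8s %s\n' "$port" "$flag" "$(classify "$out")"
}

# Usage: sh tls_audit.sh mail.example.com     (placeholder host name)
# On a Dovecot with "SSL Minimum Protocol" set to TLSv1.2, every -tls1 and
# -tls1_1 line should read REFUSED and every -tls1_2 line ACCEPTED.
if [ $# -ge 1 ]; then
  for port in 110 995 143 993; do
    for flag in -tls1 -tls1_1 -tls1_2; do
      probe "$1" "$port" "$flag"
    done
  done
fi
```

Run it against the server from a host outside the mail server's own network where possible, since the PCI scanner connects from outside and the ERROR rows (if any) are the client or the path, not the server.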
Hello,

Thank you for looking. This was helpful.

- Mike