Enforce/require TLS
Hi guys,
Now my time for a question :)
I got a good question from a client.
According to the "new" GDPR policy in EU, companies are obligated to enforce TLS1.2 in all mail communication that includes PII from client to destination mailserver.
cPanel by default require TLS1.2 for authenticating, so the connection from client to cPanel mailserver is always encrypted with TLS1.2, but there are - to my knowledge - no feature to enforce/require TLS1.2 to the destination mailserver.
I know that you can configure Exim fx by using hosts_require_tls to require TLS for certain domains, etc. - just wondering if any of you have tried this out or have a working solution? Thanks! ;)
Hey there! You're correct that most of the options in WHM handle messages being sent by users through Exim, but there isn't much for general messages coming in to the machine. One of my colleagues and I are going to break two mailservers to see if we can replicate this - I'll post back soon once I have more details.
While looking into this, I found that cPanel is already set up by default to only use TLS 1.2 as of version 86, so as long as you have not customized the cipher list or have enabled weak ciphers, your server will do this by default. We have the following listed in our documentation page here: How to Update Ciphers and TLS Protocols | cPanel & WHM Documentation "cPanel & WHM supports Transport Layer Security (TLS) protocol version 1.3: Beginning in cPanel and WHM version 86, cPanel & WHM only supports TLSv1.2 or newer. The system also enables TLSv1.2 by default."
Hi, Yes I know that TLS 1.2 is the default and it's enabled by default.... but... it's not forced. So users/servers are still able to SMTP in plaintext :)
By default, I see this on modern cPanel servers in the WHM >> Exim Configuration Manager: +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
so that would indicate no older versions are accepted. Do you also have the "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server" option enabled?
Hi, I think you misunderstand - or maybe I'm not clear enough :) I'm not talking about enforcing certain TLS/SSL versions, I'm talking about enforcing TLS/SSL in general to not allow plaintext SMTP at all. Fx now, I'm able to do a telnet server 25 directly to a mail/cPanel server without initiating a startssl session - allowing me to send a mail via plaintext smtp... which actually is not "allowed" with GDPR in Europe. With GDPR we'd need to enforce smtp encryption both for outgoing and incoming mails.
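The two halves of what is being asked for here (outgoing delivery via hosts_require_tls, as mentioned in the opening post, and refusing unencrypted incoming SMTP, as clarified above), written out as an added Exim configuration example that is not from this thread or from cPanel. The transport name remote_smtp and the ACL name acl_check_mail are the stock Exim names; placing the settings through WHM >> Exim Configuration Manager >> Advanced Editor (which writes to /etc/exim.conf.local) is an assumption about the cPanel layout.

```exim
# Added example, not part of this thread. Plain Exim syntax; on cPanel the
# placement via the Advanced Editor / /etc/exim.conf.local is an assumption.

# Main section: STARTTLS must be advertised to every client, or the inbound
# rule below would reject everyone (cPanel 86+ already ships this default).
tls_advertise_hosts = *

# Inbound: acl_smtp_mail runs at MAIL FROM. Reject any session that has not
# completed STARTTLS. Authenticated submission on 465/587 is already
# encrypted, so it passes; only plaintext port-25 sessions are refused.
acl_smtp_mail = acl_check_mail

acl_check_mail:
  deny    message    = TLS is required on this server: reissue MAIL FROM after STARTTLS
          !encrypted = *
  accept

# Outbound: the remote delivery transport refuses to hand a message to any
# MX that does not offer STARTTLS. The message queues with a retry instead
# of being sent in the clear; the default (unset) delivers plaintext.
remote_smtp:
  driver            = smtp
  hosts_require_tls = *
```

Requiring STARTTLS inbound rejects mail from any sender MTA that never negotiates TLS, so review the exim_mainlog for "TLS is required" rejections for a while before treating the rule as permanent.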
Ah - thanks for that clarification. Can you check WHM >> Mailserver Configuration and change the dropdown for "Allow Plaintext Authentication" to "no"? That should stop the behavior you're seeing.
But isn't that just for Dovecot and for authentication?
That's correct, that would be just for Dovecot. When I check my personal machine, I'm not seeing the AUTH option listed after connecting with telnet:

    [root@10-0-0-1 ~]# telnet x.x.x.x 25
    Trying x.x.x.x...
    Connected to domain.com.
    Escape character is '^]'.
    220-host.domain.com ESMTP Exim 4.94.2 #2 Tue, 21 Sep 2021 14:46:22 -0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    ehlo
    250-host.domain.com Hello test.server.com [10.0.0.1]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-STARTTLS
    250 HELP

Without the server advertising the AUTH command, users would get an error when trying to use it:

    auth login
    503 AUTH command used when not advertised

so I believe that is already secured by default.