Disable TLS 1.0 on Exim4?

Hi:

I want to maintain TLSv1.2 and TLSv1.1 and disable TLSv1.0 on ports 25, 465, 587. As you know, since the 30th of June 2018, TLSv1.0 is non-compliant with PCI DSS.

How can I achieve this?

Thanks.

Hello and welcome to Hestia community.

Exim MTA is running on ports 25, 465, 587. I would recommend not disabling TLSv1.0, since you will definitely lose some incoming mail from older mail servers that do not currently support TLS > v1.0. The same applies to outgoing mail.

TLS 1.0 needs to be disabled for PCI compliance and I am also failing due to not being able to disable it.
Exim is not allowing it to be disabled, nor is it allowing specific cipher sets to be set, unless there is a specific code that needs to be set to not allow weak ciphers.

I have everything passing except email relating to Exim.
FTP, nginx and Apache are all OK, and I don't really want to set up a separate email VPS, but will probably have to.

5.0 | FAIL | 465 | TCP | TLS Version 1.0 Protocol Detection (PCI DSS)

Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.

Impact: The remote service accepts connections encrypted using TLS 1.0. This version of TLS is affected by multiple cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Resolution: All processing and third party entities - including Acquirers, Processors, Gateways and Service Providers must provide a TLS 1.1 or greater service offering by June 2016. All processing and third party entities must cutover to a secure version of TLS (as defined by NIST) effective June 2018.

5.0 | FAIL | 465 | TCP | SSL Weak or Medium Strength Cipher Suites Supported

Synopsis: The remote service supports the use of weak or medium strength SSL Ciphers.

Impact: The remote host supports the use of SSL Ciphers that offer weak or medium strength encryption. These ciphers use key lengths of less than 112 bits, or else use the 3DES encryption suite. See also: https://www.openssl.org/blog/blog/2016/08/24/sweet32/

Resolution: Reconfigure the affected application to disable the use of weak and medium strength ciphers.

Data Received: The following ciphers are supported on the service: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

There is no need for a separate VPS mail server; you only need to adjust your Exim installation to your requirements. Basically, you should be able to follow one of the tutorials available on Google.

Found the problem: as Exim is compiled using GnuTLS, the OpenSSL cipher combinations do not work, but they do in Apache, Dovecot, and nginx. I have gone from D and F scores to A and B+, so it just needs a bit more tweaking.

Have passed PCI on email now with SecurityMetrics; TLS 1.0 is removed, as well as all non-compliant and weak ciphers. :smiley:

1 Like

Great!
Can you explain how you got it?

Thanks

@AngeLinuX I have added this in and get a PCI compliance pass at securitymetrics.com (used by Braintree). I have not added TLS 1.3 yet, but you could do so by adding +VERS-TLS1.3 if your configuration supports it.

Under this line: tls_advertise_hosts = * in /etc/exim4/exim4.conf.template

Add this for minimum TLS 1.2:

tls_require_ciphers = SUITEB192:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:-ARCFOUR-128
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}

If you want TLS 1.1 enabled, it is this for the ciphers:
tls_require_ciphers = SUITEB192:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:-ARCFOUR-128
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}

You may need to tweak it a little to match your requirements; the additional details are here at GnuTLS.

@AngeLinuX I found a few issues sending emails with the previous code, so I am using this one, which still passed PCI but needs further ciphers disabled for HIPAA and NIST compliance.

tls_require_ciphers = SECURE256:-ARCFOUR-128:-AES-128-CBC:-CAMELLIA-128-CBC:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2

2 Likes

In the case of Hikvision DVRs, they need RSA… I use this line and all is fine:
tls_require_ciphers = PERFORMANCE:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
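As an added example (not from the thread, and not Hestia or Exim code), the script below checks from the outside what the tls_require_ciphers lines in the posts above actually negotiate on ports 25, 587 and 465, which is the same thing the SecurityMetrics scan does: it attempts a TLS 1.0, TLS 1.1, TLS 1.2 and a 3DES-only handshake against each port and classifies the answer. It assumes `openssl` (1.1.1 or 3.x) is installed on the probing machine and takes the target host from PROBE_HOST, an assumed variable name; the one other tool it calls is `gnutls-cli`, to preview what a GnuTLS priority string enables before it goes into the Exim template.

```shell
#!/bin/sh
# Added example for this thread, not code from Hestia or Exim.
# Probes an Exim listener for what the PCI scan flagged: TLS 1.0/1.1 and the
# 3DES (SWEET32) suites. Assumes `openssl` 1.1.1 or 3.x on PATH; the target
# host is read from PROBE_HOST (an assumed variable name, e.g. mail.example.com).
# Ports as in the thread: 25 and 587 use STARTTLS, 465 is implicit TLS.

# classify_handshake: read `openssl s_client` output on stdin, print one of
#   accepted <proto>  server completed the handshake
#   rejected          server refused (protocol-version alert, handshake failure)
#   client_error      our own openssl would not even offer the version/cipher
# Pure text processing, so the logic can be checked without a network.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qiE 'no protocols available|no cipher match|unknown option'; then
        echo client_error
        return 0
    fi
    # s_client prints "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384" on
    # success and "New, (NONE), Cipher is (NONE)" after a failed handshake.
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo rejected
        return 0
    fi
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ]; then
        echo "accepted $proto"
    else
        echo rejected   # e.g. connection refused: nothing was negotiated
    fi
}

# probe PORT [s_client flags...]: one handshake attempt against $PROBE_HOST.
probe() {
    port=$1
    shift
    case $port in
        465) starttls="" ;;
        *)   starttls="-starttls smtp" ;;
    esac
    # $starttls is deliberately unquoted so an empty value adds no argument.
    openssl s_client -connect "$PROBE_HOST:$port" $starttls "$@" </dev/null 2>&1 \
        | classify_handshake
}

# probe_all: the checks a PCI scanner performs, with the wanted result in the
# comment. DEFAULT@SECLEVEL=0 lets a modern OpenSSL client still *offer*
# TLS 1.0/1.1 and 3DES; without it you get client_error instead of the
# server's real answer.
probe_all() {
    des3='DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA@SECLEVEL=0'
    for port in 25 587 465; do
        echo "port $port"
        echo "  TLS 1.0: $(probe "$port" -tls1   -cipher 'DEFAULT@SECLEVEL=0')"  # want: rejected
        echo "  TLS 1.1: $(probe "$port" -tls1_1 -cipher 'DEFAULT@SECLEVEL=0')"  # want: rejected
        echo "  TLS 1.2: $(probe "$port" -tls1_2)"                                # want: accepted TLSv1.2
        echo "  3DES   : $(probe "$port" -tls1_2 -cipher "$des3")"                # want: rejected
    done
}

# show_priority PRIORITY: list the protocols and ciphersuites a GnuTLS priority
# string enables, before pasting it into tls_require_ciphers. Debian's Exim is
# built against GnuTLS, which is why OpenSSL-style cipher lists do nothing here.
show_priority() {
    gnutls-cli -l --priority "$1"
}

if [ -n "${PROBE_HOST:-}" ]; then
    probe_all
fi
```

Run it as `PROBE_HOST=mail.example.com sh probe_exim_tls.sh` (file name assumed) after restarting Exim; every port should show TLS 1.0, TLS 1.1 and 3DES as rejected and TLS 1.2 as accepted. A client_error result means the probing machine's own OpenSSL refused to offer the old version or cipher, not that the server is clean, so re-run from a host whose OpenSSL still can. `show_priority 'SECURE256:-ARCFOUR-128:-AES-128-CBC:-CAMELLIA-128-CBC:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2'` shows exactly which suites that string leaves enabled, and `exim -bV` confirms which TLS library the binary was built against.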