Phone Lines icon GFI Support Home

Articles in this section

See more

Configuring SSL and TLS Variables in Kerio Connect

Author: Vladyslav Velychko Updated

Overview

While performing SSL protocol security scans, the SMTP and email Encryption settings can be modified using mailserver.cfg file. The file allows configuring Server, Client TLS protocols, custom SSL ciphers, and Diffie-Hellman key exchange method. The following failure may appear in Mail logs:

Sending server negotiated an old and insecure TLS version, TLSv1.1, sending server will need to be upgraded to support at least TLSv1.2

Adapted settings should help in passing the Audit vulnerability assessment check.

Solution

You may need to adjust the security settings to resolve a flaw in the security protocol or to get a good security rating for your server. Kerio Connect's security variables exist in the mailserver.cfg configuration file, which is located in the Kerio Connect installation directory.

The default locations are:

Windows C:\Program Files\Kerio\MailServer
Linux /opt/kerio/mailserver
macOS /usr/local/kerio/mailserver

 

SSL/TLS Variables

 

AllowEphemeralDH

This variable enables the use of the Diffie-Hellman Ephemeral (DHE) method for key exchange.

  • The server generates a random ephemeral public key for each session, which keeps attackers from deciphering past sessions (also called forward secrecy).

  • Available in Kerio Connect 9.0.2 and above.

  • This replaces the DisableEphemeralDH variable in Kerio Connect 9.0.0 and 9.0.1.

  • Sets the DisableEphemeralDH to 0 to enable DHE.

  • The default value is 1.

  • This variable should be modified in both Security and SmtpSecurity tables.

 

back to list 

 

EphemeralDHParamSize

This variable sets the size of DHE to 2048(1024 for SMTP services).

Ensure that the DisableEphemeralDH variable is enabled.

  • Supported values are 1024, 2048, or 4096.

  • The default value is 0.

  • This variable should be modified in both Security and SmtpSecurity tables.

 

back to list 

 

AllowEphemeralECDH

This variable enables the ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) method for key exchange.

  • The server generates a random ephemeral public key for each session, which keeps attackers from deciphering past sessions (also called forward secrecy).

  • ECDHE is more efficient than DHE and uses shorter keys.

  • The default value is 1.

  • This variable should be modified in both Security and SmtpSecurity tables.

 

back to list 

 

SSLDontInsertEmptyFragments

This variable disables the OpenSSL workaround for the CVE-2011-3389 vulnerability.

  • If you set the variable to 0, some older implementations of SSL may not connect to the Kerio Connect servers.

  • Available in Kerio Connect version 9 and above.

  • The default value is 1.

  •  This variable should be modified in both Security and SmtpSecurity tables.

 

back to list 

 

ServerTlsProtocols

This variable changes the SSL/TLS protocols used by Kerio Connect.

Note: starting from Kerio Connect 9.3.0, TLSv1.3 is supported.

  • Leave the variable empty to use a default set of SSL/TLS protocols:

    • TLSv1

    • TLSv1.1

    • TLSv1.2

  • List the protocol names (separated by commas) in the variable to use a custom set of protocols.

    Example

    <variablename="ServerTlsProtocols">SSLv3,TLSv1,TLSv1.1,TLSv1.2</variable>

  • This variable should be modified in both Security and SmtpSecurity tables.

    mceclip0.png

 

back to list 

 

ServerTlsCiphers

Kerio Connect uses this cipher list.

  • Leave the variable empty to use a default cipher list: 

    AESGCM:HIGH:+EDH-RSA-DES-CBC3-SHA:+EDH-DSS-DES-CBC3-SHA:+DES-CBC3-SHA
  • To use a custom cipher list, type the cipher list in the matching variable from the OpenSSL manual page (i.e., the first weak cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384).

    Note: In the OpenSSL site, the cipher is equal to the ECDHE-RSA-AES256-SHA384 value.

  • Modify the server and the Client TLS cipher variables to delete the cipher from the list permanently.

    ServerTlsCiphers and ClientTlsCiphers will be the following:

    <variable name="ServerTlsCiphers">AESGCM:HIGH:+EDH-DSS-DES-CBC3-SHA:+DES-CBC3-SHA:!ECDHE-RSA-AES256-SHA384</variable>
    <variable name="ClientTlsCiphers">AESGCM:HIGH:+EDH-DSS-DES-CBC3-SHA:+DES-CBC3-SHA:!ECDHE-RSA-AES256-SHA384</variable>
    ! (exclamation point) permanently deletes a cipher from the list's Security and SmtpSecurity tables
    + (plus sign) moves a cipher to the end of the list
    - (minus sign) excludes a cipher from the list (can be overwritten by the next ciphers)

  • This variable should be modified in both Security and SmtpSecurity tables.

 

back to list 

 

ClientTlsProtocols

The ClientTlsProtocols are the SSL/TLS protocols used when Kerio Connect acts as a client (i.e., when sending messages via SMTP or receiving messages via POP3).

Note: starting from Kerio Connect 9.3.0, TLSv1.3 is supported.

  • Leave the variable empty to use a default set of SSL/TLS protocols: 

    • TLSv1

    • TLSv1.1

    • TLSv1.2

  • To use a custom set of protocols, list the protocol names (separated by commas) in the variable.

    Example:

    <variable name="ClientTlsProtocols">SSLv3,TLSv1,TLSv1.1,TLSv1.2</variable>

 

back to list 

 

ClientTlsCiphers

ClientTlsCiphers refers to the client cipher list.

  • Leave the variable empty to use a default cipher list.

  • To use a custom cipher list, type the cipher list in the variable. Refer to the steps outlined in the ServerTlsCiphers variable.

 

back to list 

 

PreferServerCipherOrder

This variable allows Kerio Connect to decide which cipher set to use regardless of the client's preferences.

  • The default value is 1.

  • This variable should be modified in both Security and SmtpSecurity tables.

 

Here is an example of the mailserver.cfg settings, which includes the variables listed above:

mceclip1.png

 

back to top

Additional Information

 

  • Test the SSL/TLS settings by using the SSL Labs website.

  • List all strong ciphers by running the standard OpenSSL command:

    openssl ciphers 'HIGH:!aNULL:!MD5'

  • The Google Chrome browser might have some compatibility issues with OCSP (Online Certificate Status Protocol) stapling. To resolve compatibility issues, configure the SSL Certificate Authority with Certificate Transparency = Yes.

    If it has not been set, Google Chrome might show a Not Secure website message.

    mceclip2.png

 

back to top

Verification

Once the SSL/TLS configuration has been changed, it is recommended to run the OpenSSL s_client validation commands from the Linux/macOS machine.

  • For example, to check if the server supports TLSv1.2, please run the following command:

    openssl s_client -connect <domain>:<port> -tls1_2

  • The successful output will be similar to the following:

    tls1_2_openssl.png

For more information about different commands, you can refer to the official OpenSSL documentation or the OpenSSL s_client Commands third-party reference documentation.

Note: Results from MxToolbox might not always be accurate or updated.

 

Related Articles

Changing Kerio Connect SSL/TLS Configuration

Resetting Kerio Connect SSL/TLS Configuration

back to top

Related articles