Overview
When an SSL protocol security scan flags the server, the SMTP and email encryption settings can be adjusted in the mailserver.cfg file. The file allows configuring the server and client TLS protocols, custom SSL ciphers, and the Diffie-Hellman key exchange method. The following failure may appear in the Mail logs:
Sending server negotiated an old and insecure TLS version, TLSv1.1, sending server will need to be upgraded to support at least TLSv1.2
Adjusting these settings should help in passing the audit vulnerability assessment check.
Solution
You may need to adjust the security settings to resolve a flaw in the security protocol or to get a good security rating for your server. Kerio Connect's security variables are stored in the mailserver.cfg configuration file, which is located in the Kerio Connect installation directory.
The default locations are:
- Windows: C:\Program Files\Kerio\MailServer
- Linux: /opt/kerio/mailserver
- macOS: /usr/local/kerio/mailserver
SSL/TLS Variables
This variable enables the use of the Diffie-Hellman Ephemeral (DHE) method for key exchange.
- The server generates a random ephemeral public key for each session, which keeps attackers from deciphering past sessions (also called forward secrecy).
- Available in Kerio Connect 9.0.2 and above.
- This replaces the DisableEphemeralDH variable in Kerio Connect 9.0.0 and 9.0.1.
- Set DisableEphemeralDH to 0 to enable DHE.
- The default value is 1.
- This variable should be modified in both the Security and SmtpSecurity tables.
This variable sets the size of the DHE key to 2048 (1024 for SMTP services).
- Ensure that the DisableEphemeralDH variable is enabled.
- Supported values are 1024, 2048, or 4096.
- The default value is 0.
- This variable should be modified in both the Security and SmtpSecurity tables.
This variable enables the ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) method for key exchange.
- The server generates a random ephemeral public key for each session, which keeps attackers from deciphering past sessions (also called forward secrecy).
- ECDHE is more efficient than DHE and uses shorter keys.
- The default value is 1.
- This variable should be modified in both the Security and SmtpSecurity tables.
This variable disables the OpenSSL workaround for the CVE-2011-3389 vulnerability.
- If you set the variable to 0, some older SSL implementations may not be able to connect to the Kerio Connect servers.
- Available in Kerio Connect version 9 and above.
- The default value is 1.
- This variable should be modified in both the Security and SmtpSecurity tables.
This variable changes the SSL/TLS protocols used by Kerio Connect.
Note: starting from Kerio Connect 9.3.0, TLSv1.3 is supported.
- Leave the variable empty to use the default set of SSL/TLS protocols:
  - TLSv1
  - TLSv1.1
  - TLSv1.2
- List the protocol names (separated by commas) in the variable to use a custom set of protocols.
Example:
<variable name="ServerTlsProtocols">SSLv3,TLSv1,TLSv1.1,TLSv1.2</variable>
- This variable should be modified in both the Security and SmtpSecurity tables.
Kerio Connect uses this cipher list.
- Leave the variable empty to use the default cipher list:
AESGCM:HIGH:+EDH-RSA-DES-CBC3-SHA:+EDH-DSS-DES-CBC3-SHA:+DES-CBC3-SHA
- To use a custom cipher list, type the cipher list in the matching variable, using the cipher names from the OpenSSL manual page. For example, the first weak cipher, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, is listed on the OpenSSL site under the name ECDHE-RSA-AES256-SHA384.
- Modify both the server and the client TLS cipher variables to delete the cipher from the list permanently. ServerTlsCiphers and ClientTlsCiphers will then be the following:
<variable name="ServerTlsCiphers">AESGCM:HIGH:+EDH-DSS-DES-CBC3-SHA:+DES-CBC3-SHA:!ECDHE-RSA-AES256-SHA384</variable>
<variable name="ClientTlsCiphers">AESGCM:HIGH:+EDH-DSS-DES-CBC3-SHA:+DES-CBC3-SHA:!ECDHE-RSA-AES256-SHA384</variable>
The cipher list syntax is:
- ! (exclamation point): permanently deletes a cipher from the list
- + (plus sign): moves a cipher to the end of the list
- - (minus sign): excludes a cipher from the list (can be overridden by later entries)
- This variable should be modified in both the Security and SmtpSecurity tables.
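The difference between the three operators is easiest to see by asking OpenSSL itself which ciphers a given string resolves to. The following is an added example (not Kerio's code and not from the article); it feeds the article's default ServerTlsCiphers string through Python's ssl module, which uses the locally installed OpenSSL, so the exact names returned depend on that OpenSSL version. The function names resolve_cipher_list, excludes and demonstrate_operators are this example's own.

```python
"""Resolve OpenSSL cipher-list strings the way Kerio Connect's
ServerTlsCiphers / ClientTlsCiphers variables are interpreted.

Added example, not Kerio's code. Results come from the OpenSSL library
behind Python's ssl module, so the cipher set depends on that build.
"""
import ssl
from typing import Dict, List

# Default ServerTlsCiphers value quoted in the article.
DEFAULT_CIPHERS = "AESGCM:HIGH:+EDH-RSA-DES-CBC3-SHA:+EDH-DSS-DES-CBC3-SHA:+DES-CBC3-SHA"
# OpenSSL name of TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, the cipher the article removes.
WEAK_CIPHER = "ECDHE-RSA-AES256-SHA384"


def resolve_cipher_list(cipher_string: str) -> List[str]:
    """Return the ordered TLS 1.2-and-below cipher names OpenSSL selects.

    TLS 1.3 suites are governed by a separate setting and are always listed
    first by get_ciphers(), so they are dropped to show only what the cipher
    string controls. Raises ssl.SSLError if the string matches nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def excludes(cipher_string: str, cipher: str) -> bool:
    """True when `cipher` is absent from the resolved list."""
    return cipher not in resolve_cipher_list(cipher_string)


def demonstrate_operators() -> Dict[str, bool]:
    """Apply the article's three operators to WEAK_CIPHER.

    Each value says whether WEAK_CIPHER is still offered. Only '!' survives a
    later attempt to add the cipher back, which is why the article uses it.
    """
    base = DEFAULT_CIPHERS
    return {
        # present in the default list (it is part of HIGH)
        "default": not excludes(base, WEAK_CIPHER),
        # '!' deletes it ...
        "bang": not excludes(f"{base}:!{WEAK_CIPHER}", WEAK_CIPHER),
        # ... and a later explicit entry cannot bring it back
        "bang_then_readd": not excludes(f"{base}:!{WEAK_CIPHER}:{WEAK_CIPHER}", WEAK_CIPHER),
        # '-' only excludes it until a later entry re-adds it
        "minus_then_readd": not excludes(f"{base}:-{WEAK_CIPHER}:{WEAK_CIPHER}", WEAK_CIPHER),
        # '+' keeps it but moves it to the end of the preference order
        "plus_moves_last": resolve_cipher_list(f"{base}:+{WEAK_CIPHER}")[-1] == WEAK_CIPHER,
    }


if __name__ == "__main__":
    for name, offered in demonstrate_operators().items():
        print(f"{name:18s} offers {WEAK_CIPHER}: {offered}")
    print("hardened list:", resolve_cipher_list(f"{DEFAULT_CIPHERS}:!{WEAK_CIPHER}"))
```

Running the script prints which variants still offer ECDHE-RSA-AES256-SHA384 and the final cipher order the hardened string yields; the 3DES entries behind the + operators in the default string are ignored on OpenSSL builds that no longer ship them, which is harmless because OpenSSL only errors when the whole string matches nothing.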
ClientTlsProtocols sets the SSL/TLS protocols used when Kerio Connect acts as a client (i.e., when sending messages via SMTP or receiving messages via POP3).
Note: starting from Kerio Connect 9.3.0, TLSv1.3 is supported.
- Leave the variable empty to use the default set of SSL/TLS protocols:
  - TLSv1
  - TLSv1.1
  - TLSv1.2
- To use a custom set of protocols, list the protocol names (separated by commas) in the variable.
Example:
<variable name="ClientTlsProtocols">SSLv3,TLSv1,TLSv1.1,TLSv1.2</variable>
ClientTlsCiphers is the client cipher list.
- Leave the variable empty to use the default cipher list.
- To use a custom cipher list, type the cipher list in the variable. Follow the steps outlined for the ServerTlsCiphers variable.
This variable allows Kerio Connect to decide which cipher set to use regardless of the client's preferences.
- The default value is 1.
- This variable should be modified in both the Security and SmtpSecurity tables.
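Because every variable above has to be set consistently in both the Security and SmtpSecurity tables, it is worth checking the file mechanically before re-running the scan. The script below is an added example, not Kerio's code and not the mailserver.cfg sample the article refers to. It assumes mailserver.cfg is XML in which each <variable name="...">value</variable> element (the form shown in the article) sits inside a <table name="..."> wrapper (an assumption), that an empty protocol variable means the article's default set TLSv1, TLSv1.1, TLSv1.2, and that DisableEphemeralDH=1 means DHE is off. SAMPLE_CFG is a constructed fragment; audit, harden and load_tables are this example's own names.

```python
"""Audit and harden the SSL/TLS variables of a Kerio Connect mailserver.cfg.

Added example, not Kerio's code. Assumes <table name="..."> wrappers around
<variable name="...">value</variable> elements, an empty *TlsProtocols value
meaning the default TLSv1,TLSv1.1,TLSv1.2 set, and DisableEphemeralDH=1
meaning DHE is disabled (all taken from, or assumed on top of, the article).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

TABLES = ("Security", "SmtpSecurity")
PROTOCOL_VARS = ("ServerTlsProtocols", "ClientTlsProtocols")
DEFAULT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]          # article's default set
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}      # below the TLSv1.2 floor in the log line

# Constructed sample: old protocols still allowed and DHE off in the Security table.
SAMPLE_CFG = """<config>
  <table name="Security">
    <variable name="ServerTlsProtocols">SSLv3,TLSv1,TLSv1.1,TLSv1.2</variable>
    <variable name="ClientTlsProtocols"></variable>
    <variable name="DisableEphemeralDH">1</variable>
  </table>
  <table name="SmtpSecurity">
    <variable name="ServerTlsProtocols">TLSv1.2,TLSv1.3</variable>
    <variable name="ClientTlsProtocols">TLSv1.2</variable>
    <variable name="DisableEphemeralDH">0</variable>
  </table>
</config>"""


def load_tables(cfg_text: str) -> Dict[str, Dict[str, str]]:
    """Map table name -> {variable name: value} for the two audited tables."""
    root = ET.fromstring(cfg_text)
    tables: Dict[str, Dict[str, str]] = {}
    for table in root.iter("table"):
        if table.get("name") in TABLES:
            tables[table.get("name")] = {
                v.get("name"): (v.text or "").strip() for v in table.findall("variable")
            }
    return tables


def effective_protocols(value: str) -> List[str]:
    """Empty value means the default set; otherwise split the comma list."""
    if value == "":
        return list(DEFAULT_PROTOCOLS)
    return [p.strip() for p in value.split(",") if p.strip()]


def audit(cfg_text: str) -> List[Tuple[str, str, str]]:
    """Return (table, variable, finding) tuples; an empty list means the config passes."""
    findings = []
    tables = load_tables(cfg_text)
    for table in TABLES:
        values = tables.get(table)
        if values is None:
            findings.append((table, "", "table missing; variables must be set in both tables"))
            continue
        for var in PROTOCOL_VARS:
            raw = values.get(var, "")
            weak = [p for p in effective_protocols(raw) if p in WEAK_PROTOCOLS]
            if weak:
                source = "default set" if raw == "" else "explicit value"
                findings.append((table, var, f"allows {','.join(weak)} ({source})"))
        if values.get("DisableEphemeralDH", "1") == "1":   # article: default is 1
            findings.append((table, "DisableEphemeralDH", "is 1, DHE (forward secrecy) disabled"))
    return findings


def harden(cfg_text: str) -> str:
    """Rewrite both tables: drop weak protocols (keeping at least TLSv1.2) and enable DHE."""
    root = ET.fromstring(cfg_text)
    for table in root.iter("table"):
        if table.get("name") not in TABLES:
            continue
        for v in table.findall("variable"):
            if v.get("name") in PROTOCOL_VARS:
                kept = [p for p in effective_protocols((v.text or "").strip()) if p not in WEAK_PROTOCOLS]
                v.text = ",".join(kept or ["TLSv1.2"])
            elif v.get("name") == "DisableEphemeralDH":
                v.text = "0"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for table, var, msg in audit(SAMPLE_CFG):
        print(f"[{table}] {var}: {msg}")
    print(harden(SAMPLE_CFG))
```

Run it against a copy of the real file (with Kerio Connect stopped before writing any change back, as the article's procedure implies for editing mailserver.cfg) and re-run audit on the output; the hardened fragment keeps TLSv1.3 where it was already listed and only adds TLSv1.2 when nothing acceptable remains.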
Here is an example of the mailserver.cfg settings, which includes the variables listed above:
Additional Information
- Test the SSL/TLS settings by using the SSL Labs website.
- List all strong ciphers by running the standard OpenSSL command:
openssl ciphers 'HIGH:!aNULL:!MD5'
- The Google Chrome browser might have compatibility issues with OCSP (Online Certificate Status Protocol) stapling. To resolve them, configure the SSL Certificate Authority with Certificate Transparency = Yes. If it has not been set, Google Chrome might show a Not Secure website message.
Verification
Once the SSL/TLS configuration has been changed, it is recommended to run the OpenSSL s_client validation commands from a Linux/macOS machine.
- For example, to check whether the server supports TLSv1.2, run the following command:
openssl s_client -connect <domain>:<port> -tls1_2
- The successful output will be similar to the following:
For more information about the different commands, refer to the official OpenSSL documentation or the OpenSSL s_client Commands third-party reference documentation.
Note: Results from MxToolbox might not always be accurate or up to date.
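Checking each protocol by hand gets tedious when the same test has to be repeated per port after every configuration change, so the following added example (not from the article and not Kerio's tooling) wraps the openssl s_client check in a small parser that reads the SSL-Session block and turns it into a pass/fail verdict. GOOD_OUTPUT and FAILED_OUTPUT are constructed samples shaped like s_client output, not captures from a real server; build_command, parse_s_client and run_check are this example's own names, and run_check needs network access and the openssl binary, so only the parser is exercised offline.

```python
"""Parse `openssl s_client` output into a pass/fail result per protocol.

Added example, not from the article. The two sample outputs are constructed
to resemble s_client's SSL-Session block and failure text; they are not
real captures.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Maps protocol names used in mailserver.cfg to the matching s_client flag.
PROTOCOL_FLAGS = {
    "SSLv3": "-ssl3", "TLSv1": "-tls1", "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2", "TLSv1.3": "-tls1_3",
}
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed: handshake succeeded with the requested protocol.
GOOD_OUTPUT = """CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
"""

# Constructed: server rejected the offered protocol version.
FAILED_OUTPUT = """CONNECTED(00000003)
139871234567:error:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""


@dataclass
class HandshakeResult:
    protocol: Optional[str]
    cipher: Optional[str]
    verify_code: Optional[int]

    @property
    def succeeded(self) -> bool:
        """A session with a real protocol and cipher means the handshake completed."""
        return self.protocol is not None and self.cipher not in (None, "(NONE)", "0000")


def parse_s_client(output: str) -> HandshakeResult:
    """Pull protocol, cipher and verify code out of the SSL-Session block."""
    def grab(pattern: str) -> Optional[str]:
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else None

    verify = grab(r"^\s*Verify return code:\s*(\d+)")
    return HandshakeResult(
        protocol=grab(r"^\s*Protocol\s*:\s*(\S+)"),
        cipher=grab(r"^\s*Cipher\s*:\s*(\S+)"),
        verify_code=int(verify) if verify is not None else None,
    )


def meets_floor(result: HandshakeResult, minimum: str = "TLSv1.2") -> bool:
    """True when the handshake succeeded with `minimum` or a newer protocol."""
    if not result.succeeded or result.protocol not in PROTOCOL_ORDER:
        return False
    return PROTOCOL_ORDER.index(result.protocol) >= PROTOCOL_ORDER.index(minimum)


def build_command(host: str, port: int, protocol: str) -> List[str]:
    """s_client invocation that forces a single protocol version."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}", PROTOCOL_FLAGS[protocol]]


def run_check(host: str, port: int, protocol: str) -> HandshakeResult:
    """Run s_client for one protocol; an empty stdin makes it exit after the handshake."""
    proc = subprocess.run(build_command(host, port, protocol), input="",
                          capture_output=True, text=True, timeout=20)
    return parse_s_client(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for name, text in (("good", GOOD_OUTPUT), ("failed", FAILED_OUTPUT)):
        r = parse_s_client(text)
        print(f"{name}: protocol={r.protocol} cipher={r.cipher} ok={meets_floor(r)}")
```

Expected use after a change: loop run_check over PROTOCOL_ORDER for each listening port and expect meets_floor to be False for everything below TLSv1.2 (the handshake should fail) and True for TLSv1.2 and, on 9.3.0 or later with TLSv1.3 configured, TLSv1.3.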
Related Articles
Changing Kerio Connect SSL/TLS Configuration