The server does not prefer cipher suites

spinx
Posts: 10
Joined: Thu Jan 02, 2020 8:11 am

Re: The server does not prefer cipher suites

Postby spinx » Sat Jan 04, 2020 5:49 pm

Hi,
thank you for your reply...

How do I implement tls_preempt_cipherlist = yes in Zimbra? Where do I put it?

Regards


spinx
Posts: 10
Joined: Thu Jan 02, 2020 8:11 am

Re: The server does not prefer cipher suites

Postby spinx » Sat Jan 04, 2020 6:08 pm

Hi,

I have enabled only TLS 1.1 and TLS 1.2, but it still shows that :)

Regards
neutronscott
Posts: 28
Joined: Fri Jun 09, 2017 2:05 pm

Re: The server does not prefer cipher suites

Postby neutronscott » Sat Jan 04, 2020 7:00 pm

Sorry Bill, but this is not only about SSLv3, as I tried to say previously. You can test this yourself. I selected a high and a low cipher from openssl ciphers -v for this and reversed the order on my client. You see initially the server negotiates with the first one I list:

mute@atl:~$ openssl s_client -tls1_2 -connect mail.xxx:25 -starttls smtp -cipher ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA 2>&1 <<< Q |grep -i cipher
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
mute@atl:~$ openssl s_client -tls1_2 -connect mail.xxx:25 -starttls smtp -cipher DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384 2>&1 <<< Q |grep -i cipher
New, SSLv3, Cipher is DHE-RSA-AES128-SHA
    Cipher    : DHE-RSA-AES128-SHA

Now I enable the setting:

[zimbra@mail ~]$ postconf -e tls_preempt_cipherlist=yes
[zimbra@mail ~]$ postfix reload

You see the server now selects what it wants.

mute@atl:~$ openssl s_client -tls1_2 -connect mail.xxx:25 -starttls smtp -cipher DHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384 2>&1 <<< Q |grep -i cipher
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
mute@atl:~$ openssl s_client -tls1_2 -connect mail.xxx:25 -starttls smtp -cipher ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA 2>&1 <<< Q |grep -i cipher
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384


BUT THIS IS NOT THE WWW!!!

If the server chooses a cipher that the client prefers less, it may select a cipher whose client implementation is flawed. Most notably Windows 2003 Microsoft Exchange servers have flawed implementations of DES-CBC3-SHA, which OpenSSL considers stronger than RC4-SHA. Enabling server cipher-suite selection may create interoperability issues with Windows 2003 Microsoft Exchange clients.


If you enable STARTTLS and then do not agree on a cipher, or force a broken one, you will lose some mail and you won't even know it. You definitely cannot use just HIGH ciphers today for MTA port 25. I will stress again that email will need to support plaintext at the edge so having TLS is just a nice to have.

I cannot recommend this without knowing you have a requirement for TLS over deliverability.

As for making non-supported Postfix settings stick: I think that's gotten better within Zimbra versions and should just work, as it seems to write out all of it to ~/common/conf/main.cf before loading LDAP and zmlocalconfig things on top.
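The reversed-order check above, written up as an added script (not from this thread or from Zimbra), so it can be repeated after each change. It assumes the host and port are given on the command line; the STRONG/WEAK suite names and the probe/interpret functions are this example's own choices. It adds one check the manual test skips: each suite is first tried alone, because identical results from the two orderings could otherwise just mean the server offers only one of them.

```python
import smtplib
import ssl
import sys

# Constructed test pair, mirroring the thread: one strong suite, one weaker one.
# Both must be suites the probed server actually offers (the script checks this).
STRONG = "ECDHE-RSA-AES256-GCM-SHA384"
WEAK = "DHE-RSA-AES128-SHA"


def negotiated_cipher(host, port, cipher_list, timeout=15):
    """STARTTLS on an SMTP port offering only `cipher_list`; return the suite
    the server picked, or None if the handshake failed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probe only: cipher choice, not identity
    # Pin TLS 1.2: TLS 1.3 suites are not governed by set_ciphers().
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_list)
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            name, _proto, _bits = smtp.sock.cipher()
            return name
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return None


def interpret(alone_strong, alone_weak, order_sw, order_ws):
    """Classify four probe results: each suite alone, then STRONG:WEAK,
    then WEAK:STRONG. Returns 'server', 'client' or 'inconclusive: ...'."""
    if alone_strong != STRONG or alone_weak != WEAK:
        return "inconclusive: server does not accept both test suites"
    if order_sw == STRONG and order_ws == WEAK:
        return "client"  # server followed the client's order both times
    if order_sw == order_ws:
        return "server"  # same pick regardless of client order
    return "inconclusive: unexpected results %r / %r" % (order_sw, order_ws)


def probe_preference(host, port=25):
    """Run the four probes against host:port and classify the outcome."""
    return interpret(
        negotiated_cipher(host, port, STRONG),
        negotiated_cipher(host, port, WEAK),
        negotiated_cipher(host, port, STRONG + ":" + WEAK),
        negotiated_cipher(host, port, WEAK + ":" + STRONG),
    )


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print("cipher preference:", probe_preference(host, port))
```

A "server" verdict is what the tls_preempt_cipherlist=yes run above produces; the Exchange 2003 interoperability trade-off quoted from the Postfix documentation applies to that setting regardless of what this probe reports.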
spinx
Posts: 10
Joined: Thu Jan 02, 2020 8:11 am

Re: The server does not prefer cipher suites

Postby spinx » Sat Jan 04, 2020 7:08 pm

Hi,
Will try this...
Do I need to edit only this, or do I need to set up a preferred cipher list?

regards
spinx
Posts: 10
Joined: Thu Jan 02, 2020 8:11 am

Re: The server does not prefer cipher suites

Postby spinx » Sat Jan 04, 2020 8:31 pm

Hi,
It works, thank you for your help!!

Regards
