The server does not prefer cipher suites


Postby spinx » Thu Jan 02, 2020 8:17 am

Hi,

I have Zimbra open source 8.8.15 and I have run a security test and it shows "The server does not prefer cipher suites. We advise to enable this feature in order to enforce usage of the best cipher suites selected."

Can someone help me resolve this?

Regards


Postby spinx » Fri Jan 03, 2020 7:55 pm

Does anyone have any idea?

Postby phoenix » Fri Jan 03, 2020 8:02 pm

Which 'security test' was this? Have you read the wiki article(s) on ciphers?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra

Postby spinx » Fri Jan 03, 2020 8:27 pm

Hi, there were a few security scans and all show that I don't have cipher order configured.

I have tried everything :)

Postby phoenix » Fri Jan 03, 2020 8:31 pm

How about telling me which ones so I can verify them? You also didn't answer if you've read the wiki articles on ciphers.
Regards

Bill


Postby spinx » Fri Jan 03, 2020 8:33 pm

https://www.immuniweb.com/ssl/

Yes, I have read everything. I have been facing this problem for a few days and have read everything that is about ciphers in the wiki and on Google.

Postby phoenix » Sat Jan 04, 2020 5:53 am

Well, I've run that test and I don't see that message anywhere. I'd suggest you use the articles here:

https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test
https://www.huuphan.com/2017/07/zimbra-qualys-a.html

Make the required changes and try the test again.
Regards

Bill


Postby spinx » Sat Jan 04, 2020 9:38 am

Hi,
The problem is on port 25, on this port it shows this problem not on 443.

regards

Postby phoenix » Sat Jan 04, 2020 10:57 am

spinx wrote: The problem is on port 25, on this port it shows this problem not on 443.

You should have mentioned that to start with; a full description of a problem and your attempts to fix it go a long way to an earlier resolution.

It's my understanding (although I'm no expert) that this feature requires:

 tls_preempt_cipherlist = yes

That is a feature of SSLv3: http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist and, as SSLv2 & SSLv3 are deprecated in Zimbra (and in general) and you can exclude those from being used, you're not able to make that change. Also, what you see on 'test sites' isn't necessarily best practice. I'll wait to be corrected on any errors in my comments by someone more knowledgeable than me.
Regards

Bill


Postby neutronscott » Sat Jan 04, 2020 5:46 pm

This is a good change. MTA encryption is usually opportunistic and will use plaintext so it's not a huge deal. That is a good tool though. Nessus did not find this on 25 for me.
The feature has existed since SSL3, so it is still correct for TLS.
Again, not much gain if you still support the worst cipher suite of them all, NULL :lol: but that's the evil of email.
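
Added example, not part of the original thread and not Postfix or Zimbra code: a small Python model of what tls_preempt_cipherlist changes during cipher selection, and of how a scanner can tell the two settings apart by offering the same ciphers in opposite orders. The cipher lists, make_server and server_prefers_ciphers are constructed or hypothetical names used for illustration only.

```python
# Added illustration: a model of cipher selection, not Postfix or OpenSSL code.
SERVER_LIST = [  # constructed sample of a server's order, strongest first
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
]
PROBE = ["AES256-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]  # constructed client offer


def negotiate(client_offer, server_list, preempt):
    """Pick the cipher for one handshake; None if nothing is shared.

    preempt=True models tls_preempt_cipherlist = yes (server order wins),
    preempt=False models the Postfix default (client order wins).
    """
    first, second = (server_list, client_offer) if preempt else (client_offer, server_list)
    return next((c for c in first if c in second), None)


def make_server(preempt):
    """Hypothetical stand-in for a live SMTP STARTTLS handshake on port 25."""
    return lambda offer: negotiate(offer, SERVER_LIST, preempt)


def server_prefers_ciphers(handshake, probe):
    """Scanner-style check: offer the same ciphers in opposite orders."""
    # Keep only ciphers the server accepts on their own; with fewer than
    # two, both probes would pick the same cipher and prove nothing.
    accepted = [c for c in probe if handshake([c]) is not None]
    if len(accepted) < 2:
        raise ValueError("need two shared ciphers to test preference")
    # A server that enforces its order returns the same cipher both times.
    return handshake(accepted) == handshake(accepted[::-1])


if __name__ == "__main__":
    for preempt in (False, True):
        server = make_server(preempt)
        print(f"preempt={preempt}: picked {server(PROBE)}, "
              f"prefers own order: {server_prefers_ciphers(server, PROBE)}")
```

With preempt off, a client that lists AES256-SHA first gets it even though the server also supports a stronger suite, which is the condition the scan message describes.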
