Disable some cyphers


#1

Running a security scan, all cyphers beginning with TLS_RSA are flagged as being suboptimal.

How would one go about disabling weaker cyphers (anything that’s not ECDHE or DHE)?


#2

For the website, that's configured in nginx. Changing that is unsupported. You can see where that happens in the GitHub repo nginx-ssl config. (There are also explanations about the rationale behind the choices here: https://github.com/mail-in-a-box/mailinabox/blob/master/security.md)

You can check the consequences of disabling a cypher on https://www.ssllabs.com.


#3

Thanks for the response. I understand the need for balance in not over-securing a server and locking out some users.

I looked at nginx-ssl, but couldn’t find any reference to RSA cyphers. I’m checking a report that looks to reference SMTP cyphers:


#4

It’s not clear if that is the submission port or not.

Submission config:

Incoming config:

Also read the surrounding comments; they also explain the rationale.


#5

Thanks! Now I understand the rationale: Better a weak cypher than to fall back to clear text.


#6

I found a way to make my security scan happy. I added the following line to /etc/postfix/main.cf:

tls_preempt_cipherlist = yes

By having the server select the best preference, rather than the client, it looks like it starts with the highest level of security first.
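The effect described in #6, shown as an added illustration that is not code from this thread or from Mail-in-a-Box. The cipher lists are constructed sample data in IANA naming; `negotiate` mirrors the difference between Postfix's default client preference (`tls_preempt_cipherlist = no`) and server preference (`yes`), and `forward_secret` applies the scanner's ECDHE/DHE-versus-TLS_RSA distinction from #1.

```python
"""Simulate TLS cipher selection with and without server preference.

Added illustration for the thread above; the lists below are constructed
sample data, not a real server's or client's configuration.
"""

# Constructed server preference list: forward-secret suites first, static
# TLS_RSA suites last (kept, per the thread, rather than falling back to
# clear text for old clients).
SERVER_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed ClientHello order of a client that supports ECDHE but happens
# to list a TLS_RSA suite first.
LEGACY_CLIENT = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Constructed client that only offers static RSA key exchange.
OLD_CLIENT = ["TLS_RSA_WITH_AES_256_CBC_SHA"]


def forward_secret(cipher: str) -> bool:
    """True for (EC)DHE key exchange, False for static RSA key exchange."""
    return cipher.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def negotiate(server, client, server_preference):
    """Return the suite chosen, or None if the two lists do not overlap.

    server_preference=False: the first client-offered suite the server also
    supports wins (Postfix default, tls_preempt_cipherlist = no).
    server_preference=True: the server walks its own ordered list and picks
    the first suite the client offered (tls_preempt_cipherlist = yes).
    """
    first, second = (server, client) if server_preference else (client, server)
    supported = set(second)
    return next((c for c in first if c in supported), None)


if __name__ == "__main__":
    for pref in (False, True):
        chosen = negotiate(SERVER_CIPHERS, LEGACY_CLIENT, pref)
        print(f"server_preference={pref}: {chosen} (forward secret: {forward_secret(chosen)})")
```

With server preference off, the legacy client lands on its first-listed TLS_RSA suite even though both sides support ECDHE; with it on, the server's ordering wins, while a client offering only TLS_RSA still connects instead of dropping to plain text.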