How to remove or disable SSLv2 and enable SSLv3 and TLSv1 in courier-imap, Apache and qmail

This post is old and the information is not kept up to date. For the current best practice, including how to disable SSLv2, please see this post.

This comes up all the time when clients are having PCI compliance scans done on their servers, or when checking your score on SSL Labs.

Disable SSLv2, SSLv3

qmail, by default, allows SSLv2 to be used.

Disabling SSLv2 is very easy.
Edit or create /var/qmail/control/tlsserverciphers
and add the following line to it:

ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

To disable both SSLv2 and SSLv3, use this line instead:
ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM

Now restart qmail, and you're done!

To disable SSLv2 in Apache:
Edit your /etc/httpd/httpd.conf and set:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!SSLv2:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

(The first line drops all SSL protocols, then enables SSLv3 and TLSv1.)
(The second line uses all ciphers except the ones with a ! in front of them.)

To remove SSLv3 as well, add !SSLv3 next to the !SSLv2 option.

For courier-imap, edit the following files and set TLS_CIPHER_LIST in each:

/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl

TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"

Again, to remove SSLv3, add !SSLv3.
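
An added example, not from the original post: a small Python audit that reads the qmail, Apache and courier-imap lines shown above and reports whether SSLv2 or SSLv3 is still usable. The function names, the three-protocol ALL set and the sample strings are assumptions made for the illustration.

```python
import re
# Assumption: the protocol names mod_ssl accepted when this post was written.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
CANON = {p.lower(): p for p in ALL_PROTOCOLS}

def apache_protocols(args):
    """Evaluate SSLProtocol arguments left to right; return the enabled set."""
    enabled = set()
    for token in args.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = set(ALL_PROTOCOLS) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:  # assumption: a bare name replaces what was set before
            enabled = group
    return enabled

def cipher_exclusions(cipher_string):
    """Names removed for good with '!' in an OpenSSL cipher string."""
    return {t[1:] for t in re.split(r"[:,\s]+", cipher_string.strip()) if t.startswith("!")}

def legacy_open(text):
    """Return which of SSLv2/SSLv3 a config (as text) still leaves usable."""
    protocols, excluded = None, set()
    for line in (l.strip() for l in text.splitlines()):
        key, _, rest = line.partition(" ")
        if key.lower() == "sslprotocol":
            protocols = apache_protocols(rest)
        elif key.lower() == "sslciphersuite":
            excluded |= cipher_exclusions(rest)
        elif line.startswith("TLS_CIPHER_LIST="):        # courier-imap
            excluded |= cipher_exclusions(line.split("=", 1)[1].strip('"'))
        elif ":" in line and " " not in line and not line.startswith("#"):
            excluded |= cipher_exclusions(line)          # qmail tlsserverciphers
    return {p for p in ("SSLv2", "SSLv3") if p not in excluded and (protocols is None or p in protocols)}

# Constructed sample configs using the lines from this post.
SAMPLES = {
    "qmail": "ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM\n",
    "qmail-no-ssl3": "ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM\n",
    "apache": "SSLProtocol -ALL +SSLv3 +TLSv1\n"
              "SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!SSLv2:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM\n",
    "courier": 'TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"\n',
}

for name, text in SAMPLES.items():
    print(name, sorted(legacy_open(text)) or "no SSLv2/SSLv3")
```

Keep in mind that in an OpenSSL cipher string, SSLv3 names the cipher suites introduced with SSL 3.0, which TLSv1 also uses, so !SSLv3 removes those suites for TLSv1 connections as well.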

You may want to add some iptables rules while you are in fixing mode:

# allow localhost to use everything (must come before the port rules below)
-A INPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
# rpcbind: answer TCP connection attempts with a reset
-A INPUT -p tcp -m tcp --dport 111 -j REJECT --reject-with tcp-reset
# ssh, and replies to connections that are already open
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j DROP
# bind9 (DNS), TCP and UDP
-A INPUT -p tcp -m tcp --dport 53 -j DROP
-A INPUT -p udp -m udp --dport 53 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
# mysql
-A INPUT -p tcp -m tcp --dport 3306 -j DROP

Reject everything to the rpcbind port, bind9, and MySQL (but allow localhost to use everything).
(You should really DROP or REJECT everything and only specifically ALLOW the services you need, e.g. allow ssh, Apache, and Apache SSL on port 443.)
