Hi Guys,
I hardened my Kerio Connect Server via the mailserver.cfg file.
Currently I don't experience any issue except that I'm not able to connect to the greylisting server (reputation-service.kerio.com).
[15/Jan/2020 07:00:10] Greylisting: reputation server 23.22.110.13 cannot establish secure connection: 430 Too many failed STARTTLS attempts.
[15/Jan/2020 07:00:10] Greylisting suspended for 17 minutes. While greylisting is suspended it is not applied to incoming messages.
These are the changes I have made:
<table name="Security">
<variable name="ServerTlsProtocols">TLSv1.2</variable>
<variable name="ServerTlsCiphers">AESGCM:HIGH:+ECDHE-ECDSA-AES256-GCM-SHA384:+ECDHE-ECDSA-AES128-GCM-SHA256:+ECDHE-RSA-AES128-GCM-SHA256:!CAMELLIA128-SHA:+ECDH-ECDSA-AES256-GCM-SHA384:+ECDHE-RSA-AES256-GCM-SHA384:!CAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!AES128-SHA256:!AES128-SHA:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256</variable>
<variable name="ClientTlsProtocols">TLSv1.2</variable>
<variable name="ClientTlsCiphers">AESGCM:HIGH:+ECDHE-ECDSA-AES256-GCM-SHA384:+ECDHE-ECDSA-AES128-GCM-SHA256:+ECDHE-RSA-AES128-GCM-SHA256:!CAMELLIA128-SHA:+ECDH-ECDSA-AES256-GCM-SHA384:+ECDHE-RSA-AES256-GCM-SHA384:!CAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!AES128-SHA256:!AES128-SHA:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256</variable>
</table>
<table name="SmtpSecurity">
<variable name="ServerTlsProtocols">TLSv1.2</variable>
<variable name="ServerTlsCiphers">AESGCM:HIGH:+ECDHE-ECDSA-AES256-GCM-SHA384:+ECDHE-ECDSA-AES128-GCM-SHA256:+ECDHE-RSA-AES128-GCM-SHA256:!CAMELLIA128-SHA:+ECDH-ECDSA-AES256-GCM-SHA384:+ECDHE-RSA-AES256-GCM-SHA384:!CAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!AES128-SHA256:!AES128-SHA:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256</variable>
</table>
Any ideas?
Does this server only support insecure TLS versions and ciphers?
Kerio-Connect version 9.2.10
Best regards
Timmi
[Updated on: Wed, 15 January 2020 08:09]
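One way to see which suites a cipher string like the one posted above actually leaves enabled is to resolve it locally. This is an added example, not part of the original post; it uses the OpenSSL build linked into the local Python, which is an assumption and may differ from the one bundled with Kerio Connect, and the `resolve` and `audit` helper names are hypothetical.

```python
import ssl

# ServerTlsCiphers / ClientTlsCiphers value copied verbatim from the post.
POSTED = "AESGCM:HIGH:+ECDHE-ECDSA-AES256-GCM-SHA384:+ECDHE-ECDSA-AES128-GCM-SHA256:+ECDHE-RSA-AES128-GCM-SHA256:!CAMELLIA128-SHA:+ECDH-ECDSA-AES256-GCM-SHA384:+ECDHE-RSA-AES256-GCM-SHA384:!CAMELLIA256-SHA:!DHE-RSA-CAMELLIA256-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!AES256-SHA256:!AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!AES128-SHA256:!AES128-SHA:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256"


def resolve(cipher_string):
    """TLS <= 1.2 suites the local OpenSSL enables for this string, in order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    # TLS 1.3 suites are configured separately and ignore this string.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Compare what the string names with what OpenSSL ends up enabling."""
    tokens = cipher_string.split(":")
    # '!' removes a suite permanently; '+' only moves an already-enabled
    # suite to the end of the preference list, it never adds one.
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    reordered = [t[1:] for t in tokens if t.startswith("+")]
    mentioned = excluded | set(reordered)
    enabled = resolve(cipher_string)
    names = [c["name"] for c in enabled]
    return {
        "enabled": names,
        # Should always be empty: a '!' entry that is still enabled.
        "leaked_exclusions": sorted(excluded & set(names)),
        # '+' entries the local build does not enable at all.
        "reorder_not_enabled": [n for n in reordered if n not in names],
        # Suites pulled in by the AESGCM/HIGH aliases, never named explicitly.
        "from_aliases_only": [n for n in names if n not in mentioned],
        # CBC-mode and other non-AEAD suites that survive the exclusions.
        "non_aead": [c["name"] for c in enabled if not c.get("aead", False)],
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for key, value in audit(POSTED).items():
        print(f"{key} ({len(value)}):")
        for name in value:
            print("   ", name)
```

The `from_aliases_only` and `non_aead` lists show what `AESGCM:HIGH` enables beyond the suites enumerated by name, which is the part of such a string that is easy to overlook when comparing it against what a remote peer offers.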