At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.

B

BenWinter

New Member
Dec 7, 2022
1
0
1
Hello,

I am trying to harden our TLS version and ciphers due to the following errors:

Verdict:​

At least one of your mail servers supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.
Mail server (MX)First found affected cipherStatus
*.AES128-SHAphase out

Verdict:​

At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.
Mail server (MX)Affected parametersSecurity level
*DH-2048insufficient

How can i disable these ?

Regards,
 
BenWinter said:
I am trying to harden our TLS version and ciphers due to the following errors:
Click to expand...
Can make sense - but keep in mind that SMTP uses opportunistic TLS - meaning if a sending server does only support weak ciphers and there is no overlap the traffic will go through as plaintext (instead of weakly encrypted).

On the other hand at some point it might make sense to get rid of really old ciphers

In any case the configuration needs to be done for postfix - see the reference documentation:
https://www.postfix.org/TLS_README.html#server_cipher

to make changes to PMG's postfix config use the templateing system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope this helps!
 
You must log in or register to reply here.
Top Bottom