Hello,
I checked both of my MX servers with the website https://www.hardenize.com/; for TLS 1.2 it flags the following cipher suites as outdated and no longer to be used:
TLS_DH_anon_WITH_AES_256_GCM_SHA384 256 bits
TLS_DH_anon_WITH_AES_256_CBC_SHA256 256 bits
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 256 bits
TLS_ECDH_anon_WITH_AES_256_CBC_SHA 256 bits
TLS_DH_anon_WITH_AES_256_CBC_SHA 256 bits
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA 256 bits
TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits
TLS_RSA_WITH_AES_256_CCM_8 256 bits
TLS_RSA_WITH_AES_256_CCM 256 bits
TLS_RSA_WITH_ARIA_256_GCM_SHA384 256 bits
TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 256 bits
TLS_RSA_WITH_AES_256_CBC_SHA 256 bits
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 256 bits
TLS_DH_anon_WITH_AES_128_GCM_SHA256 128 bits
TLS_DH_anon_WITH_AES_128_CBC_SHA256 128 bits
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 128 bits
TLS_ECDH_anon_WITH_AES_128_CBC_SHA 128 bits
TLS_DH_anon_WITH_AES_128_CBC_SHA 128 bits
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA 128 bits
TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits
TLS_RSA_WITH_AES_128_CCM_8 128 bits
TLS_RSA_WITH_AES_128_CCM 128 bits
TLS_RSA_WITH_ARIA_128_GCM_SHA256 128 bits
TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 128 bits
TLS_RSA_WITH_AES_128_CBC_SHA 128 bits
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 128 bits
Error message:
Anonymous cipher suites are insecure because they don't authenticate servers. As a result, an active network adversary can silently intercept all communication. These suites should be removed as soon as possible.
First encountered suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384
This server uses key exchange parameters that are insecure. When using the ephemeral Diffie-Hellman key exchange (DHE), parameters below 1024 bits are considered insecure. For sufficient security, use 2048-bit parameters. It is generally not advisable to use stronger DHE key exchange because there is a measurable performance penalty and there is no meaningful increase in security. A well-configured TLS server should generally prefer the faster ECDHE key exchange anyway. When it comes to ECDHE, aim for at least 256 bits; anything below 200 bits is weak. For best results, use secp256r1 and secp384r1, which are required in practice, and x25519 as an emerging standard.
Key exchange length: 0
Key exchange algorithm: DH_anon
Example suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384
Even though this server supports TLS 1.2, the cipher suite configuration is suboptimal. We recommend that you reconfigure the server so that the cipher suites providing forward secrecy (ECDHE or DHE in the name, in this order of preference) and authenticated encryption (GCM or CHACHA20 in the name) are at the top. The server must also be configured to select the best-available suite.
Where can I permanently disable these in the mail gateway?
Kind regards
Martin Krüger