Ciphers support

MailCleaner Support
Added almost 4 years ago

Some of you are wondering why MailCleaner is supporting weak ciphers. We do so to propose the maximum number of ciphers and therefore be able to support the widest range of configuration but be reassured that this is NOT a security threat and security stays of course our primary concern.

The warnings are related to using less than the best available ciphers for encryption, however, this is only sort of true. It is warning that weaker ciphers are available, but when negotiating with any other host, the machines will agree upon the strongest cipher which is mutually supported. If the two hosts fail to agree on a cipher, SMTP messages will be sent in plain-text instead, so having weaker ciphers available is not necessarily a bad thing. For HTTPS, however, it is not possible to fall back to plain-text at all. The browser will be unable to make a connection if no agreed upon cipher is determined.

We provide the latest ciphers that are available on the Debian version embedded in MailCleaner.

In the meantime, if you'd like to specify which ciphers you are willing to accept for SMTP traffic, you can use Configuration->SMTP->TLS/SSL->Accepted Ciphers. A string that will prune all of the weakest ciphers while also providing broad compatibility would be:

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:+HIGH:+MEDIUM:!SSLv2:!SSLv3

Changing which ciphers are available to Apache for HTTPS requires direct access to the configuration file, however it is also more predictable which will actually be attempted, all modern browsers have access to the latest strong ciphers at all times, so restricting weaker ciphers will only serve to brake compatibility with very old browsers. It is better to have your users upgrade to the latest browser than to make them unable to access MailCleaner altogether.