
Document information

Document ID: 5301
Subject: Configuring SSL ciphers
Creation date: 5/27/19 10:24 AM
Last modified on: 5/27/19 10:25 AM


Configuring SSL Ciphers

Administrators often want to manage the SSL ciphers used by Xeams. Use the following tips as a guideline if you wish to view or modify them.

By default, Xeams does not specify any particular SSL ciphers; the effective list is inherited from the JRE you're using. Newer JREs often keep up with new ciphers and disable the ones that are no longer considered safe. Therefore, it is recommended that you make sure Xeams is using the latest JRE specified on this page.

Use the following steps to modify ciphers used in Xeams:

  • Add the following line to the server.properties file:
  • ssl.cipher.list=[COMMA SEPARATED CIPHER NAMES]

For example:

ssl.cipher.list=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,additional ciphers...

Viewing and Modifying Ciphers

The correct way to test for enabled ciphers is to connect a TCP/IP client to Xeams and see which ciphers are available. One such client is the nmap tool that is available on most Linux machines. You can download nmap for Windows from https://nmap.org/book/inst-windows.html.

Run the following command using nmap:

nmap --script ssl-enum-ciphers -p 443 mail.yourserver.com 2>/dev/null

Replace the port and hostname in the above command to match your server. To test the ciphers for SMTP, use the secure port, such as 465. You cannot run this test on port 25 or 587 because they start the communication without encryption and upgrade to it later.
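To confirm that an ssl.cipher.list change is actually in effect, the nmap output can be compared against the configured list. The script below is an added example, not part of Xeams or of the original article; it assumes the nmap output has been saved as text, and both sample inputs are constructed.

```python
import re

# Constructed samples: a server.properties fragment and ssl-enum-ciphers output.
SAMPLE_PROPERTIES = """\
ssl.cipher.list=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256
"""
SAMPLE_NMAP = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|_  least strength: A
"""

def configured_ciphers(properties_text):
    """Return the suites named by ssl.cipher.list, or [] if the key is absent."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ssl.cipher.list":
            return [c.strip() for c in value.split(",") if c.strip()]
    return []

def offered_ciphers(nmap_text):
    """Return {protocol: [suite, ...]} parsed from ssl-enum-ciphers output."""
    offered, proto = {}, None
    for line in nmap_text.splitlines():
        body = line.lstrip("|_ ").rstrip()   # drop nmap's tree-drawing prefix
        m = re.fullmatch(r"((?:SSL|TLS)v[\d.]+):", body)
        if m:
            proto = m.group(1)
            offered[proto] = []
        elif proto and re.match(r"(TLS|SSL)_\w+ ", body):
            offered[proto].append(body.split()[0])
    return offered

def compare(properties_text, nmap_text):
    """Return (configured but not offered, offered but not configured)."""
    wanted = set(configured_ciphers(properties_text))
    seen = {c for suites in offered_ciphers(nmap_text).values() for c in suites}
    return sorted(wanted - seen), sorted(seen - wanted)

if __name__ == "__main__":
    print(compare(SAMPLE_PROPERTIES, SAMPLE_NMAP))
```

A suite that is configured but never offered typically means the JRE does not support it or the certificate's key type does not match (ECDSA suites need an ECDSA certificate). A suite that is offered but not in the list suggests the setting is not in effect.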


