Product » A free email server for Windows and Linux » Knowledge Base
Document information
| Document ID: | 5301 |
|---|---|
| Subject: | Configurating SSL ciphers |
| Creation date: | 5/27/19 10:24 AM |
| Last modified on: | 5/27/19 10:25 AM |
Configuring SSL Ciphers
Often administrators want to manage SSL ciphers used by Xeams. Use the following tips as a guideline if you wish to view/modify SSL ciphers.
By default, Xeams does not specify any particular SSL ciphers. The actual value gets inherited from JRE you're using. Newer JREs often keep up with new ciphers and disable the ones that are no longer considered safe. Therefore, it is recommended you make sure your Xeams is using the latest JRE specified on this page.
Use the following steps to modify ciphers used in Xeams:
- Add the following line server.properties file
- ssl.cipher.list=[COMMA SEPARATED CIPHER NAMES]
For example:
ssl.cipher.list=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,additional ciphers...
Viewing and Modifying Ciphers
The correct way to test for enabled ciphers is to connect a TCP/IP client to Xeams and see which ciphers are available. One such client is the nmap tool that is available on most Linux machines. You can download nmap for Windows from https://nmap.org/book/inst-windows.html.
Run the following command using nmap:
nmap --script ssl-enum-ciphers -p 443 mail.yourserver.com 2>/dev/null
Replace the port and hostname in the above command to match with your server. To test the ciphers for SMTP,
use the secure port, such as 465. You cannot run this test on port 25 or 587 because they start the communication
without encryption but upgrade later on.
Add a comment to this document
Do you have a helpful tip related to this document that you'd like to share with other users?