| Document ID: | 5301 |
|---|---|
| Subject: | Configuring SSL ciphers |
| Creation date: | 5/27/19 10:24 AM |
| Last modified on: | 5/27/19 10:25 AM |

Often administrators want to manage SSL ciphers used by Xeams. Use the following tips as a guideline if you wish to view/modify SSL ciphers.
By default, Xeams does not specify any particular SSL ciphers. The actual value is inherited from the JRE you're using. Newer JREs often keep up with new ciphers and disable the ones that are no longer considered safe. Therefore, it is recommended that you make sure Xeams is using the latest JRE specified on this page.
Use the following steps to modify ciphers used in Xeams:
For example:
ssl.cipher.list=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,additional ciphers...
The correct way to test for enabled ciphers is to connect a TCP/IP client to Xeams and see which ciphers are available. One such client is the nmap tool that is available on most Linux machines. You can download nmap for Windows from https://nmap.org/book/inst-windows.html.
Run the following command using nmap:
nmap --script ssl-enum-ciphers -p 443 mail.yourserver.com 2>/dev/null
Replace the port and hostname in the above command to match your server. To test the ciphers for SMTP, use the secure port, such as 465. You cannot run this test on port 25 or 587 because they start the communication without encryption but upgrade later on.
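To confirm that a change to ssl.cipher.list took effect, the suites reported by the scan can be compared with the configured list. The Python script below is an added example, not part of Xeams or of the original article; the nmap output and the property line in it are constructed samples, and the function names are hypothetical.

```python
import re

# A suite line looks like "|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A".
SUITE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+)\s.*-\s+(\S+)\s*$")
PROTO = re.compile(r"^\|\s+((?:TLS|SSL)v[\d.]+):\s*$")

# Constructed sample scan output, not captured from a real server.
SAMPLE_NMAP = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|_  least strength: C
"""
# Constructed property line holding the three suites named in the article.
SAMPLE_PROPERTY = ("ssl.cipher.list=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,"
                   "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,"
                   "TLS_RSA_WITH_AES_256_CBC_SHA256")

def parse_property(line):
    """Return the suite names from an 'ssl.cipher.list=a,b,c' line."""
    key, sep, value = line.strip().partition("=")
    if key.strip() != "ssl.cipher.list" or not sep:
        raise ValueError("not an ssl.cipher.list property")
    return [s.strip() for s in value.split(",") if s.strip()]

def parse_nmap(text):
    """Map each offered suite to its nmap grade and the protocols offering it."""
    offered, proto = {}, None
    for line in text.splitlines():
        if (m := PROTO.match(line)):
            proto = m.group(1)
        elif proto and (m := SUITE.match(line)):
            entry = offered.setdefault(m.group(1), {"grade": m.group(2), "protocols": []})
            entry["protocols"].append(proto)
    return offered

def compare(configured, offered):
    """Return (offered but not configured, configured but not offered)."""
    return (sorted(set(offered) - set(configured)),
            [s for s in configured if s not in offered])

if __name__ == "__main__":
    print(compare(parse_property(SAMPLE_PROPERTY), parse_nmap(SAMPLE_NMAP)))
```

A non-empty first list means the server still offers suites that the property does not name; a non-empty second list means a configured suite did not appear in the scan.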