The server does not prefer cipher suites

spinx
Posts: 10
Joined: Thu Jan 02, 2020 8:11 am

Post by spinx »

Hi,

I have Zimbra open source 8.8.15 and I have run a security test and it shows "The server does not prefer cipher suites. We advise to enable this feature in order to enforce usage of the best cipher suites selected."

Can someone help me resolve this?

Regards
spinx
Posts: 10
Joined: Thu Jan 02, 2020 8:11 am

Re: The server does not prefer cipher suites

Post by spinx »

Does anyone have any idea?
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: The server does not prefer cipher suites

Post by phoenix »

Which 'security test' was this? Have you read the wiki article(s) on ciphers?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
spinx
Posts: 10
Joined: Thu Jan 02, 2020 8:11 am

Re: The server does not prefer cipher suites

Post by spinx »

Hi, there were a few security scans and all show that I don't have cipher order configured.

I have tried everything :)
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: The server does not prefer cipher suites

Post by phoenix »

How about telling me which ones so I can verify them? You also didn't answer if you've read the wiki articles on ciphers.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
spinx
Posts: 10
Joined: Thu Jan 02, 2020 8:11 am

Re: The server does not prefer cipher suites

Post by spinx »

https://www.immuniweb.com/ssl/

Yes, I have read everything. I have been facing this problem for a few days and have read everything that is about ciphers in the wiki and on Google.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: The server does not prefer cipher suites

Post by phoenix »

Well, I've run that test and I don't see that message anywhere. I'd suggest you use the articles here:

https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test
https://www.huuphan.com/2017/07/zimbra-qualys-a.html

Make the required changes and try the test again.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
spinx
Posts: 10
Joined: Thu Jan 02, 2020 8:11 am

Re: The server does not prefer cipher suites

Post by spinx »

Hi,
The problem is on port 25; on this port it shows this problem, not on 443.

regards
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: The server does not prefer cipher suites

Post by phoenix »

spinx wrote: The problem is on port 25, on this port it shows this problem not on 443.

You should have mentioned that to start with; a full description of a problem and your attempts to fix it go a long way to an earlier resolution.

It's my understanding (although I'm no expert) that this feature requires:

 tls_preempt_cipherlist = yes

That is a feature of SSLv3: http://www.postfix.org/postconf.5.html# ... cipherlist and, as SSLv2 & SSLv3 are deprecated in Zimbra (and in general) and you can exclude those from being used, you're not able to make that change. Also, what you see on 'test sites' isn't necessarily best practice. I'll wait to be corrected on any errors in my comments by someone more knowledgeable than me.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
neutronscott
Posts: 28
Joined: Fri Jun 09, 2017 2:05 pm

Re: The server does not prefer cipher suites

Post by neutronscott »

This is a good change. MTA encryption is usually opportunistic and will use plaintext, so it's not a huge deal. That is a good tool though. Nessus did not find this on 25 for me.
The feature has existed since SSL3, so it is still correct for TLS.
Again, not much gain if you still support the worst ciphersuite of them all, NULL :lol: but that's the evil of email.
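
A way to check the port 25 behaviour discussed in this thread, as an added example that is not part of any post: it performs STARTTLS twice with the client's cipher order reversed and compares which suite the server picks each time. The two suite names and all function names are assumptions chosen for illustration.

```python
import smtplib
import ssl

# Two common TLS 1.2 suites (assumed pair; pick two your MTA actually enables).
SUITE_A = "ECDHE-RSA-AES256-GCM-SHA384"
SUITE_B = "ECDHE-RSA-AES128-GCM-SHA256"


def negotiate_smtp(host, offered, port=25, timeout=10):
    """STARTTLS offering `offered` in that order; return the suite the server chose."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Probe only: we inspect the negotiated cipher, not the peer's identity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # set_ciphers() does not govern TLS 1.3 suites, so cap the probe at TLS 1.2.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(offered))
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.cipher()[0]


def cipher_order_policy(host, negotiate=negotiate_smtp):
    """Classify who decides the suite: 'server', 'client' or 'inconclusive'."""
    pick_ab = negotiate(host, [SUITE_A, SUITE_B])
    pick_ba = negotiate(host, [SUITE_B, SUITE_A])
    if pick_ab != pick_ba:
        # The server followed each client ordering: no server preference enforced.
        both_first = (pick_ab, pick_ba) == (SUITE_A, SUITE_B)
        return "client" if both_first else "inconclusive"
    # Same pick twice. Rule out "server only supports one of the two suites".
    other = SUITE_B if pick_ab == SUITE_A else SUITE_A
    try:
        negotiate(host, [other])
    except OSError:  # ssl.SSLError and smtplib errors are OSError subclasses
        return "inconclusive"
    return "server"


if __name__ == "__main__":
    import sys
    print(cipher_order_policy(sys.argv[1]))
```

A result of "client" corresponds to the scanner message quoted in the first post; rerun the probe after changing `tls_preempt_cipherlist` to confirm the setting took effect on port 25.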