Qualys + QMail TLS = ?

This post is meant to save others the time it took to find a solution for the above. Since the solution isn't documented anywhere on the Internet, it was a matter of trial and error before a friend's server passed a QualysGuard scan with no severity level 3 vulnerabilities on port 25 (SMTP with STARTTLS).

First of all, some background information. By default, QMail patched for TLS support does not set a cipher list of its own, so it ends up with the OpenSSL library's built-in DEFAULT string, which in OpenSSL 0.9.x is:
ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH

The @STRENGTH keyword sorts the resulting list by key length, strongest first. The rest of the string is weaker than it looks: ALL includes the export, low-strength and anonymous suites, !ADH removes only the anonymous Diffie-Hellman ones, and +SSLv2 merely moves the SSLv2 suites to the end of the list (a leading + reorders matching suites; only ! removes them).

Qualys does not regard SSLv2 cipher suites as strong, because of the protocol's known vulnerabilities, and it does not accept anonymous (unauthenticated) cipher suites either, since without server authentication any man-in-the-middle can impersonate the server.

The solution is to create two control files containing a modified cipher string:
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

The ! terms kill the anonymous (aNULL/ADH), NULL-encryption, low-strength, export and SSLv2 suites outright. The trailing +HIGH:+MEDIUM moves the HIGH suites to the end of the list and then the MEDIUM suites behind them, so the server offers HIGH first and MEDIUM (RC4 among them) last. With no SSLv2 suite left in the list, an SSLv2 handshake cannot complete at all, which is what the scanner is looking for.

The files that must be created are ‘/var/qmail/control/tlsserverciphers’ (used by qmail-smtpd for inbound connections) and ‘/var/qmail/control/tlsclientciphers’ (used by qmail-remote when it delivers outbound mail over TLS). Each file holds the cipher string on a single line.
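Before writing the control files it is worth seeing what each string actually expands to on the OpenSSL qmail links against. The script below is an added example for this post, not code from qmail or its TLS patch: it hands both strings from the post to the OpenSSL that Python's ssl module links against and lists the suites a scanner objects to. Qualys' own rules are not public, so the checks are the classes the post names (anonymous suites, SSLv2) plus NULL, export and sub-112-bit suites, which every scanner flags; the exact expansion depends on the OpenSSL version (the post was written against 0.9.x, which still compiled in SSLv2 and export suites, whereas a current OpenSSL will show fewer suites and no RC4).

```python
"""Expand the cipher strings from the post and flag what a scanner rejects.

Added example, not code from qmail or its TLS patch.  Assumes Python's ssl
module is linked against OpenSSL, so set_ciphers()/get_ciphers() expand a
string exactly as that library would.  The audit rules are an assumption
about what Qualys flags; its rule set is not public.
"""
import ssl

# Both cipher strings are quoted from the post.
QMAIL_DEFAULT = "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"   # OpenSSL 0.9.x DEFAULT
QMAIL_FIXED = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"


def expand(cipher_string):
    """Return the suites OpenSSL selects for cipher_string, in preference order.

    Each entry is a dict with at least 'name', 'description' (the same text
    `openssl ciphers -v` prints) and 'strength_bits'.  Unknown aliases such as
    SSLv2 on an OpenSSL that no longer has it are ignored by the parser.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit(cipher_string, min_bits=112):
    """Return (suite, reason) pairs for suites a scanner would flag."""
    findings = []
    for suite in expand(cipher_string):
        name = suite["name"]
        desc = suite["description"]
        bits = suite["strength_bits"]
        if "Au=None" in desc:                # ADH, AECDH: no server authentication
            findings.append((name, "anonymous key exchange, MITM-able"))
        elif "Enc=None" in desc:             # eNULL: plaintext on the wire
            findings.append((name, "NULL encryption"))
        elif name.startswith("EXP"):         # 40/56-bit export-grade suites
            findings.append((name, "export-grade key length"))
        elif bits < min_bits:                # LOW: single DES and friends
            findings.append((name, "only %d-bit encryption" % bits))
    return findings


def dropped_by_fix(old=QMAIL_DEFAULT, new=QMAIL_FIXED):
    """Suites present in the old expansion that the new string no longer offers."""
    kept = {s["name"] for s in expand(new)}
    return [s["name"] for s in expand(old) if s["name"] not in kept]


if __name__ == "__main__":
    for label, cs in (("default", QMAIL_DEFAULT), ("fixed", QMAIL_FIXED)):
        flagged = audit(cs)
        print("%s: %d suites offered, %d flagged" % (label, len(expand(cs)), len(flagged)))
        for name, reason in flagged:
            print("  %-28s %s" % (name, reason))
    print("removed by the fix:", ", ".join(dropped_by_fix()) or "(nothing)")
```

The default string is flagged even on a modern OpenSSL because !ADH leaves the anonymous ECDH (AECDH-*) suites in place; only !aNULL removes every unauthenticated suite, which is why the fixed string carries both. The same listing is available from the shell as `openssl ciphers -v '<cipher string>'` on the mail server itself, which is the check to run against the exact OpenSSL build qmail uses.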

Restart QMail and voila, your QMail server is now configured to use strong ciphers that Qualys will approve of :) Re-run the scan afterwards to confirm: scanner policies tighten over time, so a cipher string that passes today may need revisiting.