Qualys + QMail TLS = ?

This post is meant to save others the time of finding a solution for the above.  Since the solution isn't documented anywhere on the Internet, it took some trial and error before a QualysGuard scan of a friend's server passed with no level 3 vulnerabilities on port 25 over SSL.

First of all, some background information.  By default, QMail configured with TLS support uses this default OpenSSL cipher list:
ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH

The @STRENGTH keyword sorts the ciphers by strength.

Qualys does not consider SSLv2 ciphers strong, because of the known weaknesses in that protocol version, and it does not permit anonymous (unauthenticated) ciphers at all.

The solution is to create two files, each containing this modified cipher list:
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

The files that must be created are ‘/var/qmail/control/tlsserverciphers’ and ‘/var/qmail/control/tlsclientciphers’.

Restart QMail and voila, your QMail server is now configured to use strong ciphers that Qualys will approve of :)
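To make the cipher-list syntax above concrete, here is an added example in Python; it is not QMail's or OpenSSL's code. It models, in simplified form, how OpenSSL evaluates a cipher list (plain keywords append, `!` deletes permanently, `-` removes, `+` moves matches to the end, `keyword+keyword` intersects, `@STRENGTH` sorts by key size) and runs both the default string and the hardened string against a constructed table of cipher suites whose attributes are illustrative. It shows what the default list leaves enabled and why `!aNULL` matters in addition to `!ADH`: anonymous ECDH suites are not covered by `!ADH`. On a real server the equivalent check is `openssl ciphers -v "$(cat /var/qmail/control/tlsserverciphers)"`.

```python
"""Simplified model of OpenSSL cipher-list evaluation (added example, not OpenSSL)."""
from dataclasses import dataclass

DEFAULT = "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
HARDENED = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"


@dataclass(frozen=True)
class Cipher:
    name: str       # OpenSSL-style suite name
    proto: str      # "SSLv2" or "SSLv3" (old OpenSSL reports TLSv1 suites as SSLv3)
    kx: str         # key exchange: "RSA", "DH", "ECDH"
    au: str         # authentication: "RSA", "None" (anonymous)
    enc: str        # symmetric cipher, "None" for NULL encryption
    bits: int       # key size used by @STRENGTH
    strength: str   # OpenSSL strength class: "HIGH", "MEDIUM", "LOW", "EXP", "NONE"


# Constructed sample of the cipher table, roughly in OpenSSL's default order.
TABLE = [
    Cipher("DHE-RSA-AES256-SHA", "SSLv3", "DH", "RSA", "AES", 256, "HIGH"),
    Cipher("AES256-SHA", "SSLv3", "RSA", "RSA", "AES", 256, "HIGH"),
    Cipher("ADH-AES256-SHA", "SSLv3", "DH", "None", "AES", 256, "HIGH"),
    Cipher("AECDH-AES256-SHA", "SSLv3", "ECDH", "None", "AES", 256, "HIGH"),
    Cipher("DES-CBC3-SHA", "SSLv3", "RSA", "RSA", "3DES", 168, "HIGH"),
    Cipher("DES-CBC3-MD5", "SSLv2", "RSA", "RSA", "3DES", 168, "HIGH"),
    Cipher("AES128-SHA", "SSLv3", "RSA", "RSA", "AES", 128, "HIGH"),
    Cipher("RC4-SHA", "SSLv3", "RSA", "RSA", "RC4", 128, "MEDIUM"),
    Cipher("RC4-MD5", "SSLv3", "RSA", "RSA", "RC4", 128, "MEDIUM"),
    Cipher("RC2-CBC-MD5", "SSLv2", "RSA", "RSA", "RC2", 128, "MEDIUM"),
    Cipher("DES-CBC-SHA", "SSLv3", "RSA", "RSA", "DES", 56, "LOW"),
    Cipher("EXP-RC4-MD5", "SSLv3", "RSA", "RSA", "RC4", 40, "EXP"),
    Cipher("NULL-SHA", "SSLv3", "RSA", "RSA", "None", 0, "NONE"),
]

# Keyword semantics, approximating the OpenSSL ciphers(1) definitions.
KEYWORDS = {
    "ALL": lambda c: c.enc != "None",            # everything except NULL encryption
    "aNULL": lambda c: c.au == "None",           # any anonymous (unauthenticated) suite
    "eNULL": lambda c: c.enc == "None",          # NULL encryption
    "ADH": lambda c: c.kx == "DH" and c.au == "None",  # anonymous DH only, not ECDH
    "RSA": lambda c: c.kx == "RSA",
    "RC4": lambda c: c.enc == "RC4",
    "HIGH": lambda c: c.strength == "HIGH",
    "MEDIUM": lambda c: c.strength == "MEDIUM",
    "LOW": lambda c: c.strength == "LOW",
    "EXP": lambda c: c.strength == "EXP",
    "SSLv2": lambda c: c.proto == "SSLv2",
    "SSLv3": lambda c: c.proto == "SSLv3",
}


def select(cipher_string, table=TABLE):
    """Return the suite names a cipher string enables, in the resulting order."""
    active = []      # currently selected suites, in order
    killed = set()   # suites deleted with '!', which later keywords cannot re-add
    for tok in cipher_string.split(":"):
        if tok == "@STRENGTH":
            active.sort(key=lambda c: -c.bits)   # stable sort: ties keep their order
            continue
        op, body = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        try:
            tests = [KEYWORDS[kw] for kw in body.split("+")]  # 'A+B' = both must match
        except KeyError as e:
            raise ValueError(f"unknown cipher keyword {e}") from None
        hit = [c for c in table if all(t(c) for t in tests)]
        if op == "!":
            killed.update(hit)
            active = [c for c in active if c not in killed]
        elif op == "-":
            active = [c for c in active if c not in hit]
        elif op == "+":
            active = [c for c in active if c not in hit] + [c for c in active if c in hit]
        else:
            active += [c for c in hit if c not in active and c not in killed]
    return [c.name for c in active]


def is_weak(c):
    """Weakness criteria from the post: anonymous, NULL, LOW/export or SSLv2 suites."""
    return c.au == "None" or c.enc == "None" or c.strength in ("LOW", "EXP") or c.proto == "SSLv2"


def weak_ciphers(cipher_string, table=TABLE):
    """Names of the enabled suites that a scanner applying those criteria would flag."""
    by_name = {c.name: c for c in table}
    return [n for n in select(cipher_string, table) if is_weak(by_name[n])]


if __name__ == "__main__":
    for label, s in (("default", DEFAULT), ("hardened", HARDENED)):
        print(f"{label}: {select(s)}")
        print(f"  flagged: {weak_ciphers(s)}")
```

Two details worth noticing in the output: the default list keeps the anonymous ECDH suite because `!ADH` only covers DH, which is why the hardened list adds `!aNULL`; and `+HIGH:+MEDIUM` ends with HIGH suites ahead of MEDIUM ones, because each `+` moves its matches to the end, so the last keyword's suites end up last. The hardened list still enables RC4 and 3DES, which current scanners flag; the same control files accept any OpenSSL cipher list, so they can be tightened further (for instance with `!RC4`) as scanner criteria move on.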

3 thoughts on “Qualys + QMail TLS = ?”

  1. Thanks for posting this. I managed to reduce some of the level 3 warnings on my Qualys check after this.

    How did you get rid of any port 993/995 warnings?

  2. Sorry for the long delay.

    1. The key is to edit /etc/courier-imap/imapd-ssl.
    2. Look for the following two lines:
         IMAPDSSLSTART=YES
         IMAPDSTARTTLS=YES
    3. Change those lines to read NO.
    4. Edit /etc/courier-imap/pop3d-ssl in the same manner.
    5. Restart the courier-imap daemon: service courier-imap restart
    6. Voila, fixed :-)

  3. However, if you ARE using IMAP or POP3 over SSL with TLS, I would recommend updating the aforementioned files to use the strong TLS cipher set mentioned in the blog post.
