Security level low, need fix some configurations.

Hi to all,
I'M new on Centos Panel.

I'm testing the panel and services and found that once the panel configure the email settings there are security issues.
The security issues is about the SSL configuration.

I created an user that has a domain configured with SSL.
The admin panel is setup in a SSL domain.

I login as user (CWP Panel), goes into email section.
Here i can see the created email address and below Mail Settings Secure SSL/TLS Settings.

This settings is not really secure just test here: https://www.immuniweb.com/ssl



See: https://www.immuniweb.com/ssl/?id=T1Zhx3qf

TLS 1.0 is still supported. How i can disable this for email?
How can i set different chippers suite for email?

Thanks

Security issue are present in dovecot and postfix in centos panel.
Score is always F on https://www.immuniweb.com/ssl for the port 993, 465

Now for the port 465 as i edit something into dovecot configuration the score is B-
there is a Logjam vulnerability present for dovecot and postfix.

For postfix I'm completely unable to disable TLS 1.0 even if i followed online guide and edited main.cf



Seems there is no support that reply here in the forum.

Seems no staff reply and support here.
I opened a ticket (also if I'm not currently a paid user) and received what i think is wrong replies where was told to me there are no security issues just compatibility configuration. Not need to edit postfix but only dovecot, etc.

You cannot fix security issue on port 465 and 993 by editing only dovecot.

On in /etc/postfix edit main.cf you need to add:

Code: [Select]

smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
#smtpd_tls_cert_file = /etc/pki/tls/certs/centospanel-peopleinside.it.crt
#smtpd_tls_key_file = /etc/pki/tls/private/centospanel-peopleinside.it.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no

smtpd_tls_eecdh_grade = strong
Need now generate the file /etc/postfix/dh2048.pem
Execute as root (prime group generation can take a few seconds to a few minutes):

Code: [Select]

  # cd /etc/postfix
    # umask 022
    # openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
    # chmod 644 dh512.pem dh1024.pem dh2048.pem
For fix issue on port 993:
Have to disable TLS 1.0 /etc/dovecot/dovecot.conf

Code: [Select]

ssl_protocols = !SSLv2 !SSLv3 !TLSv1

ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
Than restart dovecot and postfix

Many thanks for the useful thread.
You are correct - support only appears on a full moon, if the weather is right! Grr.

Hope this post can help someone.
Centos Panel is a great panel,m free and has big potentiality but security issue is not something of Good.
I discovered also phpmyadmin in Centos Panel seems to be very old.

My worry is: old software = security issue / vulnerability.

Rack911 found a heap of security issues, that allegedly have been fixed but the developer(s) hasn't produced ANY evidence of this.
Lack of communication is the primary concern with using CWP.

Understood. And indication is just the forum that is insecure under HTTP