Sophos UTM - Restrict use of insecure TLS ciphers

edited September 8 in Sophos
To be able to comply with the current TLS cipher suites, changes are required to exim.conf on the UTM.
Changes without agreement of Sophos Support will void your support on the UTM!
For support requests to Sophos Support, you can refer to Sophserv ticket #10042793 or to the new Support Case 03029231.
Actions:
Log in to the UTM with ssh as loginuser and become root with su -
Change the following line in block # Misc static settings of /var/storage/chroot-smtp/etc/exim.conf
tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2
to
#tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2
tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!AES256-GCM-SHA384:!AES256-SHA256:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!AES128:!AES256-SHA:!SSLv2
Restart exim:
/var/mdw/scripts/smtp restart
As script:
vi exim_tls.sh
#!/bin/bash
# Swap the stock cipher string for the restricted one in the SMTP chroot's exim.conf.
sed -i 's/tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2/tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!AES256-GCM-SHA384:!AES256-SHA256:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!AES128:!AES256-SHA:!SSLv2/g' /var/storage/chroot-smtp/etc/exim.conf
# Show the resulting line to confirm the change took.
grep tls_require_ciphers /var/storage/chroot-smtp/etc/exim.conf
# Restart exim so the new cipher list takes effect.
/var/mdw/scripts/smtp restart

chmod +x exim_tls.sh

Comments

  • edited September 9
    We found issues with O365 with the above settings. This is currently under investigation.
    For reference, the MS supported ciphers and the Google supported ciphers are listed below.
    Solution for this issue:
    Change the replacement to include AES256-GCM-SHA384 instead of excluding it.
    So the correct sed statement would be:
    sed -i 's/tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2/tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!AES256-SHA256:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!AES128:!AES256-SHA:!SSLv2/g' /var/storage/chroot-smtp/etc/exim.conf
    and in the exim.conf it should be shown as:
    tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!AES256-SHA256:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!AES128:!AES256-SHA:!SSLv2
    MS Ciphers:
    Cipher suite                           Key exchange algorithm/strength  Perfect Forward Secrecy  Cipher/strength  Authentication algorithm
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  ECDH/192                         Yes                      AES/256          RSA/112
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  ECDH/128                         Yes                      AES/128          RSA/112
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  ECDH/192                         Yes                      AES/256          RSA/112
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  ECDH/128                         Yes                      AES/128          RSA/112
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA     ECDH/192                         Yes                      AES/256          RSA/112
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     ECDH/128                         Yes                      AES/128          RSA/112
    TLS_RSA_WITH_AES_256_GCM_SHA384        RSA/112                          No                       AES/256          RSA/112
    TLS_RSA_WITH_AES_128_GCM_SHA256        RSA/112                          No                       AES/256          RSA/112
    Google Ciphers:
    TLS 1.3:
      TLS_AES_128_GCM_SHA256
      TLS_AES_256_GCM_SHA384
      TLS_CHACHA20_POLY1305_SHA256
    TLS 1.2:
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      TLS_RSA_WITH_AES_128_GCM_SHA256
      TLS_RSA_WITH_AES_256_GCM_SHA384
      TLS_RSA_WITH_AES_128_CBC_SHA
      TLS_RSA_WITH_AES_256_CBC_SHA
      TLS_RSA_WITH_3DES_EDE_CBC_SHA
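The following script is an added example, not the exim_tls.sh from the original post and not Sophos code. It applies the same edit as the post's manual steps, but using the corrected cipher string from the comment above (AES256-GCM-SHA384 left enabled), takes the config path as an argument so it can be tried on a copy first, backs the file up, refuses to touch a file whose tls_require_ciphers line is not the stock one, and verifies the result. It assumes GNU sed (for -i and a newline in the replacement, as on the UTM) and, for the optional cipher listing, an openssl binary; the function names and the backup file suffix are this example's own.

```shell
#!/bin/bash
# Added example (not the original post's exim_tls.sh): idempotent, verified
# version of the tls_require_ciphers change for the UTM's SMTP chroot exim.conf.
# Usage on the UTM as root:  ./exim_tls_check.sh /var/storage/chroot-smtp/etc/exim.conf
# then restart exim with /var/mdw/scripts/smtp restart as the post describes.

OLD_CIPHERS='HIGH:!RC4:!MD5:!ADH:!SSLv2'
# Corrected string from the comment: AES256-GCM-SHA384 stays enabled for O365.
NEW_CIPHERS='HIGH:!RC4:!MD5:!ADH:!AES256-SHA256:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!AES128:!AES256-SHA:!SSLv2'

# Print the first active (uncommented) tls_require_ciphers value in a config file.
current_ciphers() {
    sed -n 's/^[[:space:]]*tls_require_ciphers[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Apply the change to the given exim.conf. Exit status 0 when NEW_CIPHERS is
# active afterwards (already applied counts as success), 1 when the file is not
# in the expected stock state or the edit did not take.
apply_tls_ciphers() {
    conf=$1
    have=$(current_ciphers "$conf")
    if [ "$have" = "$NEW_CIPHERS" ]; then
        echo "already applied: $conf"
        return 0
    fi
    if [ "$have" != "$OLD_CIPHERS" ]; then
        echo "unexpected tls_require_ciphers value in $conf: '$have'" >&2
        return 1
    fi
    # Keep a timestamped copy so the change can be rolled back (backup suffix is this example's choice).
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    # Comment out the stock line, as the post does, and add the new line right after it (GNU sed).
    sed -i "s|^\([[:space:]]*\)tls_require_ciphers = $OLD_CIPHERS\$|#&\n\1tls_require_ciphers = $NEW_CIPHERS|" "$conf"
    [ "$(current_ciphers "$conf")" = "$NEW_CIPHERS" ]
}

# List the suites OpenSSL actually enables for a cipher string, so the result
# can be compared against the MS and Google lists in the comment. Needs the
# openssl binary; exit status 2 when it is not installed.
show_ciphers() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    openssl ciphers -v "$1"
}

# When run with a config path, apply the change and show the effective suite list.
# Without an argument the script only defines the functions above.
if [ -n "$1" ]; then
    apply_tls_ciphers "$1" && show_ciphers "$NEW_CIPHERS"
fi
```

Running show_ciphers on the old and new strings before touching the live file makes the difference between the two lists visible, which is the check the O365 problem in the comment would have surfaced early: the ECDHE AES-GCM suites both Microsoft and Google list must still appear in the output.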