Configuring SSL/TLS in Kerio Connect
NOTE
New in Kerio Connect 8.5!
Kerio Connect allows you to enable or disable specific security protocols and cipher sets manually for:
- Kerio Connect server in general
- SMTP services separately (for SMTP on port 25 and SMTPS on port 465)
You might need to adjust the security settings when a flaw in a security protocol is found or to get a good security rating for your server. (You can test your server, for example, at the Qualys SSL Labs test site.)
Changing the SSL/TLS configuration
Kerio Connect uses several variables for the SSL/TLS protocol configuration. To change the configuration:
- Stop the Kerio Connect engine.
- Open the configuration file mailserver.cfg for editing. For more information refer to Configuration files.
- Change the settings in the Security or SmtpSecurity sections. See the list of variables below.
- Save the file.
- Start Kerio Connect.
Resetting the SSL/TLS configuration
To reset the SSL/TLS configuration in the configuration file:
- Stop the Kerio Connect engine.
- Open the configuration file mailserver.cfg for editing. For more information refer to Configuration files.
- Delete every variable in the Security or SmtpSecurity sections.
- Save the file.
- Start Kerio Connect.
On start, Kerio Connect recreates all the SSL/TLS variables with their default values.
List of ciphers
Use only strong cipher suites so that the server meets the requirements of the various compliance standards.
The strong cipher suites available are:
| Strong ciphers (recommended) |
| --- |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA |
The following cipher suites are weak (their key exchange offers no forward secrecy) and are not recommended for compliance:
| Weak ciphers |
| --- |
| TLS_RSA_WITH_AES_256_GCM_SHA384 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_CAMELLIA_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA |
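The two tables above use IANA suite names, but the ServerTlsCiphers and ClientTlsCiphers variables take OpenSSL cipher-list syntax, so the names have to be translated before they can be pasted into mailserver.cfg. The script below is an added example (not Kerio code) that converts the IANA names into OpenSSL names using OpenSSL's standard naming convention, keeps only the suites with ephemeral (ECDHE/DHE) key exchange, and asks the local OpenSSL, through Python's ssl module, which of those suites it actually enables. The suite lists are constructed from the tables; the malformed TLS_RSA_WITH_CAMELLIA_CBC_SHA entry is kept on purpose to show that unparseable names are rejected rather than guessed at.

```python
"""Translate IANA cipher-suite names into the OpenSSL cipher-list names that
Kerio Connect's ServerTlsCiphers variable expects, keeping forward-secret
suites only.  Added example; the naming rules are OpenSSL conventions, not
Kerio code, and the input lists are constructed from the article's tables."""
import re
import ssl

# Constructed input: the article's strong and weak tables.
STRONG = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
]
WEAK = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_CBC_SHA",  # no key size, exactly as printed in the article
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
]

# TLS_<key exchange>_WITH_<bulk cipher>_<mode>_<MAC>
IANA_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE_RSA|DHE_RSA|RSA)_WITH_"
    r"(?P<alg>AES|CAMELLIA)_(?P<bits>128|256)_(?P<mode>GCM|CBC)_"
    r"(?P<mac>SHA(?:256|384)?)$"
)


def to_openssl(iana_name):
    """OpenSSL name for an IANA suite name, or None if the name does not parse."""
    m = IANA_RE.match(iana_name)
    if not m:
        return None
    kx = {"ECDHE_RSA": "ECDHE-RSA-", "DHE_RSA": "DHE-RSA-", "RSA": ""}[m["kx"]]
    bulk = m["alg"] + m["bits"]  # AES256, CAMELLIA128, ...
    if m["mode"] == "GCM":
        bulk += "-GCM"           # CBC is implicit in OpenSSL names
    return f"{kx}{bulk}-{m['mac']}"


def has_forward_secrecy(iana_name):
    """Strong, in the article's sense, means ephemeral (ECDHE or DHE) key exchange."""
    m = IANA_RE.match(iana_name)
    return bool(m) and m["kx"] != "RSA"


def build_cipher_list(iana_names):
    """Colon-separated OpenSSL cipher string from IANA names, in the given order.
    Static-RSA suites and unparseable names are returned separately as rejected."""
    keep, rejected = [], []
    for name in iana_names:
        ossl = to_openssl(name)
        if ossl is None or not has_forward_secrecy(name):
            rejected.append(name)
        else:
            keep.append(ossl)
    return ":".join(keep), rejected


def openssl_accepts(cipher_string):
    """Parse the string with the local OpenSSL and return the suites it enables.
    OpenSSL silently drops names a build does not support, so compare the result
    with what you intended to enable before putting the string into the config."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    value, rejected = build_cipher_list(STRONG + WEAK)
    print('<variable name="ServerTlsCiphers">' + value + "</variable>")
    print("rejected:", rejected)
    print("enabled by local OpenSSL:", openssl_accepts(value))
```

The order of the names is the order of preference when PreferServerCipherOrder is 1, so keep the AEAD (GCM) suites first. Run it on the machine whose OpenSSL the server uses: a suite missing from the openssl_accepts output is one that build will never negotiate, whatever the config says.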
List of variables
Kerio Connect uses eight variables for the SSL/TLS protocol configuration.
AllowEphemeralDH
NOTE
Changed in Kerio Connect 9.0.2!
The default value, 1, enables the use of DHE (Ephemeral Diffie-Hellman) for key exchange.
The server generates a random ephemeral public key for each session, so an attacker who later obtains the server's private key cannot decipher past sessions (this property is called forward secrecy).
NOTE
This variable replaces DisableEphemeralDH, which is used in Kerio Connect 9.0.0 and 9.0.1. In those versions, set DisableEphemeralDH to 0 to enable the use of DHE.
EphemeralDHParamSize
NOTE
New in Kerio Connect 9!
The default value, 0, sets the size of the DHE parameters to 2048 bits (1024 for SMTP services). The setting only has an effect when ephemeral DH is enabled (AllowEphemeralDH, or DisableEphemeralDH in 9.0.0 and 9.0.1).
You can change the value to 1024, 2048, or 4096.
AllowEphemeralECDH
The default value, 1, enables ECDHE for key exchange.
The server generates a random ephemeral public key for each session so that attackers cannot decipher past sessions. ECDHE is more efficient than DHE and uses shorter keys.
SSLDontInsertEmptyFragments
The default value, 1, disables the OpenSSL workaround for the CVE-2011-3389 vulnerability.
If you set the variable to 0, some older implementations of SSL may not connect to Kerio Connect servers.
ServerTlsProtocols
In this variable, you can change the SSL/TLS protocols used by Kerio Connect.
Leave the variable empty to use a default set of SSL/TLS protocols: TLSv1,TLSv1.1,TLSv1.2
To use a custom set of protocols, list the protocol names, separated by commas, in the variable.
For example: <variable name="ServerTlsProtocols">SSLv3,TLSv1,TLSv1.1,TLSv1.2</variable>
ServerTlsCiphers
In this variable, you can change the cipher list used by Kerio Connect.
Leave the variable empty to use a default cipher list: AESGCM:HIGH:+EDH-RSA-DES-CBC3-SHA:+EDH-DSS-DES-CBC3-SHA:+DES-CBC3-SHA
To use a custom cipher list, type the cipher list in the variable.
For the full syntax of cipher lists, see the OpenSSL website.
ClientTlsProtocols
In this variable, you can change the SSL/TLS protocols used when Kerio Connect acts as a client, for example, when sending messages via the SMTP protocol.
Leave the variable empty to use a default set of SSL/TLS protocols: TLSv1,TLSv1.1
To use a custom set of protocols, list the protocol names, separated by commas, in the variable.
For example: <variable name="ClientTlsProtocols">SSLv3,TLSv1,TLSv1.1,TLSv1.2</variable>
ClientTlsCiphers
In this variable, you can change the client cipher list.
Leave the variable empty to use a default cipher list.
To use a custom cipher list, type the cipher list in the variable.
For the full syntax of cipher lists, see the OpenSSL website.
PreferServerCipherOrder
The default value, 1, lets Kerio Connect decide which cipher suite to use, in the order given by its own cipher list, regardless of the client's preferences. With 0, the client's preference order wins.
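Because all of these variables live in plain XML, it is easy to check a server's Security section against the recommendations on this page before and after an edit. The script below is an added example, not Kerio code. It assumes the section is a `<table name="Security">` element containing the `<variable name="...">` elements shown above (the variable element is from this page; the table wrapper is an assumption, so adjust it to your file), and it chooses a TLSv1.2-only protocol set and a forward-secret cipher list as the hardened values, which is one reasonable choice rather than a Kerio default. The mailserver.cfg text is constructed.

```python
"""Audit the Security section of a Kerio Connect mailserver.cfg against the
recommendations in this article and produce a hardened copy.
Added example, not Kerio code.  Assumptions: the file is XML and the section is
a <table name="Security"> holding <variable name="..."> elements; the sample
config and the hardened values are constructed for the example."""
import ssl
import xml.etree.ElementTree as ET

# Constructed sample: a deliberately weak Security section.
SAMPLE_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <table name="Security">
    <variable name="ServerTlsProtocols">SSLv3,TLSv1,TLSv1.1,TLSv1.2</variable>
    <variable name="ServerTlsCiphers"></variable>
    <variable name="AllowEphemeralDH">0</variable>
    <variable name="EphemeralDHParamSize">1024</variable>
    <variable name="PreferServerCipherOrder">0</variable>
  </table>
</config>
"""

# Default list from the article, used when ServerTlsCiphers is empty.
DEFAULT_CIPHERS = "AESGCM:HIGH:+EDH-RSA-DES-CBC3-SHA:+EDH-DSS-DES-CBC3-SHA:+DES-CBC3-SHA"
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
HARDENED = {  # assumed target values, chosen for this example
    "ServerTlsProtocols": "TLSv1.2",
    "AllowEphemeralDH": "1",
    "AllowEphemeralECDH": "1",
    "EphemeralDHParamSize": "2048",
    "PreferServerCipherOrder": "1",
    # Forward-secret suites only (OpenSSL names), AEAD first.
    "ServerTlsCiphers": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
                        "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
                        "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
                        "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256",
}


def read_security(cfg_xml, section="Security"):
    """Return {variable name: value} for the given section."""
    table = ET.fromstring(cfg_xml).find(f"./table[@name='{section}']")
    if table is None:
        return {}
    return {v.get("name"): (v.text or "").strip() for v in table.findall("variable")}


def non_forward_secret(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL and return the
    enabled TLS 1.2-and-earlier suites whose key exchange is not ECDHE or DHE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"  # TLS 1.3 suites are always ephemeral
            and not c["name"].startswith(("ECDHE-", "DHE-"))]


def audit(variables):
    """Return (variable, finding) tuples for settings that weaken the server."""
    findings = []
    protocols = {p.strip() for p in variables.get("ServerTlsProtocols", "").split(",")}
    for p in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(("ServerTlsProtocols", f"{p} enabled"))
    if variables.get("AllowEphemeralDH") == "0":
        findings.append(("AllowEphemeralDH", "DHE disabled, no forward secrecy"))
    if variables.get("AllowEphemeralECDH") == "0":
        findings.append(("AllowEphemeralECDH", "ECDHE disabled"))
    if variables.get("EphemeralDHParamSize") == "1024":
        findings.append(("EphemeralDHParamSize", "1024-bit DH parameters"))
    if variables.get("PreferServerCipherOrder") == "0":
        findings.append(("PreferServerCipherOrder", "client chooses the cipher"))
    flagged = non_forward_secret(variables.get("ServerTlsCiphers") or DEFAULT_CIPHERS)
    if flagged:
        findings.append(("ServerTlsCiphers", f"{len(flagged)} suites without forward secrecy"))
    return findings


def harden(cfg_xml, section="Security"):
    """Return the config with HARDENED applied, adding missing variables."""
    root = ET.fromstring(cfg_xml)
    table = root.find(f"./table[@name='{section}']")
    if table is None:
        table = ET.SubElement(root, "table", name=section)
    for name, value in HARDENED.items():
        var = table.find(f"variable[@name='{name}']")
        if var is None:
            var = ET.SubElement(table, "variable", name=name)
        var.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for var, finding in audit(read_security(SAMPLE_CFG)):
        print(f"{var}: {finding}")
    print(harden(SAMPLE_CFG))
```

Run the audit on a copy of the live file while the engine is stopped, as the procedure above requires, and rerun it after the restart to confirm the variables were not reset. The cipher check relies on the OpenSSL Python is linked against, so run it on the mail server itself rather than on a workstation with a different OpenSSL build.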