This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cipher order and Key exchange parameters

Wesley van den Brink over 3 years ago

Hello,

When we do a test on www.internet.nl/.../*ourdomain* we are getting the following errors back:

Key exchange parameters:

At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.

DH-2048 insufficient

And the following:

Cipher order:

At least one of your mailservers does not enforce its own cipher preference ('I').

our domain : none

We are using Sophos UTM 9 version 9.707-5

How can we fix the errors on test?

This thread was automatically locked due to age.

Top Replies

BAlfson over 3 years ago in reply to Wesley van den Brink +1

Ahhh, I didn't read closely enough. I guess your TLS certificate is the problem. You can generate a new one with a 4096-bit key to replace the one you're currently using. Better luck with that, Wesley…

Parents

0 FormerMember over 3 years ago

Hi Wesley van den Brink,

Thank you for reaching out to the Community!

Would it be possible for you to share email protection configuration detail from your firewall?

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 Wesley van den Brink over 3 years ago in reply to FormerMember

Good morning Patel,

Maybe a stupid question. But how can i get this? (this device is new for me)
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Wesley van den Brink

Hoi Wesley and welcome to the UTM Community!

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Wesley van den Brink over 3 years ago in reply to BAlfson

Thanks Bob

Require TLS Neg Sender Domains are only domain names no wildcard.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Wesley van den Brink

And, what happens if you put "Any" in '... Sender Domains'?

TLS v1.2 is required in the EU, so, depending on your organization's correspondents, you may not need to worry about this. In the USA, I see many domains that aren't at 1.2.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Wesley van den Brink over 3 years ago in reply to BAlfson

Anyipv4 and ipv6 are in now, problem is stil there.
At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.

Technical details:

Mail server (MX) Affected parameters Security level

- DH-2048 insufficient

And this one:

Verdict:

At least one of your mailservers does not enforce its own cipher preference ('I').
Technical details:

Mail server (MX) First found affected cipher pair

- None
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Wesley van den Brink

Ahhh, I didn't read closely enough. I guess your TLS certificate is the problem. You can generate a new one with a 4096-bit key to replace the one you're currently using. Better luck with that, Wesley?

Cheers - Bob
Cancel
Vote Up +1 Vote Down

Cancel
0 Wesley van den Brink over 3 years ago in reply to BAlfson

Put in a 4096 Bits certificate but same error message (2048 is generally aproved and a valid one, but we could always try)

After using the new cert a reboot was done.

Warning:

Mail server (MX) First found affected cipher Status

mx.*****.nl. AES256-GCM-SHA384
phase out

Errors:

At least one of your mailservers does not enforce its own cipher preference ('I').

Technical details:

Mail server (MX) First found affected cipher pair

mx.*****.nl. None

Verdict:

At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.

Technical details:

Mail server (MX) Affected parameters Security level

mx.*****.nl. DH-2048 insufficient

When i check the test on the sophos.com domain i see the same errors are there.

So i would think its a default setting from the Sophos UTM 9
Cancel
Vote Up 0 Vote Down

Cancel

Mail server (MX)	Affected parameters	Security level
-	DH-2048	insufficient

Mail server (MX)	First found affected cipher pair
-	None

Mail server (MX)	First found affected cipher	Status
mx.*****.nl.	AES256-GCM-SHA384	phase out

Mail server (MX)	First found affected cipher pair
mx.*****.nl.	None

Mail server (MX)	Affected parameters	Security level
mx.*****.nl.	DH-2048	insufficient

Reply

0 Wesley van den Brink over 3 years ago in reply to BAlfson

Put in a 4096 Bits certificate but same error message (2048 is generally aproved and a valid one, but we could always try)

After using the new cert a reboot was done.

Warning:

Mail server (MX) First found affected cipher Status

mx.*****.nl. AES256-GCM-SHA384
phase out

Errors:

At least one of your mailservers does not enforce its own cipher preference ('I').

Technical details:

Mail server (MX) First found affected cipher pair

mx.*****.nl. None

Verdict:

At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.

Technical details:

Mail server (MX) Affected parameters Security level

mx.*****.nl. DH-2048 insufficient

When i check the test on the sophos.com domain i see the same errors are there.

So i would think its a default setting from the Sophos UTM 9
Cancel
Vote Up 0 Vote Down

Cancel

Mail server (MX)	First found affected cipher	Status
mx.*****.nl.	AES256-GCM-SHA384	phase out

Mail server (MX)	First found affected cipher pair
mx.*****.nl.	None

Mail server (MX)	Affected parameters	Security level
mx.*****.nl.	DH-2048	insufficient

Children

0 BAlfson over 3 years ago in reply to Wesley van den Brink

So, it's the cert at mx.*****.nl. What happens if you change that?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Wesley van den Brink over 3 years ago in reply to BAlfson

Hi Bob,

Allready changed the certificate for a 4096 bit but stil the same errors.

I contacted our certificate supplier but they are saying that its not the certificate but it need to be change on the UTM.

Their translated message:

Furthermore, the links you send are aimed at the Cipher Suites and/or Protocols that are used. This is not something that can be set on the certificate, but this is done at the server level. It is best to contact the supplier of the product for any adjustments.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Wesley van den Brink

OK, Wesley, my last guess. What happens if you temporarily put "Any" in ' Require TLS Negotiation Hosts/Nets'? If that doesn't do it, it's time to open a case with Sophos Support.

Thanks for the link to www.internet.nl/mail/{domain} - great tool!

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Wesley van den Brink over 3 years ago in reply to BAlfson

Hi Bob,

This was the first thing we tried ;)

Any4 and Any6 are listed.
Cancel
Vote Up 0 Vote Down

Cancel
0 Wesley van den Brink over 3 years ago in reply to BAlfson

How can i open a support ticket?

When i try to make a ticket i get the following message:

https://3.id.sophos.com/token_proxy

Registration Request - Action Required

Thank you for your registration request. Unfortunately, we are not able to process your request at this time without further information. Please contact the team to help get this resolved. In the meantime you can still access many of our self-service resources like the Sophos Community, product documentation, knowledge base, and Sophos Techvids.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 3 years ago in reply to Wesley van den Brink

Hoi Wesley,

Since you're in Europe, if you don't have Premium Support, I think your reseller has to open a ticket for you. I'm in North America and that's not the case here.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Cipher order and Key exchange parameters

Top Replies

Technical details:

Verdict:

Technical details:

Technical details:

Technical details:

Technical details: