Configuring SSL/TLS in Kerio Connect

NOTE

New in Kerio Connect 8.5!

Kerio Connect allows you to enable or disable specific security protocols and cipher sets manually for:

  • Kerio Connect server in general
  • SMTP services separately (for SMTP on port 25 and SMTPS on port 465)

You might need to adjust the security settings when a flaw in a security protocol is found or to get a good security rating for your server. (You can test your server, for example, at Qualys SSLlabs test site).

Changing the SSL/TLS configuration

Kerio Connect uses different variables for the SSL/TLS protocols configuration. To change the configuration:

  1. Stop the Kerio Connect engine.
  2. Open the configuration file mailserver.cfg for editing. For more information refer to Configuration files.
  3. Change the settings in the Security or SmtpSecurity sections. See the list of variables below.
  4. Save the file.
  5. Start Kerio Connect.

Resetting the SSL/TLS configuration

To reset the SSL/TLS configuration in the configuration file:

  1. Stop the Kerio Connect engine.
  2. Open the configuration file mailserver.cfg for editing. For more information refer to Configuration files.
  3. Delete any variable in the Security or SmtpSecurity sections.
  4. Save the file.
  5. Start Kerio Connect.

Kerio Connect sets the default values of all the SSL/TLS variables.

OpenList of ciphers

It is recommended to use only strong ciphers suites to ensure compliance with various compliance standards.

Here is a list of strong ciphers available:

Strong ciphers (Recommended)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

Here is a list of weak ciphers. These ciphers are not recommended for compliance:

Weak Ciphers
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

OpenList of variables

Kerio Connect uses eight variables for the SSL/TLS protocols configuration.

AllowEphemeralDH

NOTE

Changed in Kerio Connect 9.0.2!

The default value, 1, enables the use of DHE (Ephemeral Diffie-Hellman) for key exchange.

The server generates a random ephemeral public key for each session so that attackers cannot decipher past sessions (this is also called forward secrecy).

NOTE

This variable replaces DisableEphemeralDH in Kerio Connect 9.0.0 and 9.0.1. Set the DisableEphemeralDH to 0 to enable the use of DHE.

EphemeralDHParamSize

NOTE

New in Kerio Connect 9!

The default value, 0, sets the size of DHE to 2048 (1024 for SMTP services). Make sure the DisableEphemeralDH is enabled.

You can change the default value to 10242048, or 4096

AllowEphemeralECDH

The default value, 1, enables ECDHE for key exchange.

The server generates a random ephemeral public key for each session so that attackers cannot decipher past sessions. ECDHE is more efficient than DHE and uses shorter keys.

SSLDontInsertEmptyFragments

The default value, 1, disables the OpenSSL workaround for the CVE-2011-3389 vulnerability.

If you set the variable to 0, some older implementations of SSL may not connect to Kerio Connect servers.

ServerTlsProtocols

In this variable, you can change the SSL/TLS protocols used by Kerio Connect.

Leave the variable empty to use a default set of SSL/TLS protocols: TLSv1,TLSv1.1,TLSv1.2

To use a custom set of protocols, list the protocol names, separated by commas, in the variable.

For example: <variable name="ServerTlsProtocols">SSLv3,TLSv1,TLSv1.1,TLSv1.2</variable>

ServerTlsCiphers

In this variable, you can change the cipher list used by Kerio Connect.

Leave the variable empty to use a default cipher list: AESGCM:HIGH:+EDH-RSA-DES-CBC3-SHA:+EDH-DSS-DES-CBC3-SHA:+DES-CBC3-SHA

To use a custom cipher list, type the cipher list in the variable.

For the full syntax of cipher lists, see the OpenSSL website.

ClientTlsProtocols

In this variable, you can change the SSL/TLS protocols used when Kerio Connect acts as a client, for example, when sending messages via the SMTP protocol.

Leave the variable empty to use a default set of SSL/TLS protocols: TLSv1,TLSv1.1

To use a custom set of protocols, list the protocol names, separated by commas, in the variable.

For example: <variable name="ClientTlsProtocols">SSLv3,TLSv1,TLSv1.1,TLSv1.2</variable>

ClientTlsCiphers

In this variable, you can change the client cipher list.

Leave the variable empty to use a default cipher list.

To use a custom cipher list, type the cipher list in the variable.

For the full syntax of cipher lists, see the OpenSSL website.

PreferServerCipherOrder

The default value, 1, allows Kerio Connect decide which cipher set to use regardless of the client preferences.

  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

Securing Kerio Connect

You can secure your Kerio Connect by: Restricting communication on firewall to necessary...

Configuring anti-spoofing in Kerio Connect

About Anti-spoofing Spammers can "spoof" your email address and pretend their messages are...

Password policy in Kerio Connect

To secure users and their passwords in Kerio Connect: Advise users to create strong...

Authenticating messages with DKIM

DomainKeys Identified Mail (DKIM) signs outgoing messages from Kerio Connect with a special...

Configuring DNS for DKIM

Adding a DKIM record to your DNS The process of adding a DKIM record to your DNS may vary...