Hmmm, I don't get the logic of 'turning off ssl2' to increase security, so
then a client that can only use ssl2 has to use plain text, which is definitely
not as secure as ssl2.... :-) But anyway, it's a bit academic as old clients
that require ssl2 probably hardly exist anymore.
 
This setting will help with your score... (restart surgemail after
changing)
    G_SSL_DISABLE_SSLV2 "TRUE"
 
Once we have the new builds stable then an upgrade and some more settings
will get you a higher rating.  I suggest you wait until next week if you
don't have an immediate problem.
 
    ChrisP.
 
 
 
  When I run: 
   
  https://www.ssllabs.com/ssltest/index.html 
   
  on my SurgeMail server it gets an F grade. 
   
  It is running on a Windows server box and only Surgemail uses port 443 or SSL. 
   
  SurgeMail Version 6.5a-1, Built Sep 9 2013 12:52:22, Platform Windows
  (Surgeweb Enabled) 
   
   
  In particular, the test notes that: 
  * This server is not vulnerable to the Heartbleed attack. (Yay!) 
  * This server supports SSL 2, which is obsolete and insecure. Grade set to F. (Boo!) 
  * The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B. (Boo!) 
   
  Is there any way to harden SurgeMail to raise these ratings? A 
  Surgemail.ini setting or two? Or does it need a new build? 
   
  Thanks 
  Neil 
   
  -- 
  Neil Herber