Author Archives: Dave Warren (everything-mdaemon.com)

Disabling weak SSL protocols and ciphers

Posted on by No Comments ↓

MDaemon relies upon Windows to provide SSL services. This includes modern SSL versions as well as some older, less secure protocols and cyphers. You can modify the Windows registry to increase the security of your SSL implementation, at the cost that very old clients may have issues.

To disable protocols PCT1 and SSL2.0, use the Disable-PCT-1.0-SSL-2.0-and-weak-ciphers.reg file available in RAR or ZIP format. Note that the RAR has an authenticity verification signature, signed by Dave Warren and should not be used if this signature is missing.

The contents of the .REG are located below, be aware that some word-wrap issues might occur. Please use the RAR or ZIP downloads above.

To disable PCT 1.0 and SSL 2.0:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

And to remove weak ciphers:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]

Please be sure to create a full backup of your system before proceeding, modifying the Windows Registry can be dangerous and can result in unexpected behaviours.

rfc-ignorant.org ceasing operation – Remove from your configuration

Posted on by No Comments ↓

Please see http://rfc-ignorant.org/endofanera.php for details.

While I never personally used their services, or found any real value, thanks to RFC-Ignorant for their services over the years.

Users of modern MDaemon releases don’t need to modify SpamAssassin, just ensure that your spam filter updates are enabled and the rules will automatically be disabled as needed.

list.dsbl.org listing the world

Posted on by No Comments ↓

It appears that list.dsbl.org has started listing the world as of today. This list has been inactive for around 4 years now, so if you’re using it in MDaemon, please remove it from your MDaemon DNS-BL immediately.

While we’re on the topic, if you’re running an MDaemon version earlier than 12.5.0, please either upgrade or follow the instructions in this post from 2009 to remove DSBL lookups from SpamAssassin. MDaemon 12.5.0 and higher should not query this list from SpamAssassin.