In our internal alpha version we added the ability to have user-configurable cipher lists, which will allow you to obtain much higher security, as in the sample report below. We're still working to add PFS support, but are not there yet - there are good chances we'll be able to meet your deadline, but I cannot say for certain at this point.
#########################################################
testssl.sh v2.2 (https://testssl.sh)
($Id: testssl.sh,v 1.151 2014/12/08 09:32:50 dirkw Exp $)
This program is free software. Redistribution +
modification under GPLv2 is permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Note: you can only check the server with what is
available (ciphers/protocols) locally on your machine!
#########################################################
Using "OpenSSL 1.0.2a 19 Mar 2015" from
cmctrf2.local:/usr/local/bin/openssl
(built: "reproducible build, date unspecified", platform: "darwin64-x86_64-cc")
Testing now (2015-04-29 16:00) ---> 10.211.55.7:25 (10.211.55.7) <---
rDNS (10.211.55.7): -
Couldn't determine what's running on port 25, assuming not HTTP
--> Testing Protocols
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLSv1 offered (OK)
TLSv1.1 offered (OK)
TLSv1.2 offered (OK)
--> Testing standard cipher lists
Null Cipher not offered (OK)
Anonymous NULL Cipher not offered (OK)
Anonymous DH Cipher not offered (OK)
40 Bit encryption not offered (OK)
56 Bit encryption Local problem: No 56 Bit encryption configured in /usr/local/bin/openssl
Export Cipher (general) not offered (OK)
Low (<=64 Bit) not offered (OK)
DES Cipher not offered (OK)
Triple DES Cipher offered
Medium grade encryption not offered
High grade encryption offered (OK)
--> Testing server defaults (Server Hello)
Negotiated protocol TLSv1.2
Negotiated cipher AES256-GCM-SHA384
Server key size 2048 bit
TLS server extensions renegotiation info, session ticket, heartbeat
Session Tickets RFC 5077 300 seconds
OCSP stapling not offered
--> Testing specific vulnerabilities
Renegotiation (CVE 2009-3555) Patched Server detected (0,1), probably ok
CRIME, TLS (CVE-2012-4929) not vulnerable (OK) (not using HTTP anyway)
--> Testing all locally available ciphers against the server
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits
-------------------------------------------------------------------------
x9d AES256-GCM-SHA384 RSA AESGCM 256
x3d AES256-SHA256 RSA AES 256
x35 AES256-SHA RSA AES 256
x84 CAMELLIA256-SHA RSA Camellia 256
x9c AES128-GCM-SHA256 RSA AESGCM 128
x3c AES128-SHA256 RSA AES 128
x2f AES128-SHA RSA AES 128
x41 CAMELLIA128-SHA RSA Camellia 128
x0a DES-CBC3-SHA RSA 3DES 168
--> Checking RC4 Ciphers
no RC4 ciphers detected (OK)
--> Testing (Perfect) Forward Secrecy (P)FS) -- omitting 3DES, RC4 and Null Encryption here
No PFS available
Done now (2015-04-29 16:00) ---> 10.211.55.7:25 (10.211.55.7) <---