Different security level on port 465 vs port 993 ?

Discussion in 'Installation/Configuration' started by Georg_Forge, Dec 8, 2025 at 11:26 PM.

  1. Georg_Forge

    Georg_Forge New Member

    The protection of my email password is very important to me. The password is transmitted, for example, on port 993 (IMAP) and on port 465 (SMTP).

    The default configuration in ISPConfig for port 993 is state-of-the-art. (Only the preferred order of the cipher is missing.)

    However, on port 465 very weak ciphers are active, in particular also TLS 1.0 and TLS 1.1.

    Thanks to the custom config function of ISPConfig it was easy to enhance the security of my own mailserver.
    I save two files inside the following path:
    /usr/local/ispconfig/server/conf-custom/install/

    Code:
    dovecot_custom.conf.master:
    ssl_prefer_server_ciphers = yes

    Code:
    postfix_custom.conf.master:
    tls_preempt_cipherlist = yes
    smtpd_tls_mandatory_protocols = >=TLSv1.2
    smtpd_tls_mandatory_ciphers = high
    tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

    The configuration for other ports with STARTTLS, like port 25, is unchanged.

    I would like to see this as default in ISPConfig.
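
    A small audit script for the settings discussed in this post, added here as an example (it is not ISPConfig's or Postfix's code). It parses main.cf-style text, works out which legacy protocols a Postfix protocol spec still permits (both the ">=TLSv1.2" form and the "!SSLv2, !SSLv3" list form), and flags the cipher and preference settings. The parameter names are real Postfix ones; the "weak" fragment is constructed, the "hardened" one is the postfix_custom.conf.master content from above.

```python
"""Audit the TLS parameters Postfix applies on its implicit-TLS port (465).

Added example, not ISPConfig's or Postfix's own code. Parameter names are the
real Postfix main.cf ones; the two configuration fragments are constructed.
"""
import re

PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = set(PROTOCOL_ORDER[:4])                      # everything below TLS 1.2
FORWARD_SECRET = re.compile(r"^(ECDHE-|DHE-|TLS_)")  # (EC)DHE suites or TLS 1.3 names

# Constructed: a submission setup that still inherits permissive settings.
WEAK_MAIN_CF = """
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium
tls_high_cipherlist = AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384
"""

# The hardened values from the post above (postfix_custom.conf.master).
HARDENED_MAIN_CF = """
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
"""


def parse_main_cf(text):
    """Return {parameter: value} from 'key = value' lines, skipping blanks and comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def legacy_protocols_allowed(spec):
    """Return the legacy protocols a Postfix protocol spec still permits.

    Postfix accepts a minimum version (">=TLSv1.2") or an include/exclude list
    ("!SSLv2, !SSLv3" excludes those; "TLSv1.2, TLSv1.3" allows only those).
    """
    spec = spec.strip()
    if spec.startswith(">="):
        minimum = spec[2:].strip()
        return LEGACY & set(PROTOCOL_ORDER[PROTOCOL_ORDER.index(minimum):])
    tokens = [t for t in re.split(r"[,\s]+", spec) if t]
    included = {t for t in tokens if not t.startswith("!")}
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    return LEGACY & included if included else LEGACY - excluded


def audit(params):
    """Return a list of findings; an empty list means every checked setting is sound."""
    findings = []
    # A missing key means the package default applies, which we cannot see here.
    for key in ("smtpd_tls_mandatory_protocols", "smtpd_tls_mandatory_ciphers",
                "tls_preempt_cipherlist"):
        if key not in params:
            findings.append(f"{key} not set explicitly; the package default applies")
    if "smtpd_tls_mandatory_protocols" in params:
        weak = legacy_protocols_allowed(params["smtpd_tls_mandatory_protocols"])
        if weak:
            findings.append("legacy protocols still allowed: " + ", ".join(sorted(weak)))
    # The .get() fallbacks below only skip the value check when the key is absent
    # (already reported above); they are not Postfix's real defaults.
    if params.get("smtpd_tls_mandatory_ciphers", "high") != "high":
        findings.append("smtpd_tls_mandatory_ciphers is below 'high'")
    if params.get("tls_preempt_cipherlist", "yes") != "yes":
        findings.append("server cipher preference not enforced (tls_preempt_cipherlist)")
    non_pfs = [c for c in params.get("tls_high_cipherlist", "").split(":")
               if c and not FORWARD_SECRET.match(c)]
    if non_pfs:
        findings.append("suites without forward secrecy in tls_high_cipherlist: "
                        + ", ".join(non_pfs))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        result = audit(parse_main_cf(text))
        print(f"{label}: " + ("OK" if not result else "; ".join(result)))
```

    Run it against the output of `postconf -n` (or against your conf-custom template) to see which of the four settings still need attention; the hardened fragment from this post produces no findings.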
     
  2. remkoh

    remkoh Well-Known Member HowtoForge Supporter

    Don't blame ISPConfig for that, but the packages of the OS you are using.
    And the difference is probably caused by two different groups maintaining two totally different packages.

    Though I'm totally with you on customizing security using the tools provided by ISPConfig, that being conf-custom.
    I too use customized config, not only for mail but for websites too, to upgrade security and let my systems score 100% on internet.nl
     
    ahrasis likes this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    As mentioned by @remkoh, we use the defaults of the operating system and the packages you are using. You might want to contact its maintainer and not us if you'd like to see changes in their default settings.
     
    ahrasis and remkoh like this.
  4. Georg_Forge

    Georg_Forge New Member

    @remkoh
    I don't want to blame anyone.
    On the contrary, I'm very grateful for this wonderful package that perfectly meets my needs.

    @till
    Many configuration files come with the ISPconfig installation.

    e.g.
    ispconfig3_install\install\tpl\debian_postfix.conf.master

    Isn't the compilation of these individually customized config files precisely the reason that makes ISPConfig such a well-functioning overall package?
     
  5. pyte

    pyte Well-Known Member HowtoForge Supporter

    You can set a higher smtpd_tls_loglevel in postfix and check for yourself how many clients still use TLS 1.0/TLS 1.1 in your setup and then make a decision for you based on that. You can always edit the /usr/local/ispconfig/server/conf-custom/install/postfix_custom.conf.master template to make your custom postfix configuration upgrade safe.

    TLS 1.0/TLS 1.1 have long been end-of-life and should be removed some day, but you can easily do it for your setup right away.
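
    A way to do the measurement this post suggests, added here as an example (not ISPConfig's code and not from the thread). With smtpd_tls_loglevel set to 1 or higher, Postfix's smtpd logs one summary line per completed handshake ("... TLS connection established from host[ip]: TLSv1.2 with cipher ..."); the script below parses such lines, counts connections per protocol version for one listener, and lists the clients still negotiating anything below TLS 1.2. It assumes the port-465 listener is logged under the tag postfix/smtps/smtpd (the usual syslog_name in master.cf); adjust the service argument if yours differs. The log lines are constructed sample data.

```python
"""Count TLS protocol versions negotiated with Postfix smtpd, per listener.

Added example, not ISPConfig's code. The line shape is the one smtpd logs on
handshake completion (smtpd_tls_loglevel >= 1); the sample log is constructed.
"""
import re
from collections import Counter, defaultdict

# Summary line smtpd writes when a TLS session is established.
TLS_LINE = re.compile(
    r"postfix/(?P<service>[\w/-]+)\[\d+\]: "
    r"(?:Anonymous|Trusted|Untrusted|Verified) TLS connection established from "
    r"(?P<client>\S+): (?P<proto>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>\S+)"
)
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # everything below TLS 1.2

# Constructed sample: four port-465 handshakes, one port-25 handshake, one disconnect.
SAMPLE_LOG = """\
Dec  9 09:58:12 mail postfix/smtps/smtpd[2101]: Anonymous TLS connection established from phone.example.net[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Dec  9 09:58:40 mail postfix/smtps/smtpd[2102]: Anonymous TLS connection established from oldpc.example.net[198.51.100.9]: TLSv1 with cipher AES256-SHA (256/256 bits)
Dec  9 09:59:03 mail postfix/smtpd[2103]: Anonymous TLS connection established from mx.example.org[203.0.113.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec  9 09:59:30 mail postfix/smtps/smtpd[2104]: Anonymous TLS connection established from oldpc.example.net[198.51.100.9]: TLSv1 with cipher AES256-SHA (256/256 bits)
Dec  9 10:00:01 mail postfix/smtps/smtpd[2105]: Anonymous TLS connection established from laptop.example.net[198.51.100.12]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Dec  9 10:00:15 mail postfix/smtps/smtpd[2106]: disconnect from phone.example.net[198.51.100.7] ehlo=1 auth=1 quit=1 commands=3
"""


def summarize_tls(log_text, service="smtps/smtpd"):
    """Return (Counter of protocol -> handshakes, {legacy protocol: set of clients}).

    'service' selects the syslog tag after 'postfix/': 'smtps/smtpd' for the
    implicit-TLS listener (port 465, assumed naming), 'smtpd' for port 25,
    'submission/smtpd' for port 587.
    """
    by_proto = Counter()
    legacy_clients = defaultdict(set)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m or m.group("service") != service:
            continue
        proto = m.group("proto")
        by_proto[proto] += 1
        if proto in LEGACY:
            legacy_clients[proto].add(m.group("client"))
    return by_proto, dict(legacy_clients)


def legacy_share(by_proto):
    """Fraction of handshakes on a legacy protocol (0.0 when nothing was logged)."""
    total = sum(by_proto.values())
    if total == 0:
        return 0.0
    return sum(n for p, n in by_proto.items() if p in LEGACY) / total


if __name__ == "__main__":
    counts, legacy = summarize_tls(SAMPLE_LOG)
    for proto, n in sorted(counts.items()):
        print(f"{proto:8} {n}")
    print(f"legacy share: {legacy_share(counts):.0%}")
    for proto, clients in legacy.items():
        print(f"{proto}: " + ", ".join(sorted(clients)))
```

    Feed it the real mail log (for example `python3 tls_summary.py < /var/log/mail.log` with a small stdin wrapper) over a week or two; if the legacy client set is empty, the `>=TLSv1.2` change from the first post costs nothing, and if it is not, the list tells you which clients to update first.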
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig changes config files only when this is required to make a service work. If it's not required, as is the case here, it uses the defaults. And if you don't like the defaults that the package maintainer has chosen, you are free to set your own custom config or contact the maintainer of the package and ask him to adjust the defaults.

    It is functioning well currently, so no need for changes; we use the OS defaults. If you don't like the OS defaults, contact the maintainer of the packages, as I mentioned already. And to be honest, do you really think you or your server are so important that someone would take the effort to invest the resources into breaking a TLS 1.0 or TLS 1.1 connection when you deliver an email to your server, and you are secure only by using TLS 1.2?
     
    Last edited: Dec 9, 2025 at 10:00 AM
    ahrasis and remkoh like this.
