I recently had email from a client who's 'friend' works for an independent pentester company.
In his report he flagged up the following;
Risk: Medium: TCP 443 / 993
The remote service supports the use of SSL ciphers that offer medium encryption strength; this is currently regarded as those with key length less than 112 bits.
Note: This particular attack is considerably easier to exploit if the attacker gained access to the LAN.
Reconfigure the service (if possible) to reject the use of medium strength ciphers.
Risk: Medium: TCP 993
The remote service by default uses SSL v3.0, which is known to have several cryptographic flaws. An attacker can exploit these flaws to conduct a man-in-the-middle attack between a client and server or simply decrypt the captured traffic afterwards with a modern machine to read the data sent.
Note: The use of SSL v3 is deemed by NIST as a no longer acceptable means
for secure communications. As of the date of enforcement, PCI DSS v3.1, any version of SSL will not meet the PCI SSC’s definitions of ‘strong cryptography’ and will result in a fail of PCI DSS requirements.
Consult the service’s documentation to disable the use of SSL and instead use TLS 1.1 as a minimum – However its successor TLS 1.2 is recommended.
Risk: Low: TCP 443 / 993
The remote service supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes, decreasing its randomness. If an attacker is able to capture many cipher texts, they could then derive the plaintext.
Reconfigure the service to reject RC4 cipher suites. Previous to above, consider upgrading to TLS1.2 with AES-GCM.
Risk: Low: TCP 443 / 993
The remote service supports the use of a block cipher with 64-bit blocks. This has been identified to be exploitable by a vulnerability known as SWEET32.
In academia proof-of-concepts have shown that an attacker can leverage this vulnerability in as little as 30 hours and recover cookies used to track logged in users. The attacker can then simply add these cookies to their browser and they will then be logged in as the user.
Reconfigure the service to reject the use of all 64-bit block ciphers.
I am certainly not qualified to form a response to the above however I have figured that so few of the staff ever used Horde or POP3S remotely I would disable those services in Server Manager and remove the port rules on the router [Ports 995 & 443]
The phone need IMAPS so that's a must however I am getting the settings for SMTP round my neck a bit... I have the MX record pointing at the WANIP and hence port 25 forwarded to SME.
In Server Manager > Email Settings > Email Reception > SMTP Authentication - if I 'Disable' does that prevent all external access thus preventing receiving mail from another MTA on 25? Would that also stop Outlook on the LAN sending to SME? In what scenario would the Secure SMTP only be used in?
Thanks in advance for some clarity on this