
Issue TLS versions and ciphers by Mozilla, issue with the last synchronisation

MicheleB

Regular Pleskian
This evening I tried to update the "TLS versions and ciphers by Mozilla" by clicking on "Sync now" and I received this message:
"The preset versions can differ among the services because not all services support the latest version."

After a few minutes I received the alert that the SMTP service of the cloud server is down.
How can I fix it?
Is it necessary to disable "TLS versions and ciphers by Mozilla"?
Thanks.
 
Unlike what I said before, the outgoing mail service works.
The only error that I get is from Pingdom, where the SMTP monitoring service for port 587 has returned an error since I clicked on "Sync now".
 
After I configured a new Plesk server and used these modern ciphers, I got a complaint from a customer that he couldn't connect anymore with Outlook 2010.

It was due to these modern ciphers.

It was the first time that I restricted ciphers using Plesk
I've been restricting ciphers before, but I always did this manually using a special config file placed in /etc/nginx/conf.d

The "Plesk method" has no separate settings for mail and web

You can, easily, restrict access of older web browsers, but it can be a problem for some clients using old, paid for, mail clients.
As we are also the ones selling them those mail clients, these customers can become suspicious of our intentions to restrict their access.

Plesk should fix their cipher settings and make it separate for web and mail
 
This evening I've tried to update the "TLS versions and ciphers by Mozilla"....
FWIW, we don't use this part of the SSL It extension. Mozilla has all the information / specifications / tools that are needed here: Security/Server Side TLS - MozillaWiki and Plesk already has this function via CLI: How to enable or disable TLS protocol versions in Plesk for Linux? (TLS & Ciphers)

Or, you can manually configure each individual ssl.conf file as/when you need to: apache2 / dovecot / nginx / postfix / proftpd / sw-cp-server. However, if you do this, for example with Dovecot: etc/dovecot/conf.d/11-plesk-security-ssl.conf but then... use different ciphers than those that were already configured and/or that you've subsequently configured for the default Plesk values, then AFAIK** it definitely was the case with Onyx 17.8.11, on the next Obsidian Release, the default Plesk values will always take precedence and modify those ssl.conf files so that they do match again. If they do match anyway (which has always been the case for us in Obsidian) then no conf.ssl files are changed.

Having the freedom of choice and configurable options that stay constant, regardless of upgrades, for different services, is why this:
...Plesk should fix their cipher settings and make it separate for web and mail
is definitely needed, as it would make things a LOT easier, for everyone.

**Ref Upgrade: Tune Plesk to Meet PCI DSS on Linux
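
Added example (not part of the thread and not Plesk code): a small audit of the TLS protocol versions each service's config permits, which makes the "versions can differ among the services" warning and the web-versus-mail concern above concrete. The config snippets are constructed, the function names are hypothetical, and only protocol versions are checked, not cipher lists.

```python
import re

TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed snippets, not copied from a real server: web and IMAP are
# restricted to TLS 1.2+, while SMTP only bans SSLv2/SSLv3.
SAMPLE = {
    "nginx": "ssl_protocols TLSv1.2 TLSv1.3;\n",
    "apache2": "SSLProtocol -all +TLSv1.2 +TLSv1.3\n",
    "dovecot": "# ssl_min_protocol = TLSv1\nssl_min_protocol = TLSv1.2\n",
    "postfix": "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3\n",
}

def _value(text, directive):
    """Value of the last uncommented `directive` line, or None if absent."""
    pat = rf"^[ \t]*{re.escape(directive)}(?:[ \t]*=[ \t]*|[ \t]+)([^;#\n]+)"
    hits = re.findall(pat, text, re.M)
    return hits[-1].strip() if hits else None

def allowed_versions(service, text):
    """TLS versions the config permits, using each daemon's own directive."""
    if service == "nginx":      # space-separated allow list
        val = (_value(text, "ssl_protocols") or "").split()
        return [v for v in TLS_ORDER if v in val]
    if service == "apache2":    # +/- tokens applied left to right
        allowed = set()
        for tok in (_value(text, "SSLProtocol") or "").split():
            name = tok.lstrip("+-")
            names = TLS_ORDER if name.lower() == "all" else [name]
            op = allowed.difference_update if tok.startswith("-") else allowed.update
            op(names)
        return [v for v in TLS_ORDER if v in allowed]
    if service == "dovecot":    # single floor value
        val = _value(text, "ssl_min_protocol")
        return TLS_ORDER[TLS_ORDER.index(val):] if val in TLS_ORDER else []
    if service == "postfix":    # "!"-prefixed exclusions; no directive = no bans
        val = _value(text, "smtpd_tls_mandatory_protocols") or ""
        banned = {t[1:] for t in re.split(r"[,\s]+", val) if t.startswith("!")}
        return [v for v in TLS_ORDER if v not in banned]
    raise ValueError(f"unknown service: {service}")

def rejecting_services(configs, client_max):
    """Services sharing no TLS version with a client capped at client_max."""
    client = set(TLS_ORDER[: TLS_ORDER.index(client_max) + 1])
    return sorted(s for s, t in configs.items()
                  if not client & set(allowed_versions(s, t)))

if __name__ == "__main__":
    print("rejects a TLS 1.0-only client:", rejecting_services(SAMPLE, "TLSv1"))
```

Running the same check on the real ssl.conf contents before and after a change shows which services would stop accepting an older client.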
 