Resolving MS15-055 on cPanel Servers


If you’re a hosting provider with cPanel servers that were set up prior to version 11.46, you may be hearing from customers using Outlook ever since Microsoft released MS15-055 on May 12. This Outlook update prevents the client from connecting to a POP or IMAP server whose Diffie-Hellman (DH) keys are less than 1024 bits in length.

By default, these keys are not regenerated on a regular basis, so if your server was set up prior to 11.46 and you are using Courier, your DH keys are probably either 512 or 768 bits, and Outlook clients that have the update applied will no longer be able to receive email. The simple fix is to regenerate the key.

Courier

  1. Edit /usr/lib/courier-imap/share/mkdhparams and change the value of $BITS to 2048. If you’re already on cPanel 11.46 or higher, you may not need to make this change.
  2. Run the same script: /usr/lib/courier-imap/share/mkdhparams
  3. Restart both courier-imap and courier-authlib.
  4. The user may need to restart Outlook on their end to be able to connect after this change is made.

On step #2, you should see the key regenerating, and it can take up to 1-2 minutes to complete. If you run the script and it immediately exits, it is most likely because the key file (/usr/lib/courier-imap/share/dhparams.pem) is less than 25 days old, and the script is written to skip regeneration in that case. If so, simply delete the key file and re-run the script.

You can test the key size with the following command:

[root@server ~]# openssl dhparam -inform PEM -in /usr/lib/courier-imap/share/dhparams.pem -text
 PKCS#3 DH Parameters: (2048 bit)
 prime:
<removed>
 generator: 2 (0x2)
-----BEGIN DH PARAMETERS-----
<removed>
-----END DH PARAMETERS-----

You can easily add a cron job to run the mkdhparams script every month to make sure your key stays up to date. To do this, create a file called /etc/cron.monthly/courier_dhparams.cron with the following contents:

#!/bin/sh

/usr/lib/courier-imap/share/mkdhparams

Make sure the script has executable permissions, and reload crond.
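As an added example (not from the original post, and not part of Courier or cPanel), here is a small POSIX sh script that parses the openssl output shown above, reports whether the Courier DH parameters meet the 1024-bit minimum, and only then deletes and regenerates them with mkdhparams, which avoids the 25-day skip described earlier. It assumes openssl is on PATH; the file and script paths are the Courier defaults from this post and can be overridden through the DHPARAMS and MKDHPARAMS environment variables.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks whether a PEM DH
# parameter file meets the MS15-055 minimum and regenerates it if it does not.
# Assumptions: openssl is on PATH; paths are the Courier defaults from the post.

DHPARAMS="${DHPARAMS:-/usr/lib/courier-imap/share/dhparams.pem}"
MKDHPARAMS="${MKDHPARAMS:-/usr/lib/courier-imap/share/mkdhparams}"
MIN_BITS=1024   # updated Outlook refuses DH groups shorter than this

# Parse the bit length out of "openssl dhparam -text" output read on stdin,
# e.g. "    PKCS#3 DH Parameters: (2048 bit)" -> 2048. Prints nothing if absent.
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Classify a bit count: "ok" (>= MIN_BITS), "weak" (a number below it),
# or "unknown" (empty or non-numeric, i.e. the file could not be parsed).
dh_verdict() {
    case "$1" in
        ''|*[!0-9]*) echo unknown ;;
        *) if [ "$1" -ge "$MIN_BITS" ]; then echo ok; else echo weak; fi ;;
    esac
}

# Run openssl on a parameter file and print its verdict.
dh_file_verdict() {
    if [ -r "$1" ]; then
        dh_verdict "$(openssl dhparam -in "$1" -text -noout 2>/dev/null | dh_bits_from_text)"
    else
        echo unknown
    fi
}

# Regenerate only when needed. mkdhparams skips files under 25 days old, so a
# weak or unreadable file is removed first to force a fresh 2048-bit group.
fix_courier_dh() {
    case "$(dh_file_verdict "$DHPARAMS")" in
        ok) echo "DH parameters already >= $MIN_BITS bits, nothing to do"; return 0 ;;
        *)  rm -f "$DHPARAMS" && "$MKDHPARAMS" ;;
    esac
}
```

Call fix_courier_dh as root after sourcing the script, then restart courier-imap and courier-authlib as in step 3; dh_file_verdict alone is a safe read-only check for monitoring.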

Dovecot

  1. Edit /etc/pki/dovecot/dovecot-openssl.cnf and change default_bits to 2048.
  2. Delete /var/lib/dovecot/ssl-parameters.dat.
  3. Run /usr/libexec/dovecot/ssl-params.
  4. Restart dovecot.

To force Dovecot to regenerate the key on a regular basis, do the following:

Edit /var/cpanel/conf/dovecot/main. Add (or change, if it already exists) the following line:

ssl_parameters_regenerate: "30d"

Save the file. Now do the following:

cd /var/cpanel/templates/dovecot2.2

cp main.default main.local

Open main.local in a text editor and find the following line:

ssl_parameters_regenerate = [% ssl_parameters_regenerate %]

Under the [%- END %] block for this parameter, add:

ssl_dh_parameters_length = 2048

Then run /scripts/builddovecotconf and restart Dovecot. Keep in mind that generating the parameters takes some time, so you don’t want this to run too often.
