Dovecot

  • Service: Dovecot (IMAP and POP3)
  • Ports (SSL): 993, 995
  • Ports (non-SSL): 143, 110

In WHM → Home → Service Configuration → Mailserver Configuration, scroll down to the bottom and select “Use Default Values” to populate the SSL ciphers and protocols.  Also check that this setting is set as follows:

Allow Plaintext Authentication (from remote clients) = No

I don’t use POP3 (port 995), so I’ve disabled it on my server.  If you keep getting clients who inadvertently connect over POP3 and end up deleting their email off the server, and you have no other reason to keep it enabled, it’s simple enough to disable it there in the Mailserver Configuration: just uncheck it.

Also go to WHM → Home → Service Configuration → Service Manager and disable POP3 there.  Don’t forget to close port 995 in the ConfigServer Firewall.

Check to make sure TLS 1.0 and 1.1 have been disabled.  Only a TLSv1.2 section should appear in the output; a TLSv1.0 or TLSv1.1 section would mean the old protocols are still being offered:

anna@xps:~$ nmap miss.annahost.org -p 993 --script ssl-enum-ciphers

Starting Nmap 7.01 ( https://nmap.org ) at 2018-06-23 19:46 CDT
Nmap scan report for miss.annahost.org (162.246.58.251)
Host is up (0.045s latency).
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.87 seconds
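As an added example (not part of the original post), here is a small Python script that parses nmap’s ssl-enum-ciphers output and reports a failure if any deprecated protocol version is offered, if any cipher is graded worse than A, or if no TLS section was found at all.  It embeds the scan output above as the passing case plus a constructed sample (not a real scan) of a server still offering TLS 1.0 with a 3DES suite as the failing case.  The `scan()` helper that shells out to the same nmap command is an assumption about your environment (nmap on PATH) and is not exercised offline.

```python
import re
import subprocess

# Scan output copied from the post above: a host offering TLS 1.2 only.
NMAP_CLEAN = """\
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A
"""

# Constructed sample (not a real scan) of a server that still offers TLS 1.0
# together with a 3DES suite, to show what the audit flags.
NMAP_LEGACY = """\
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: C
"""

# Protocol header lines look like "|   TLSv1.2: "; cipher lines look like
# "|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A".
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1(?:\.\d)?):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

# Versions that must not be offered on the mail ports.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_ssl_enum_ciphers(output):
    """Map each protocol version nmap found to its list of (cipher, key_info, grade)."""
    protocols = {}
    current = None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            protocols[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            protocols[current].append((m.group(1), m.group(2), m.group(3)))
    return protocols


def audit(output, min_grade="A"):
    """Return (ok, findings). ok is False if a deprecated version is offered,
    any cipher grades worse than min_grade, or no TLS data was found at all."""
    findings = []
    protocols = parse_ssl_enum_ciphers(output)
    if not protocols:
        findings.append("no ssl-enum-ciphers section found (closed port or TLS not offered)")
    for proto in sorted(protocols):
        if proto in DEPRECATED:
            findings.append(f"deprecated protocol offered: {proto}")
        for cipher, _key_info, grade in protocols[proto]:
            if grade > min_grade:  # nmap grades A..F; a later letter is weaker
                findings.append(f"{proto} {cipher} graded {grade}")
    return (not findings, findings)


def scan(host, port):
    """Run the same nmap command as in the post and return its text output.
    Assumes nmap is installed and on PATH (hypothetical helper, not run offline)."""
    cmd = ["nmap", host, "-p", str(port), "--script", "ssl-enum-ciphers"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label, text in (("clean host", NMAP_CLEAN), ("legacy host", NMAP_LEGACY)):
        ok, findings = audit(text)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run it after each configuration change, or feed `audit(scan("mail.example.org", 993))` into a cron job so a regression (for example a cPanel update that re-enables an older protocol) is caught rather than discovered by a client.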