Tuning ciphers and TLS

Technical overview of cipher suites:
https://en.wikipedia.org/wiki/Cipher_suite

Mozilla’s intermediate (default) and modern compatibility list:
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
in yellow: intermediate; in green: modern
Test with https://www.immuniweb.com/ssl/ (add also port :587) and https://en.internet.nl.
!DH: at the beginning of the string can switch off Diffie-Hellman key exchange.
Strong ciphers as suggested on https://cipherli.st can undesirably disable TLSv1.0 and TLSv1.1.

CustomBuild writes configuration in DirectAdmin in CentOS by:
# cd /usr/local/directadmin/custombuild
(# ./build set dovecot_conf yes) (default Dovecot configuration instead of CustomBuild configuration)
(# ./build set ssl_configuration old) (CustomBuild ssl_configuration from default ‘intermediate’ to ‘old’)
# ./build update
# ./build update_versions
# ./build rewrite_confs
# ./build exim_conf
# ./build dovecot_conf
writing to
/etc/httpd/conf/extra/httpd-ssl.conf
/etc/nginx/nginx-defaults.conf
/etc/dovecot/conf/ssl.conf

How to maintain SSL ciphers in plugin CustomBuild in DirectAdmin in CentOS:
Web server:
# cp /usr/local/directadmin/custombuild/configure/ap2/conf/extra/httpd-ssl.conf /usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-ssl.conf
# cp /usr/local/directadmin/custombuild/configure/nginx/conf/nginx-defaults.conf /usr/local/directadmin/custombuild/custom/nginx/conf/nginx-defaults.conf
# cp /usr/local/directadmin/custombuild/configure/nginx_reverse/conf/nginx-defaults.conf /usr/local/directadmin/custombuild/custom/nginx_reverse/conf/nginx-defaults.conf
Email POP3 / IMAP:
# vi /etc/dovecot/conf.d/options.conf (such a .conf file for customization must exist for configuration)
or having default Dovecot configuration ‘yes’ into ‘no’ in order to use CustomBuild:
# cp /usr/local/directadmin/custombuild/configure/dovecot/conf/ssl.conf /usr/local/directadmin/custombuild/custom/dovecot/conf/ssl.conf
Note: email clients using SSLv3 / TLSv1.0, still exist.
Email incoming / outbound:
# vi /etc/exim.variables.conf.custom
openssl_options=+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +no_compression +cipher_server_preference
tls_require_ciphers=!DH:[keep your default ciphers here]
1. If customized for transport to an mail service on another server, check if this was correctly put in included files.
2. Use the stable button within CB’s ‘Update Software Configuration’ to compose Exim configuration.
3. If necessary, rebuild Exim within CB’s ‘Build Software’ menu.
4. Do not prioritize using ‘==’ and do not paste spaces such as ‘ = ‘.
5. Avoid a customized file in CustomBuild: /usr/local/directadmin/custombuild/custom/exim/exim.conf.

SSL ciphers in Plesk in CentOS are located in:
/etc/httpd/conf.d/ssl.conf
/etc/nginx/conf.d/ssl.conf
/etc/postfix/main.cf
/etc/dovecot/conf.d/11-plesk-security-ssl.conf

Workaround to rewrite ciphers in Plesk (in case of HTTP/2):
# plesk bin http2_pref disable
# plesk bin http2_pref enable
And restart services.