The Encryption Management Server Proxy service accepts SMTP connections over TLS using the DES-CBC3-SHA cipher. This is a Triple DES cipher and is not high-grade. However, if the sending server is configured to use only high-grade ciphers, the Proxy service accepts the AES256-GCM-SHA384 cipher.
The Proxy service also uses the DES-CBC3-SHA cipher by default when it connects to another mail server, provided the receiving mail server is configured to allow that cipher. If the receiving server accepts only high-grade ciphers, the Proxy service uses the ECDHE-RSA-AES256-GCM-SHA384 cipher.
Symantec Encryption Management Server 3.4.2 and above.
To mitigate the impact of this issue, ensure that the mail servers that Encryption Management Server proxies from and to use only high-grade ciphers.
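One way to check that mitigation on a mail server you administer, as an added example that is not part of the original article or any Broadcom tooling: it offers the server only DES-CBC3-SHA over STARTTLS and reports whether the handshake completes. The function names, result labels and the port 25 default are assumptions of this example.

```python
import smtplib
import ssl

def is_triple_des(cipher_name):
    """True if an OpenSSL cipher-suite name denotes a Triple DES suite."""
    name = cipher_name.upper()
    return "DES-CBC3" in name or "3DES" in name

def triple_des_only_context():
    """Client context offering nothing but DES-CBC3-SHA, or None when the
    local OpenSSL build has 3DES compiled out (common on current systems)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # cipher probe only: no mail is sent,
    ctx.verify_mode = ssl.CERT_NONE  # so the certificate is not evaluated
    # set_ciphers() does not govern TLS 1.3 suites, so cap the version.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("DES-CBC3-SHA")
    except ssl.SSLError:
        return None
    return ctx

def probe(host, port=25, timeout=10):
    """Return 'accepts-3des', 'rejects-3des', 'no-starttls', 'untestable'
    or 'error' for one mail server (labels are this example's own)."""
    ctx = triple_des_only_context()
    if ctx is None:
        return "untestable"          # run from a host whose OpenSSL has 3DES
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            negotiated = smtp.sock.cipher()[0]
            return "accepts-3des" if is_triple_des(negotiated) else "rejects-3des"
    except ssl.SSLError:
        return "rejects-3des"        # handshake failed: no shared cipher
    except smtplib.SMTPNotSupportedError:
        return "no-starttls"         # server did not advertise STARTTLS
    except OSError:
        return "error"               # unreachable, reset, or SMTP failure

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe(host))
```

A result of `rejects-3des` for every server that Encryption Management Server proxies from and to means the fallback to DES-CBC3-SHA described above cannot be negotiated with those peers.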
You can also ensure that only specific mail servers are permitted to connect to Encryption Management Server. Access can be restricted from the administration console by doing the following:
Broadcom is committed to product quality and satisfied customers. Broadcom is currently considering addressing this issue in a forthcoming version or Maintenance Pack of the product. Refer back to this article periodically, as any changes to the status of the issue will be reflected here.
Jira: EPG-22242