Removing CBC ciphers from the Messaging Gateway TLS cipher list
Article ID: 408559

Products

Messaging Gateway

Issue/Introduction

To alleviate concerns regarding the use of CBC (cipher block chaining) cipher suites for SMTP TLS communication, the CBC cipher suites need to be removed from the SMTP TLS cipher list.

Resolution

To disable CBC ciphers for Messaging Gateway TLS-secured communication, the MTA cipher list needs to be updated on every SMG scanner. For each scanner host:

  1. Log into the SMG scanner command line interface as admin
  2. Export the existing SMTP TLS cipher list
    mta-control all set-tls-ciphers
  3. Add "!PSK" to the active cipher list:
    mta-control all set-tls-ciphers 'ALL:!ADH:!PSK:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP:-eNULL:-aNULL'
  4. Confirm the change
  5. Restart the MTA service
    service mta restart

To confirm that the CBC ciphers are no longer present in the MTA cipher list, run:

mta-control all set-tls-ciphers | grep CBC
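The grep above matches only suites whose OpenSSL name contains the string CBC (in OpenSSL's naming, the PSK and SRP suites); AES CBC suites such as AES256-SHA or ECDHE-RSA-AES128-SHA256 carry no CBC in their name. As an added example, not from this article or the SMG product, the following Python script classifies `openssl ciphers -v` output by cipher mode rather than by name, using a constructed sample; `cbc_suites_for_cipher_string` assumes a local `openssl` binary is available to expand a cipher string.

```python
import re
import subprocess

# Constructed sample of `openssl ciphers -v` output (not captured from an SMG host).
SAMPLE_OPENSSL_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
"""

# One line of `openssl ciphers -v`: name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+\S+\s+Kx=\S+\s+Au=\S+\s+Enc=(?P<enc>[^(\s]+).*Mac=(?P<mac>\S+)"
)
# Stream or null encryption: never CBC, even though Mac is not AEAD.
STREAM_OR_NULL = {"RC4", "None"}


def cbc_suites(ciphers_v_output: str) -> list[str]:
    """Return the suite names that run a block cipher in CBC mode.

    In TLS, a block cipher that is not used in an AEAD mode (GCM, CCM) runs
    in CBC mode, so Mac != AEAD plus a non-stream, non-null Enc identifies a
    CBC suite regardless of whether 'CBC' appears in the OpenSSL name."""
    found = []
    for line in ciphers_v_output.splitlines():
        m = LINE_RE.match(line)
        if m and m["mac"] != "AEAD" and m["enc"] not in STREAM_OR_NULL:
            found.append(m["name"])
    return found


def grep_cbc(ciphers_v_output: str) -> list[str]:
    """The name-only check that `grep CBC` performs, for comparison."""
    names = [line.split()[0] for line in ciphers_v_output.splitlines() if line.strip()]
    return [n for n in names if "CBC" in n]


def cbc_suites_for_cipher_string(cipher_string: str) -> list[str]:
    """Expand a cipher string with the local openssl binary and classify it."""
    result = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                            capture_output=True, text=True, check=True)
    return cbc_suites(result.stdout)


if __name__ == "__main__":
    print("grep CBC would report:", grep_cbc(SAMPLE_OPENSSL_CIPHERS_V))
    print("CBC-mode suites:      ", cbc_suites(SAMPLE_OPENSSL_CIPHERS_V))
```

Run it against the scanner's current string with `cbc_suites_for_cipher_string('ALL:!ADH:!PSK:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP:-eNULL:-aNULL')` on a host with the same OpenSSL build as the MTA to see every CBC-mode suite the string still enables.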

Note: Broadcom support cannot provide assistance with TLS negotiation issues caused by changes to the default cipher suite list, other than to recommend that the cipher suite list be returned to the default value:

mta-control all set-tls-ciphers default