Removing DES and 3DES ciphers in linux RedHat 6.8

Are those files actualy read/included by the config of the servers.
/etc/nginx/nginx.conf   resp/ /etc/httpd/httpd.conf

Most server have a configfile, all self respecting server allow to setup SSL settings, most also have a way to specify SSL Protocols.
But it is server dependant.... as the software needs to read the config file and setup the right calls to the ssl stack.

IN addition to the above, you could disable ciphers system wide by editing the OpenSSL.conf file.

Usually, you have to reload/restart the web server after this type of change.
Are you disabling protocols sslv2, sslv3, tls10?
These configs are read in during start of service. Sone changes can be applied by reload, some require a stop/start.....

Elaborating a bit:

Ftp server: 21,
Mailserver: 465,
imaps: 993,
pops: 995 and
Apache? / HaProxy? ...8443?

The 465, 993 and 995 might be proxied by nginx, then you have to check the mail { }  sections there.

Also disable SSL2 & 3 as mentioned before as those are broken by now.
(And be sure your SSL library is up to date.)
Dont forget to get your SSL certificates to at least use SHA-256 hashes or they will be unusable soon.

Here is an nginx spec:
        ssl_session_timeout 5m;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ; # required by SNI, upto SSL3 broken
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT40:!EXPORT56:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

Thank you for your responses, I have edited those files before, but in two separate scans these ciphers are still showing. Could there be any other files that might includes these ciphers server wide?

Thanks,

Jorge

Thank you, it seems as pop3 and imap are among the ones listening, I just need to know where their config files are located

lsof -i:995
lsof -i:993
This will answer which application is serving it courier, postfix, dovcot, exim, etc. once you identify what is serving, locating the config might be come clearer if it is not in /etc
lsof -p pid_from_lsof
Look for open config files In the resulting list.

.....

nginx might as well proxy those.

netstat -antp

should give you a list of all processes id + running program with a TCP connection. (the p does the trick).

This is the result I got from those commands. I tried to challenge  the results with scanning company and they denied it saying it was a legitimate warning and that the ciphers were still showing in these ports.

I think I need the command to close port 21 as I'v set up the server to use port 22 for secure ftp.

Also I need to find the files to edit ciphers on imaps and pcsync-https

[root@web ~]# lsof -i:995
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
couriertc 15408 root    3u  IPv6 30350204      0t0  TCP *:pop3s (LISTEN)

[root@web ~]# lsof -i:993
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
couriertl 13674 root    0u  IPv6 31208574      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61257 (ESTABLISHED)
couriertl 13677 root    0u  IPv6 31208577      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61256 (ESTABLISHED)
couriertl 13697 root    0u  IPv6 31208706      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61275 (ESTABLISHED)
couriertl 13698 root    0u  IPv6 31208707      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61276 (ESTABLISHED)
couriertc 15279 root    3u  IPv6 30350035      0t0  TCP *:imaps (LISTEN)
[root@web ~]#

[root@web ~]# lsof -i:21
COMMAND  PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
xinetd  9528 root    5u  IPv6 29879964      0t0  TCP *:ftp (LISTEN)
[root@web ~]# lsof -i:8443
COMMAND     PID         USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sw-cp-ser 19694         root   12u  IPv4 21678480      0t0  TCP *:pcsync-https (LISTEN)
sw-cp-ser 19694         root   14u  IPv6 21678482      0t0  TCP *:pcsync-https (LISTEN)
sw-cp-ser 29591 sw-cp-server   12u  IPv4 21678480      0t0  TCP *:pcsync-https (LISTEN)
sw-cp-ser 29591 sw-cp-server   14u  IPv6 21678482      0t0  TCP *:pcsync-https (LISTEN)

Thank you for your help with this.
Jorge

I also ran this command and I can see that DES ciphers are still in the server.

nmap --script ssl-enum-ciphers -p 21  "000.00.000.00"

results for ports 21, 993, 995 and 8443

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:33 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000030s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 21  "000.00.000.00"

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:36 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000030s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 993  "000.00.000.00"

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:37 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000029s latency).
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 995  "000.00.000.00"

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:38 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000029s latency).
PORT    STATE SERVICE
995/tcp open  pop3s
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 8443  "000.00.000.00"

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:39 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000034s latency).
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

FTP use the lsof -i:21 to identify which FTP server you are running
The same for IMAPs
8443 is likely tomcat/Catalina if not Apache configured to listen on this port for other reason meaning beside the SSL.conf you have <something>.conf that address configure Apache to listen on port 8443.


From the available ciphers/protocols I can not tell which application...is ...

DES isn't there any more 3DES is giving 128 bits of key..., to disable 3DES follow the rules of engagement to disable them per service.
Changing the portnumer of FTP to 22 won't help, port 22 is SSH... so if you dropped an ftp server and started using SSH (sftp = rcp over ssh) then it is ok.

You have show the output of lsof -i, that still doesn't show the service process. of commandline there of..
For cuourier (pops, imaps, 993, 995) check out the config files in /etc/courier-imap/  or /etc/courier/ directories.
(depends on build method).
There sould be an imap-ssl and a pop-ssl  file.
that file contains section along:

Make sure that you setup to disable SSL2 and SSL3
En the allowed string of protocols, setup a decent DH negotiation (>2048 bits).
##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version.  The possible versions are:
#
# OpenSSL:
#
# SSL3 - SSLv3
# SSL23 - all protocols (including TLS 1.x protocols)
# TLS1 - TLS1
# TLSv1.1 - TLS1.1
# TLSv1.2 - TLS1.2
#
# Leave it unset to use any protocol except SSL 2.

##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# OpenSSL:
#
# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
#
# GnuTLS:
#
TLS_CIPHER_LIST="HIGH:MEDIUM"
#
# The actual list of available ciphers depend on the options GnuTLS was
# compiled against. The possible ciphers are:
#
# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
#
# Also, the following aliases:
#
# HIGH -- all ciphers that use more than a 128 bit key size
# MEDIUM -- all ciphers that use a 128 bit key size
# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
#        is not included
# ALL -- all ciphers except the NULL cipher

##NAME: TLS_MIN_DH_BITS:0
#
# TLS_MIN_DH_BITS=n
#
# GnuTLS only:
#
# Set the minimum number of acceptable bits for a DH key exchange.
#
# See GnuTLS documentation, gnutls_priority_init(3) for additional
# documentation.

##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS
# extension, as opposed to IMAP over SSL on port 993.
#
# It takes the same values for OpenSSL as TLS_PROTOCOL

##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined

Oh, Missed the LSOF post.

Do you have Courier-MTA deployed, or do you as noci pointed out use courier-imap/Courier-components?
I think courier-imap includes the IMAP/POP handlers. configs.....

First of all, thank you both for all the help, I use use courier-imap and I just tried to modify imapd-ssl and pop3d-ssl but no changes so far. When I run the command to show the ciphers list, 3DES still shows under TLSv1.1 and TLSv1.2

Could you post what changes you made and restarted the services. At times, certain changes do not take effect on reload of config...

This are the files under courier-imap directory:

[root@web courier-imap]# ls -l
total 244
drwxr-xr-x 2 root root  4096 Nov 29 15:59 authlib
-rw------- 1 root root  3398 Nov 22 17:03 courier.pem
-rw-r--r-- 1 root root 15625 Nov 29 15:59 imapd
-rw------- 1 root root   348 Oct 26 04:11 imapd.cnf
-rw------- 1 root root 15625 Oct 26 04:11 imapd.dist
-rw-r--r-- 1 root root   168 Nov 21 13:22 imapd.pci.1
-rw-r--r-- 1 root root   173 Nov 21 13:22 imapd.pci.2
-rw-r--r-- 1 root root    39 Nov 21 13:22 imapd.pci.3
-rw-r--r-- 1 root root    49 Nov 21 13:22 imapd.pci.4
-rw-r--r-- 1 root root  9977 Dec  1 10:00 imapd-ssl
-rw-r--r-- 1 root root  9955 Dec  1 09:46 imapd-ssl-bak
-rw------- 1 root root 10020 Oct 26 04:11 imapd-ssl.dist
-rw------- 1 root root 10020 Aug 19  2015 imapd-ssl.rpmnew
-rw-r--r-- 1 root root  9522 Sep 24 08:14 imapd-ssl.rpmsave
-rw-r--r-- 1 root root  4113 Nov 29 15:59 pop3d
-rw------- 1 root root   348 Oct 26 04:11 pop3d.cnf
-rw------- 1 root root  4098 Oct 26 04:11 pop3d.dist
-rw-r--r-- 1 root root    54 Nov 21 13:22 pop3d.pci.1
-rw-r--r-- 1 root root    59 Nov 21 13:22 pop3d.pci.2
-rw-r--r-- 1 root root    27 Nov 21 13:22 pop3d.pci.3
-rw-r--r-- 1 root root    32 Nov 21 13:22 pop3d.pci.4
-rw------- 1 root root  4098 Aug 19  2015 pop3d.rpmnew
-rw-r--r-- 1 root root  4125 Sep 24 08:14 pop3d.rpmsave
-rw-r--r-- 1 root root  8997 Dec  1 09:59 pop3d-ssl
-rw-r--r-- 1 root root  8975 Dec  1 09:47 pop3d-ssl-bak
-rw------- 1 root root  9067 Oct 26 04:11 pop3d-ssl.dist
-rw------- 1 root root  9067 Aug 19  2015 pop3d-ssl.rpmnew
-rw-r--r-- 1 root root  8542 Sep 24 08:14 pop3d-ssl.rpmsave
-rw-r--r-- 1 root root   516 Oct 26 04:11 quotawarnmsg.example
drwxr-xr-x 2 root root  4096 Nov 20 13:25 shared
drwxr-xr-x 2 root root  4096 Oct 26 04:11 shared.tmp
[root@web courier-imap]#

I made backups of both imapd-ssl and pop3d-ssl before doing any modifications.

Sorry, I don't know how to copy an entire line with nano, so I can only copy and paste what I can see stretching terminal to the width of my monitor.

image-ssl:

#TLS_CIPHER_LIST=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
TLS_CIPHER_LIST=HIGH
TLS_STARTTLS_PROTOCOL=TLSv1.1+
TLS_TRUSTCERTS=/etc/courier-imap/courier.pem

pop3d-ssl:

#TLS_CIPHER_LIST=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
TLS_CIPHER_LIST=HIGH
TLS_STARTTLS_PROTOCOL=TLSv1.1+
TLS_TRUSTCERTS=/etc/courier-imap/courier.pem

So I just commented out TLS_CIPHERS_LIST and changed it to HIGH and restarted the service

Both your commented out TLS_cipher_lists the last items in the list is +3des if you do not want 3des available, replace it with -3DES and test.
and restart the service.

TLS_LIST_cipher=HIGH is defaulting to high bit requirement, but will not restrict the available ciphers that match the high bit.
add a -3des HIGH:-3DES on the service that the logs indicate is used less.
Then run the nmap to see available ciphers....

THE SSL part might now offer SSLv2andSSLv3 :!SSLv2!:SSLV3 might need to be added to the TLS_CIPHER_LIST

I made those changes and restarted the services and they are still showing.

I just ran this command in my server and got this:

[root@web ~]# openssl ciphers -v '3DES:+RSA'
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
[root@web ~]#

noci I think we are going in the right direction!

I was able to remove the ciphers from ports 993, 995 and 21, now I'm just struggling with port 8443, I think it is httpd where I go to conf.d and under that directory, I have edited ssl.conf but nothing.

I ran netstat -pant and got:
tcp        0      0 :::8443                     :::*                        LISTEN      19694/sw-cp-server

Not sure what this server is, what are it's config files?
There look for SSL / TLS settings.

somewhere below: /etc/sw-cp-server/???
try to find the right file(s) with:
egrep -lri '(ssl|tls)'  /etc/sw-cp-server

[root@web conf.d]# egrep -lri '(ssl|tls)'  /etc/sw-cp-server
/etc/sw-cp-server/conf.d/plesk.conf
/etc/sw-cp-server/conf.d/ipv6_ports.inc
/etc/sw-cp-server/conf.d/ssl.conf
[root@web conf.d]#

I already tried editing cons.d/ssl.conf but no luck

This is what I edited on /etc/sw-cp-server/conf.d/ssl.conf

ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES:!3DES:!LOW;
#ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;

did you restart the server after editing?

I just changed the +3DES to -3DES but no change

Not the hold server but I did restart the httpd service

the service on port 8443 needs to be restarted!

I believe it is httpd which is the one I have restarted along with apache and nginx

the program running there is called sw-cp-server...  not httpd or nginx...

You may find it with:

grep -ri sw-cp-server /etc/init.d/

Not sure where it is with systemd

That was it! Thanks!!!! I ran: service sw-cp-server restart and checked again and the 3DES ciphers are gone!

I'm running the 2 scans that were giving me the bad results and I will update this question and close it.

Thanks you so much to both.

Thank you so much for your help, the scans PASSED!

Note, editing /etc/OpenSSL.conf is a system wide change that would apply to all dynamically linked to the OpenSSL libraries.
Glad to hear you've got it resolved.

Thank you very much to both of you for your guidance in resolving this issue!