
Topic: Tip for secure SSL/TLS Apache configuration

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: CentOS7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? yes
- Related log if you're reporting an issue:  na
====

Just a tip for anyone looking to tighten their Apache (or nginx) SSL config.  I ran into this today and thought I'd share.

I had some users reporting that when visiting the mail site, they got browser warnings or were outright prevented from accessing the site.  They told me their employers have tightened down MSIE's settings to disallow access to any sites not employing secure SSL/TLS configurations.

Also, I should mention I do have a purchased cert.

Here's what I did to fix the problem -

1. Went to SSL Labs to confirm my certificate was happy and to see my baseline configuration status.  https://www.ssllabs.com/ssltest/

2. I was rated OK, but MSIE with SSL disabled (only TLS 1.0, 1.1, and 1.2 enabled) was not able to access the site.

3. I went to the Mozilla SSL config generator and chose Apache, Modern, and server version 2.4.6 with openssl version 1.0.1e.

4. I took the configuration it generated, and noted that config statements need to be added to /etc/httpd/conf.d/ssl.conf in both the "virtual host" stanza, and also outside of it. 

5. I searched for and commented out the lines in my current ssl.conf that were going to be replaced by config statements generated during step 4. 

6. I inserted the statements generated in step 4 into both the main section and the "virtual server" section of ssl.conf.

7. Restarted httpd

8. Checked the site on SSL Labs, now scoring an "A+". 

9. Tested from MSIE with only TLS enabled, and it worked fine now.

Hope this helps the next guy.

----

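As an added example that is not from the post or the iRedMail project: a small Python checker for the kind of weak ssl.conf directives that step 5 has you comment out, run against two constructed config fragments. The "hardened" fragment is an assumed approximation of the generator's Modern profile for Apache 2.4, not its literal output.

```python
# Constructed sample in the style of the stock CentOS 7 ssl.conf (not a real file)
STOCK_SSL_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>
"""
# Constructed "after" state; assumed values in the spirit of the Modern profile
HARDENED_SSL_CONF = """\
SSLStaplingCache shmcb:/var/run/ocsp(128000)
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
"""
# OpenSSL cipher-list groups that should never appear un-negated in SSLCipherSuite
WEAK_CIPHER_GROUPS = {"RC4", "DES", "3DES", "EXPORT", "NULL", "aNULL", "MD5", "MEDIUM", "LOW"}

def directives(conf):
    """Yield (name, value) for active directives; skips comments, blanks and <tags>."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        yield name, value.strip()

def audit_ssl_conf(conf):
    """Return a list of findings; an empty list means no checked weakness was found."""
    d = dict(directives(conf))
    findings = []
    proto = d.get("SSLProtocol", "all").split()  # Apache 2.4 defaults to "all"
    if ("all" in proto and "-SSLv3" not in proto) or "SSLv3" in proto or "+SSLv3" in proto:
        findings.append("SSLProtocol still permits SSLv3 (POODLE)")
    for tok in d.get("SSLCipherSuite", "DEFAULT").split(":"):
        if tok in WEAK_CIPHER_GROUPS:  # negated groups such as !MD5 are fine
            findings.append(f"SSLCipherSuite enables weak group {tok}")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on; the client picks the cipher")
    if d.get("SSLCompression", "off").lower() == "on":
        findings.append("SSLCompression is on (CRIME)")
    return findings
```

Call `audit_ssl_conf(open("/etc/httpd/conf.d/ssl.conf").read())` on a real file to see what is left to comment out; it does not replace an external scan like SSL Labs.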


Re: Tip for secure SSL/TLS Apache configuration

Thanks for sharing. The most important part is step #3.

jdelisle wrote:

3. I went to the Mozilla SSL config generator and chose Apache, Modern, and server version 2.4.6 with openssl version 1.0.1e.

It generates a list of strong ssl ciphers.