This is a utility for the Windows version of the standalone Opera Mail program (version 1.0.1044, released in 2016) that lets you disable cipher suites that are no longer secure.
(In the future, there might be a version for OS X; as a temporary solution, you can try copying the opssl6.dat file from an installation of Opera 12.16 that has had its security tightened appropriately and then doing step 4 below.)
Use this program at your own risk.
If this program is useful to you, please consider making a small donation.
Instructions
1. Before using the program, make a backup of the opssl6.dat file. You can get the location of this file by choosing "About Opera Mail" from the Help menu and looking at "Opera directory".
2. Run the program (with Opera Mail not running) and disable the cipher suites you want. Cipher suites are listed in the approximate order of their security from best to worst regarding forward secrecy, algorithm security, and key size. The "recommended" cipher suites are those that the Qualys SSL server test marks as providing forward secrecy and not being "weak" as of February 2020.
3. To verify the new configuration, the included omcs.mbs file can be imported into Opera Mail as a "generic mbox file". It shows the Web site How's My SSL? (as unfortunately the Qualys test cannot be embedded in an HTML iframe).
4. You may want to disable protocols older than TLS 1.2 (by default, TLS 1.0, 1.1, and 1.2 are enabled). To do this, add the following lines at the end of your operaprefs.ini file, which is in the same folder as the opssl6.dat file:
[Security Prefs]
Enable SSL v2=0
Enable SSL v3=0
Enable TLS v1.0=0
Enable TLS v1.1=0
Enable TLS v1.2=1
A future version of the cipher selector might automate this. The lines regarding SSL 2 and 3 are there for good measure; they might not actually be needed.
If you find that you cannot connect to your mail server anymore, enable more cipher suites until you can connect again. Revisit this procedure periodically, since security best practices keep changing.
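The operaprefs.ini edit described above can be scripted. The following is an added example, not part of the cipher selector or of Opera Mail: it writes the five settings into an existing [Security Prefs] section if there is one, so the section header is not duplicated, and appends the section otherwise. The function names are hypothetical, and the file is assumed to be UTF-8 (a byte-order mark, if present, is kept).

```python
import shutil
from pathlib import Path

SECTION = "[Security Prefs]"
# Values from the instructions above: only TLS 1.2 stays enabled.
WANTED = {"Enable SSL v2": "0", "Enable SSL v3": "0", "Enable TLS v1.0": "0",
          "Enable TLS v1.1": "0", "Enable TLS v1.2": "1"}


def merge_security_prefs(text):
    """Set WANTED inside [Security Prefs], reusing the section if it already exists."""
    eol = "\r\n" if "\r\n" in text else "\n"
    out, missing, in_section = [], dict(WANTED), False

    def flush():
        # Add keys the section lacked, ahead of any blank lines that end it.
        pos = len(out)
        while pos and not out[pos - 1].strip():
            pos -= 1
        out[pos:pos] = [f"{k}={v}" for k, v in missing.items()]
        missing.clear()

    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_section:
                flush()
            in_section = s.lower() == SECTION.lower()
        elif in_section and "=" in s:
            key = s.split("=", 1)[0].strip()
            if key in WANTED:  # overwrite a conflicting value in place
                line = f"{key}={WANTED[key]}"
                missing.pop(key, None)
        out.append(line)
    if in_section:
        flush()
    elif missing:  # section never seen: append it, as the instructions describe
        out += [SECTION] + [f"{k}={v}" for k, v in missing.items()]
    return eol.join(out) + eol


def harden_file(path):
    """Back up the prefs file, then rewrite it. Run with Opera Mail closed."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    raw = path.read_bytes()
    bom = b"\xef\xbb\xbf" if raw.startswith(b"\xef\xbb\xbf") else b""
    text = raw[len(bom):].decode("utf-8")  # assumption: the file is UTF-8
    path.write_bytes(bom + merge_security_prefs(text).encode("utf-8"))
```

Call `harden_file` with the path shown under "Opera directory" plus `operaprefs.ini`; the original is kept beside it as `operaprefs.ini.bak`.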