Cipher Suites on Windows and SmarterMail
Question asked by Manuel - 6/13/2015 at 5:00 AM
Answered
Hello,
I have a good anti-virus embedded in my firewall, and I would like to take advantage of it to block viruses to my SmarterMail server.
However, almost all the connections to my server are encrypted with TLS or SSL.
My firewall can decrypt these inbound connections, but it supports only some specific Cipher Suites:
 
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

I have Windows Server 2008 R2.
I think that, by default, all Cipher Suites are enabled.
 
If I config Windows to use only the Cipher Suites listed above, what could be the drawbacks?
Will SmarterMail work?
Or is there a risk of TLS / SSL errors with some mail servers that would be unable to send email to me?
 
Does anyone have experience with this?
 
 
Thanks in advance
Manuel
GRAFFITI — It's Communication
Riva del Garda (TN), I-38066 – Località Pasina 46
Milano, I-20129 - via Lamberto De Bernardi 1
Verona, I-37134 - via Legnago 126
San Francisco, US-94111 California – 275 Battery St, Suite 2600
website: www.graffiti.it

4 Replies

Joe Wolf Replied
Marked As Answer
You shouldn't be doing this at the Firewall level.  The Cipher suite handshake needs to happen at the server level.
 
The simplest and easiest is to download IIS Crypto : https://www.nartac.com/Products/IISCrypto/IISCryptoCli40.exe
 
First check your server grade at SSL Labs: https://www.ssllabs.com/ssltest/   And print out the results.
 
It's just an .exe you can put on your desktop... it's not an installer, etc.
 
Run IISCrypto and hit the Best Practices button.
 
Reboot server.  
 
Re-run your server grade at SSL Labs: https://www.ssllabs.com/ssltest/
 
Problem solved.
Thanks, -Joe
Manuel Replied
Hello Joe,
yes, the Cipher Suites handshake needs to happen at the server level, and this is what I need to configure.
But if I restrict the number of cipher suites available, will some remote servers that want to send e-mail to my server fail to establish a connection, or will they in any case use one of the cipher suites that I have available?
Joe Wolf Replied
I run the Best Practices on IIS Crypto and I'm not aware of any problem with any server not being able to connect. Keep in mind that unless you FORCE TLS any server can still send unencrypted if needed.
Thanks, -Joe
Bruce Barnes Replied
ALL SSL protocols should now be DISABLED - completely.
 
TLS is the only secure protocol.  TLS 1.0 is, technically, deprecated as well, but, if disabled, will disable most browsers and connectivity for lots of devices.
 
TLS 1.1 and TLS 1.2 are the only two trusted protocols.
 
Many ciphers need to be disabled as well and two new ones need to be added.
 
If this product does not work for you: https://www.nartac.com/Products/IISCrypto/IISCryptoCli40.exe, then contact me offlist and I can send you a ZIP file with two REG imports which will do everything, on both server 2008 and server 2012.
 
To take full advantage of the new protocols and ciphers, you need SERVER 2008 R2, or SERVER 2012 R2.
 
Server 2003 is dead - all support ends at midnight on 14 July, 2015 - including support from antivirus vendors who will no longer be pushing virus definitions or supporting products which run on Server 2003 after that date.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net
Phone: (773) 491-9019
Phone: (224) 444-0169
E-Mail and DNS Security Specialist
Network Security Specialist
Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/
Web and E-Mail Hosting, E-Mail Security and Consulting
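A way to check these settings on the server before narrowing the suite list, as an added example that is not from this thread, from SmarterMail or from IIS Crypto: a PowerShell 2.0-compatible script for Server 2008 R2 that reads the Schannel protocol flags and the configured cipher-suite order from the registry, then flags each suite on the firewall's list that uses RC4, 3DES or MD5, lacks forward secrecy, or is absent from the configured order. The registry paths are Schannel's documented locations; the function names, the 'default' placeholder and the issue labels are this example's own.

```powershell
# Added example, not from the thread: audit Schannel protocols and cipher-suite order
# on the server, then check the firewall's suite list against them.
# Assumes an elevated PowerShell 2.0+ session on the SmarterMail host (Server 2008 R2).
$protocols = 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-ProtocolState {
    # A missing key or value means Schannel's built-in default for that protocol applies.
    foreach ($p in $protocols) {
        $key = Join-Path $base "$p\Server"
        $enabled = 'default'; $disabledByDefault = 'default'
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            if ($v.PSObject.Properties['Enabled']) { $enabled = $v.Enabled }
            if ($v.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = $v.DisabledByDefault }
        }
        New-Object PSObject -Property @{ Protocol = $p; Enabled = $enabled; DisabledByDefault = $disabledByDefault }
    }
}

# The suites the firewall in the question can decrypt (list taken from the thread).
$firewallSuites = 'TLS_RSA_WITH_AES_256_CBC_SHA','TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA','TLS_RSA_WITH_RC4_128_MD5','TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA256','TLS_RSA_WITH_AES_256_CBC_SHA256'

function Get-ConfiguredSuiteOrder {
    # Group Policy order (REG_SZ, comma separated) overrides the local default (REG_MULTI_SZ).
    $gp = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $local = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'
    if (Test-Path $gp) {
        $f = (Get-ItemProperty -Path $gp).Functions
        if ($f) { return @($f -split ',' | ForEach-Object { $_.Trim() }) }
    }
    if (Test-Path $local) { return @((Get-ItemProperty -Path $local).Functions) }
    return @()
}

function Test-FirewallSuites {
    $order = Get-ConfiguredSuiteOrder
    foreach ($s in $firewallSuites) {
        $issues = @()
        if ($s -match 'RC4|3DES|_MD5') { $issues += 'weak-algorithm' }   # RC4, 3DES and MD5 are broken or deprecated
        if ($s -match '^TLS_RSA_') { $issues += 'no-forward-secrecy' }   # static RSA key exchange
        if ($order.Count -gt 0 -and -not ($order -contains $s)) { $issues += 'not-in-configured-order' }
        New-Object PSObject -Property @{ Suite = $s; Issues = ($issues -join ',') }
    }
}

Get-ProtocolState | Format-Table Protocol,Enabled,DisabledByDefault -AutoSize
Test-FirewallSuites | Format-Table Suite,Issues -AutoSize
```

Every suite on the firewall's list uses static RSA key exchange, which is what lets the firewall decrypt traffic with the server's private key, so limiting the server to that list also removes forward secrecy for every client. The registry is read directly because the Get-TlsCipherSuite cmdlet does not exist on Server 2008 R2.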