1
Cipher Suites on Windows and SmarterMail
Question asked by Manuel - June 13, 2015 at 5:00 AM
Answered
Hello,
I have a good anti-virus embedded in my firewall, and I would like to take advantage of it to block viruses sent to my SmarterMail server.
However, almost all the connections to my server are encrypted with TLS or SSL.
My firewall can decrypt these inbound connections; however, it supports only some specific cipher suites:
 
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

I have Windows Server 2008 R2.
I think all cipher suites are enabled by default.
 
If I configure Windows to use only the cipher suites listed above, what could be the drawbacks?
Will SmarterMail work?
Or is there a risk of TLS/SSL errors with some mail servers that are then unable to send email to me?
 
Does anyone have experience with this?
 
 
Thanks in advance
Manuel

3 Replies

1
Joe Wolf Replied
June 13, 2015 at 5:31 AM
You shouldn't be doing this at the firewall level. The cipher suite handshake needs to happen at the server level.
 
The simplest and easiest way is to download IIS Crypto: https://www.nartac.com/Products/IISCrypto/IISCryptoCli40.exe
 
First check your server grade at SSL Labs: https://www.ssllabs.com/ssltest/ and print out the results.
 
It's just an .exe you can put on your desktop... it's not an installer, etc.
 
Run IISCrypto and hit the Best Practices button.
 
Reboot server.  
 
Re-run your server grade at SSL Labs: https://www.ssllabs.com/ssltest/
 
Problem solved.
Thanks,
-Joe
0
Manuel Replied
June 13, 2015 at 9:09 AM
Hello Joe,
Yes, the cipher suite handshake needs to happen at the server level, and this is what I need to configure.
But if I restrict the number of cipher suites available, will some remote servers that want to send e-mail to my server fail to establish a connection, or will they in any case use one of the cipher suites that I have available?
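
An added example, not part of the original thread and not SmarterMail or Windows code: a small model of server-preference cipher selection that shows which sender offers still negotiate when the server accepts only the seven suites listed in the question. It assumes the server uses the listed order as its preference and has TLS 1.2 enabled; the client offers are constructed.

```python
"""Added example: which senders can still negotiate TLS if the server is
restricted to the firewall's cipher suites. Client offers are constructed."""

TLS10, TLS12 = 0x0301, 0x0303  # protocol version numbers on the wire

# (id, name, minimum protocol version) in the order listed in the question,
# used here as the server's preference order (an assumption).
FIREWALL_SUITES = [
    (0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA", TLS10),
    (0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA", TLS10),
    (0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", TLS10),
    (0x0004, "TLS_RSA_WITH_RC4_128_MD5", TLS10),
    (0x0005, "TLS_RSA_WITH_RC4_128_SHA", TLS10),
    (0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256", TLS12),  # TLS 1.2 only
    (0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256", TLS12),  # TLS 1.2 only
]

def weaknesses(name):
    """Return the weak properties visible in a suite name."""
    found = [w for w in ("RC4", "3DES", "MD5") if w in name]
    if name.startswith("TLS_RSA_"):
        found.append("no forward secrecy")  # static RSA key exchange
    return found

def negotiate(client_max_version, client_offer, server_suites=FIREWALL_SUITES):
    """Server-preference selection: the first server suite that the client
    offered and that is usable at the client's highest protocol version.
    Returns (name, weaknesses), or None when the handshake would fail."""
    offered = set(client_offer)
    for suite_id, name, min_version in server_suites:
        if suite_id in offered and client_max_version >= min_version:
            return name, weaknesses(name)
    return None

# Constructed ClientHello offers (suite IDs from the IANA TLS registry).
CLIENTS = {
    "ecdhe_only": (TLS12, [0xC02F, 0xC030]),  # ECDHE-RSA AES-GCM only
    "mixed": (TLS12, [0xC02F, 0xC014, 0x009C, 0x003C, 0x002F]),
    "legacy_rc4": (TLS10, [0x0005, 0x0004]),
    "tls10_sha256": (TLS10, [0x003C, 0x003D]),  # SHA256 suites need TLS 1.2
}

def report(clients=CLIENTS):
    """Map each constructed client label to its negotiation outcome."""
    return {label: negotiate(ver, offer) for label, (ver, offer) in clients.items()}

if __name__ == "__main__":
    for label, result in report().items():
        print(f"{label:13} -> {result or 'handshake failure (no shared suite)'}")
```
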
0
Bruce Barnes Replied
June 13, 2015 at 7:25 PM
ALL SSL protocols should now be DISABLED - completely.
 
TLS is the only secure protocol.  TLS 1.0 is, technically, deprecated as well, but, if disabled, will disable most browsers and connectivity for lots of devices.
 
TLS 1.1 and TLS 1.2 are the only two trusted protocols.
 
Many ciphers need to be disabled as well and two new ones need to be added.
 
If this product does not work for you: https://www.nartac.com/Products/IISCrypto/IISCryptoCli40.exe, then contact me offlist and I can send you a ZIP file with two REG imports which will do everything, on both server 2008 and server 2012.
 
To take full advantage of the new protocols and ciphers, you need SERVER 2008 R2, or SERVER 2012 R2.
 
Server 2003 is dead - all support ends at midnight on 14 July, 2015 - including support from antivirus vendors who will no longer be pushing virus definitions or supporting products which run on Server 2003 after that date.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
