SHA256 Hash Support
Idea shared by James Grangeia - 12/22/2014 at 1:38 PM
Proposed
So my SSL provider sent out an email suggesting I reissue my certs utilizing the SHA256 signature hashing algorithm as they are trying to migrate people off of certs issued with SHA1.  I have created the cert (still using the standard RSA key) and it works fine for use on the IIS Webserver but it isn't yet compatible with Smartermail due to the fact that certs utilizing SHA256 utilize a different CSP (My guess anyway).  I imagine eventually smartertools will support these certs as they become more mainstream but I was wondering when that might occur?

27 Replies

Reply to Thread
2
I can't give you the specific answer to your individual problem, but I assure you SmarterMail supports SHA256 certificates. I currently use SHA256withRSA.  
 
Check your Bindings in SmarterMail to assure you have added the proper SSL/TLS ports and make sure you have put a copy of the certificate in a folder in your SmarterMail installation folder.
 
Thanks,
-Joe
1
James,
 
It sounds like you forgot to export your SSL Certificate to BASE 64 encoded X.509 (.cer) format in your Windows Server Certificate Manager. Webmail running under IIS can use the SSL Certificate straight from your Certificate Authority, but all other Mail Services require the SSL Certificate to be exported to a different format and saved to the location defined in Smartermail (SETTINGS > BINDINGS > PORTS).
 
 
As long as you are running Windows Server 2008 or higher you should be able to use SHA256 Certificates just fine (WinServer 2003 only supports SHA1).
0
Guys,
 
    Thank you for the suggestions.  Unfortunately those suggestions while valid don't solve my particular  issue.  While I haven't found the exact cause I did find that TLS version 1.0 is the only TLS version that will be negotiated.  I have SmarterMail deployed on a Win 2008 R2 server and while the IIS portion of the server suports TLS protocol version 1.2 negotiation the SmarterMail SMTP listener does not...  I am not sure if there is a config option to enable TLS 1.1 and 1.2 within SmarterMail but I am thinking the root cause is related...  I guess I should make a new suggestion to support the newer TLS versions as well...
0
It's related to OS, enable TLS versions at OS first
0
Download IIS Crypto: https://www.nartac.com/Products/IISCrypto/ Select the Best Practices button, then Apply, then reboot. Check your server at SSL Labs: https://www.ssllabs.com/ssltest/ -Joe
Thanks,
-Joe
0
Guys you must of missed the fact that I already have Schannel TLS 1.2 enabled and I have verified the fact by testing the IIS 7.5 webmail  interface.  This does not change the fact that TLS 1.2 is not enabled on the Smartermail SMTP listener...  The system supports it but SmarterMail does not and that is what I am trying to enable.
0
Joe are you sure? Can you give me the public dns name of your mail server listening with a SHA256 RSA cert installed.
0
check out webmail.omegamicro.net. The webserver webmail site has an ecc cert bound. I currently have an RSA SHA1 cert bound to the SMTP listener but want to upgrade it to a RSA SHA256 Cert.
0
Guys 
 
FYI
 
Very cool site to verify ciphers and TLS version.
Feel free to utilize a throw away SMTP email addy on it.  It takes awhile to get results but you can check back later and see the results and the evidence of the checking in your SMTP logs.
 
 
0
Yes, I'm sure. I don't post any of my server names here and there's no PM system so I can't send it to you that way. Have you run IIS Crypto and checked it at SSL Labs? Below is the appropriate line from the SSL Labs test on my server: Signature algorithm SHA256withRSA -Joe
Thanks,
-Joe
0
SSL Labs doesn't run SSL negotiation tests against SMTP port 25. I am talking the SMTP listener... The IIS portion is working fine according to SSL Labs. Check out my post below on www.ismymailsecure.com
0
webmail.omegamicro.net You really need to run IIS Crypto. You only have 4 Cipher Suites available and they're not compatible with many clients. Your preferred Cipher Suites are 128 bit. -Joe
Thanks,
-Joe
0
Joe the four cipher suites available were picked by me and the clients that use the site are compatible. If the site was for general public use with a variety of clients I would totally support a wider variety of cipher suites... I am just trying to utilize GCM with SHA256 over CBC with SHA1 where I can. 128 bit is fine for me :)
0
www.ismymailsecure.com connected to my server as: ECDHE-RSA-AES256-SHA AES256-SHA When I connect to my SmarterMail server on port 25 via my CentOS box using an OpenSSL query I get the following answer: a=rsa-sha256 When I send a test message to my Gmail account using Outlook 2010 I connect with the following cipher: version=TLS\Tlsv1 cipher=Aes256 bits=256 When I send the same test via SmarterMail webmail I connect with the following cipher: version=TLSv1 cipher=ECDHE-RSA-AES128-SHA bits=128/128 I don't know any other ways to test it. -Joe
Thanks,
-Joe
0
Joe in the detail report on www.ismymailsecure.com it should give you cert information and whether tls v1 v1.1 or v1.2 is supported. Above it looks like only tls v1
0
The detailed report only gives the Certificate Issuer, Certificate serial, Certificate Fingerprint, and Certificate Expires info. No version. As for the TLS info: TLS 1.2: YES TLS 1.1: YES TLS 1.0: YES SSLv3: NO SSLv2: NO -Joe
Thanks,
-Joe
0
Joe I know you don't like giving out details but what email domain are you checking... I am thinking your email MX records point to a third party SMTP SPAM service.
0
Here are the results for smartertools.com Certificate details: Certificate issuer: 07969287 Certificate serial: 2B3CF24B0E9212 Certificate fingerprint: C4:40:02:A6:A3:8D:E5:36:EC:22:6E:11:23:6F:59:F0:E5:F0:65:17 Certificate expires: August 17, 2015, 16:34:33 UTC Cipher details Strong ciphers: ECDHE-RSA-AES256-SHA AES256-SHA Medium ciphers: ECDHE-RSA-AES128-SHA AES128-SHA Weak ciphers: None NULL ciphers (no encryption): None Protocol support: TLS 1.2: NO TLS 1.1: NO TLS 1.0: YES SSLv3: NO SSLv2: NO - See more at: http://www.ismymailsecure.com/result/smartertools.com#sthash.wlbI3MUA.dpuf
0
No, I assure you I don't use any third party. I've been running mail servers since 1996. I don't think that site ismymailsecure.com is very reliable. I've checked some different servers they have cached and they have obviously incorrect information for some (like my own bank). They don't even show the correct Certificate Issuer for smartertools.com. I don't know who put that site up, but it's not accurate in several cases I've tested. I think using the OpenSSL script on a Linux box is much more accurate.
Thanks,
-Joe
0
Joe I hate to tell you but the cert info returned for smartermail.com is accurate but poorly formatted and truncated. 07969287 is godaddy... what domain was inaccurately reported on that site?
0
When I connect to mail.smartertools.com I connect via TLS 1 using AES_128_CBC SHA1 RSA. When I connect to my own SmarterMail server (from home) I connect TLS 1.2 using AES_256_CBC SHA256 ECDHE_RSA. I am using a test build of SmarterMail, but not for that reason... maybe that is included in my build... I don't know. I'm not going to list other domains... I only checked ones I could compare the known message header I received vs. what that site says. If you just use out of the box IIS and Microsoft's default authentication and key exchanges you will probably be limited to 128 SHA1 RSA and would still support SSL3. It takes a lot of registry hacks to secure a Microsoft server. I'm just a SmarterTools Product Expert... not part of their actual support team. Perhaps you need to submit a support ticket. Wish I could help more. -Joe
Thanks,
-Joe
0
Thanks for the help Joe!! Having a test build could definitely explain the TLS functionality difference. Since you have seen my Qualsys (webmail interface on the same server) test results you can tell I don't run my schannel config with the default settings :) I remember Smartermail was one of the first to support SPF processing , DKIM, Domainkeys, and DMARC and that is why I stick with them :)
0
I was able to get digicert to connect to SmarterMail. Here's what they report: Protocol Support TLS 1.1, TLS 1.0 SSL certificate Common Name = redacted Subject Alternative Names = redacted Issuer = Go Daddy Secure Certificate Authority - G2 Serial Number = 2B10952D105E2C SHA1 Thumbprint = 965919A116733D80BBE6FCDEAE062E2A467B9514 Key Length = 2048 bit Signature algorithm = SHA256 + RSA (excellent) Secure Renegotiation: Supported While testing other sites I noticed that gmail.com is still using a SHA1 Certificate.
Thanks,
-Joe
0
when you use digicert.com/help try webmail.omegamicro.net and webmail.omegamicro.net:25 . It will report up to tls v1.1 on the website and no tls version info on the smtp site (which means tls v1) ... I guess they haven't upgraded it to test for tls v1.2 compliance yet.... Slackers lol
0
I did the :25 on mine and bound SmarterMail to an unused IP Address so the webmail system was not availalble. Since I did it by IP Address and port number it gave Certificate Name errors but the connection information is accurate. The SMTP logs look strange, but it does show the connection (no ehlo, etc.). I have about 20 extra Godaddy SSL Certificates that I bought when they were on sale for $12 per year (and got 5 years on all of them). The time doesn't start running until you activate the Certificate so it wasn't a big deal to burn one. I just wanted to get to the bottom of it and I am 100% satisfied that the message headers ad third party reliable testing like OpenSSL and digicert agree with my findings. The SmarterMail webmail system does seem to be limited to SHA1 and 128 bit. I think Thunderbird is as well. Outloook 2010+ and a few are the only email clients supporting SHA256.
Thanks,
-Joe
0
Be sure to read the IIS Crypto notes, as not IIS Crypto does not display the current configuration of the cipher suites. And be sure to verify which client might connect to your server. If you remove weaker sipher suites, older clients might not be able to connect to your server anymore.
-----------------------------------------------
Thomas Stensitzki
MCSM Messaging, MCM: Exchange Server 2010
https://www.granikos.eu
0
That's true, but if you're selling email services you have an fiduciary duty to your customers. If you knowingly allow weaker, compromised cipher suites then you have violated that duty. We cannot be expected to block all vulnerabilities, but we do have to make a best effort to not allow known vulnerabilities.
Thanks,
-Joe

Reply to Thread