SmarterMail not secure
Idea shared by Colin M - January 29, 2015 at 9:45 AM
Under Consideration
There are a few important security flaws with my SmarterMail installation. Perhaps I have something misconfigured in which case, please straighten me out. Otherwise I think these are bugs that need to be addressed ASAP.
 
First, SSLv3 is simply *not secure* which is very well established. I don't think SSLv3 should be removed from SmarterMail since some legacy installations might require it, but it should definitely not be depended upon as a solution.
 
Second, TLSv1 is only marginally better than SSLv3 and currently it appears that SmarterMail only uses TLSv1. It should be updated to support TLSv1.1 and TLSv1.2.
 
Last but not least, when adding a port via SmarterMail config and choosing "TLS" for the "Encryption" option, that port is actually enabled for both TLS and *unencrypted* connections! I was quite astonished when I found I could use telnet to connect and authenticate on my server.
 
What all of the above means is that it appears there is no way to configure the server such that:
 
* SSLv3 is disabled for all protocols (except POP since Outlook apparently doesn't support POP over TLS - and is the only client that I know of that doesn't)
* TLS is enabled for all protocols (and ideally TLS 1.1 and 1.2)
* Unencrypted connections are completely disabled for all protocols (except for port 25 for server-to-server communication)
* Authentication over the port 25 unencrypted connection is disabled (to prevent users from unknowingly using an insecure connection)
 
Notes about my installation:
- Windows 2008 R2 with all updates current
- SmarterMail 12.3
- IIS 7
- TLSv1.1 and TLSv1.2 both work on IIS (enabled using Nartac IIS Crypto)
- TLSv1.1 and TLSv1.2 DO NOT work on SmarterMail ports (pop, imap, smtp)
- SmarterMail IP Binding only binds to ports that are configured for "TLS"
 
I've tested all of the above stated facts using telnet for unencrypted and the openssl command line for encrypted. E.g.:
 
These tests FAIL:
 
> openssl s_client -starttls imap -tls1_1 -crlf -connect mail.example.com:143
> openssl s_client -starttls imap -tls1_2 -crlf -connect mail.example.com:143
 
These tests SUCCEED:
 
> openssl s_client -starttls imap -tls1 -crlf -connect mail.example.com:143
> telnet mail.example.com 143
> openssl s_client -tls1_1 -crlf -connect mail.example.com:443
> openssl s_client -tls1_2 -crlf -connect mail.example.com:443
 
EDIT: So these tests prove that enabling TLSv1.2 for IIS (https) does not also enable it for pop/imap/smtp. Also, enabling TLS in SmarterMail enables unencrypted on the same port. I understand the connection has to start out unencrypted for the STARTTLS command, but it should not allow AUTH LOGIN on an unencrypted connection that is configured to be "TLS".
 
At this point the most secure way to configure the server appears to be to not use TLS at all and only support SSL which means that the completely broken 18 year old protocol is the best that SmarterMail can really support and enforce at the same time!
 
Am I wrong?

29 Replies

Reply to Thread
0
The following is a useful tool, it references IIS but applies to Schannel so should cover anything that using Schannel to implement SSL/TLS which is probably most software that runs under windows. Using it you can control which revisions of SSL/TLS are available to clients:

https://www.nartac.com/Products/IISCrypto/

With regards to TLS 1.2 I believe the issue is you are running Windows 2008 which does not support TLS 1.2. Upgrade to Windows 2008 R2 or later.

http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx

0
@Nathan Y I am already running 2008 R2 and did use the IIS Crypto tool to enable TLS 1.2. As I said, "TLSv1.1 and TLSv1.2 both work on IIS", but perhaps I should have clarified that they work on https. However, they definitely do not work on pop, imap and smtp which leads me to believe this is an issue with SmarterMail and not Windows.
0
Even SmarterTools own server does not do TLS 1.2. Does anyone have TLS 1.2 working for pop, imap or smtp? Works: > openssl s_client -starttls smtp -tls1 -crlf -connect mail.smartertools.com:25 Does not work: > openssl s_client -starttls smtp -tls1_2 -crlf -connect mail.smartertools.com:25
0
You do appear to be correct in that TLS support is for v1.0, not 1.1 or 1.2 for anything other than webmail via IIS. The same test against an Exim server connects correctly so your openssl s_client test appears to confirm the lack of TLS 1.1 or 1.2 support.

Hopefully someone from Smartertools will confirm.
0
Colin M and Nathan Y, thank you for bringing this topic up.  You are correct in that SM currently only supports TLS v1.0. Currently, SM is built on the .NET Framework 4.0 which only supports TLS v1.0.  We are planning on moving onto .NET Framework 4.5 with SM 14.  The primary reason that we haven't already made the transition is that fact that Windows Server 2003 does not support that .NET Framework.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Robert, I think all of the recent vulnerabilities found with SSLv3 and TLSv1 justify the move before Windows 2003 EOL. Also, please address the issue with TLS ports also supporting unencrypted traffic. Basically, any unencrypted communication other than STARTTLS on the port should be blocked, no?
0
Colin, can you please explain in more detail what you want? Any initial connection to a port will have unencrypted traffic until the STARTTLS is issued. Are you looking for an option to require all connections to use TLS?
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
If a port is designated as "TLS" then it currently really means "TLS and Unencrypted" so for example it could be renamed as such and then a new option "TLS Only" could be added. The difference would be that the "TLS Only" would only allow the STARTTLS command on an unencrypted connection. This is how smtp.gmail.com works, for example: http://screencast.com/t/PygoHBNFD
0
Colin,
 
Are you looking for a TLS Only only for port 587?  I can definitely see the validity of this request.  It would have to accept more than just he STARTTLS command though, for example, EHLO, NOOP, HELP, and QUIT should be acceptable unencrypted commands.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
I think the TLS Only option should be valid for any port. That is, I want to prevent users from authenticating in plain text over pop, imap, smtp, xmpp. ldap, etc. You are right in that other innocuous commands besides STARTTLS will need to be supported, but the general idea is that the connection will not be functional without STARTTLS because otherwise there is no way to prevent users from configuring their clients improperly.
1
Until the E-Mail industry mandates TLS for inter-MX server traffic, via an IETF mandate, you cannot enforce TLS on port 25. To do so, will block a LOT of legitimate e-mail.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
You didn't read the thread thoroughly. I said: * Unencrypted connections are completely disabled for all protocols (except for port 25 for server-to-server communication) * Authentication over the port 25 unencrypted connection is disabled (to prevent users from unknowingly using an insecure connection)
0
Colin, I am changing this thread from a problem to an idea and marking it as Under Consideration to facilitate development tracking.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Thanks, Robert. If the idea gets accepted for a future version will this thread be updated?
0
Yes, sir.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Any update on this issue? Will this be included in SM14? Sometimes almost 50% of connected users are using unencrypted connections and there is nothing I can do to stop it except disable TLS and go back to SSL which is silly. This is SmarterMail's single biggest security problem by far.
0
Matt Petty Replied
Employee Post
SmarterMail 14 is built on .Net 4.5 which includes support for TLS 1.1 & 1.2.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matt, you didn't read the thread.. The big problem here is that "TLS" ports are actually "TLS *and unencrypted*" and with a large user base it is impossible to guarantee that all users are always configured to use TLS unless you can disable the unencrypted mode. In SmarterMail you cannot currently use TLS and simultaneously prevent unencrypted connection. SmarterMail is the only mail system I know of that has this issue. IT IS A BUG. The fix is easy, just issue an error if any sensitive commands are used before STARTTLS.
0
For example, Postfix has supported smtpd_tls_auth_only since 2.2 (circa 2004) and Courier has supported IMAP_TLS_REQUIRED since around 2002!
0
Matt Petty Replied
Employee Post
Ahh Gotcha, sorry.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Robert/Matt, also the Autodiscover feature should probably support specifying TLS specifically. So will this fix for disallowing unencrypted connections make it into SM 13 or 14 any time soon?
5
This thread needs a bump.  It's now 2017, on SM 15, and this feature is still "under consideration". 
 
I agree with Collin M- this is a very important feature for an increasing number of business segments.  It does not seem that implementing a solution is very complex and clearly competitors of SM have supported this for a long time.  If SM is truly marketed as a commercial, enterprise-ready alternative to systems like Exchange, etc, the ability for mail administrators to ensure security, both between client and SM, and, where necessary, between SM and another MX host is critical these days.
 
I would argue for the additional ability to specify a list of recipient domains for which TLS is required for sending mail.  Other enterprise mail servers accommodate this; the value being it ensures that traffic to those certain domains is always sent securely, even if other domains not on the list can't/don't use TLS when accepting mail from SM.  What we're saying is, for those domains on this Force-TLS list, it's not good enough to "prefer" TLS when contacting another MX to deliver the mail; it's TLS or fail the outgoing message.  Domains not on that list can "prefer" TLS or still send plaintext as happens today. 
 
These features would help us be certain that messages to specific domains are delivered securely, which is a requirement for many in my business segment.  I like SM, but unfortunately now I'm searching for a replacement that has this capability or I'm losing my business to others who use your competitors' products.  Please step up!!
4
Bum-pity Bump - Yes - I'm out here tonight trying to figure out how to FORCE TLS on 587.  If users want to go unencrypted - go ahead and use port 25 - see if I care, but if you are authenticating using 587, I want to force you to use and encrypted connection.  
 
Even SMTP service on Windows Server 2003 in the IIS 6 SMTP manager has a check box "Require TLS encryption" -
4
Any updates?
0
Don't hold your breath.. It seems ST has decided to abandon their core competency (email) and instead chase the latest cool stuff like full-screen wallpaper backgrounds and compete with the likes of Slack, HipChat and *free* software like Mattermost. Meanwhile we don't have forced STARTTLS, 2FA, advanced routing, better EAS features, etc.. smh
0
I would love to hear about any alternatives to Smartermail that implements the latest security features along with a good anti-spam engine. I would buy it today. SmarterTools has basically abandoned SM for new features. Items I have requested from 2-3 years ago have never been done. That's why I don't have a support contract anymore. Looking for a good alternative. Anyone?
0
I've also dropped my service contract. I've been looking at going back to Imail.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
I am now evaluating MailEnable. Seems to have all the missing features I requested from SM.
1
Sorry for bumping this topic but the last reply from SM was from 2015. In the mean time, is there anything in the pipeline for disabling the insecure SSL protocol? We are also getting a lot of questions with pen tests where they see our server accepts SSLv3 connections which are totally unsecure.

Reply to Thread