There are a few important security flaws with my SmarterMail installation. Perhaps I have something misconfigured in which case, please straighten me out. Otherwise I think these are bugs that need to be addressed ASAP.
First, SSLv3 is simply *not secure* which is very well established. I don't think SSLv3 should be removed from SmarterMail since some legacy installations might require it, but it should definitely not be depended upon as a solution.
Second, TLSv1 is only marginally better than SSLv3 and currently it appears that SmarterMail only uses TLSv1. It should be updated to support TLSv1.1 and TLSv1.2.
Last but not least, when adding a port via SmarterMail config and choosing "TLS" for the "Encryption" option, that port is actually enabled for both TLS and *unencrypted* connections! I was quite astonished when I found I could use telnet to connect and authenticate on my server.
What all of the above means is that it appears there is no way to configure the server such that:
* SSLv3 is disabled for all protocols (except POP since Outlook apparently doesn't support POP over TLS - and is the only client that I know of that doesn't)
* TLS is enabled for all protocols (and ideally TLS 1.1 and 1.2)
* Unencrypted connections are completely disabled for all protocols (except for port 25 for server-to-server communication)
* Authentication over the port 25 unencrypted connection is disabled (to prevent users from unknowingly using an insecure connection)
Notes about my installation:
- Windows 2008 R2 with all updates current
- SmarterMail 12.3
- IIS 7
- TLSv1.1 and TLSv1.2 both work on IIS (enabled using Nartac IIS Crypto)
- TLSv1.1 and TLSv1.2 DO NOT work on SmarterMail ports (pop, imap, smtp)
- SmarterMail IP Binding only binds to ports that are configured for "TLS"
I've tested all of the above-stated facts using telnet for unencrypted and the openssl command line for encrypted. E.g.:
These tests FAIL:
> openssl s_client -starttls imap -tls1_1 -crlf -connect mail.example.com:143
> openssl s_client -starttls imap -tls1_2 -crlf -connect mail.example.com:143
These tests SUCCEED:
> openssl s_client -starttls imap -tls1 -crlf -connect mail.example.com:143
> telnet mail.example.com 143
> openssl s_client -tls1_1 -crlf -connect mail.example.com:443
> openssl s_client -tls1_2 -crlf -connect mail.example.com:443
EDIT: So these tests prove that enabling TLSv1.2 for IIS (https) does not also enable it for pop/imap/smtp. Also, enabling TLS in SmarterMail enables unencrypted connections on the same port. I understand the connection has to start out unencrypted for the STARTTLS command, but it should not allow AUTH LOGIN on an unencrypted connection that is configured to be "TLS".
At this point the most secure way to configure the server appears to be to not use TLS at all and only support SSL, which means that the completely broken 18-year-old protocol is the best that SmarterMail can really support and enforce at the same time!
Am I wrong?
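The last complaint in the post (AUTH LOGIN accepted on a port configured for "TLS") can be checked mechanically rather than by hand with telnet. A STARTTLS-capable server is expected to withhold authentication until the session is encrypted: for IMAP that means advertising LOGINDISABLED and no AUTH= mechanisms in the cleartext CAPABILITY response (RFC 2595), and for SMTP it means not listing AUTH in the cleartext EHLO reply. The script below is an added example written for this thread; it is not code from the post, from SmarterMail, or from SmarterTools. It parses capability advertisements offline from constructed sample responses (not captures from a real SmarterMail server) and reports whether plaintext authentication would be accepted; the two `live_*` helpers, which use only the standard library's `imaplib`/`smtplib`, read the same advertisements from a server you administer without ever issuing STARTTLS or sending credentials.

```python
"""Audit IMAP/SMTP capability advertisements for cleartext authentication.

Added example for this thread, not code from the post or from SmarterTools.
All sample responses below are constructed, not captured from a real server.
"""

# Constructed sample responses (hypothetical server "mail.example.com").
IMAP_CAPS_PERMISSIVE = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN IDLE\r\n"
IMAP_CAPS_STRICT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE\r\n"
SMTP_EHLO_PERMISSIVE = (
    "250-mail.example.com Hello\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 SIZE 52428800\r\n"
)
SMTP_EHLO_STRICT = "250-mail.example.com Hello\r\n250-STARTTLS\r\n250 SIZE 52428800\r\n"


def parse_imap_capabilities(line: str) -> set:
    """Turn an untagged '* CAPABILITY ...' response into a set of upper-cased tokens."""
    tokens = line.strip().split()
    if len(tokens) < 2 or tokens[0] != "*" or tokens[1].upper() != "CAPABILITY":
        raise ValueError("not an IMAP CAPABILITY response: %r" % line)
    return {t.upper() for t in tokens[2:]}


def parse_smtp_ehlo(response: str) -> dict:
    """Map EHLO extension keywords (upper-cased) to their parameter string."""
    features = {}
    first = True
    for raw in response.splitlines():
        raw = raw.strip()
        if not (raw.startswith("250-") or raw.startswith("250 ")):
            continue
        if first:  # the first 250 line carries the server's domain, not an extension
            first = False
            continue
        keyword, _, params = raw[4:].partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def audit_imap(caps: set) -> dict:
    """RFC 2595: before STARTTLS the server should say LOGINDISABLED and offer no AUTH=."""
    starttls = "STARTTLS" in caps
    login_allowed = "LOGINDISABLED" not in caps
    sasl = sorted(c for c in caps if c.startswith("AUTH="))
    return {
        "starttls_offered": starttls,
        "plaintext_auth_allowed": login_allowed or bool(sasl),
        "cleartext_sasl_mechanisms": sasl,
    }


def audit_smtp(features: dict) -> dict:
    """An EHLO reply that lists AUTH before STARTTLS permits credentials in the clear."""
    auth = features.get("AUTH")
    return {
        "starttls_offered": "STARTTLS" in features,
        "plaintext_auth_allowed": auth is not None,
        "cleartext_sasl_mechanisms": auth.split() if auth else [],
    }


def live_imap_audit(host: str, port: int = 143) -> dict:
    """Read the cleartext CAPABILITY list from a server you run; no STARTTLS, no login."""
    import imaplib
    conn = imaplib.IMAP4(host, port)
    try:
        _typ, data = conn.capability()  # data[0] is the capability list as bytes
        return audit_imap(parse_imap_capabilities("* CAPABILITY " + data[0].decode()))
    finally:
        conn.logout()


def live_smtp_audit(host: str, port: int = 25) -> dict:
    """Same check for SMTP: inspect the EHLO reply before any STARTTLS."""
    import smtplib
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        # smtplib stores extension names in lower case; normalise to match parse_smtp_ehlo.
        features = {k.upper(): v for k, v in s.esmtp_features.items()}
    return audit_smtp(features)


if __name__ == "__main__":
    for label, sample in (("IMAP permissive", IMAP_CAPS_PERMISSIVE),
                          ("IMAP strict", IMAP_CAPS_STRICT)):
        print(label, audit_imap(parse_imap_capabilities(sample)))
    for label, sample in (("SMTP permissive", SMTP_EHLO_PERMISSIVE),
                          ("SMTP strict", SMTP_EHLO_STRICT)):
        print(label, audit_smtp(parse_smtp_ehlo(sample)))
```

A `plaintext_auth_allowed` of `True` on a port that is meant to be TLS-only is the condition described in the post. Note that this check inspects only what the server advertises; a server that advertises LOGINDISABLED but still accepts a LOGIN command is also non-compliant, and the openssl and telnet tests already listed above remain the way to confirm which protocol versions actually negotiate.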