2
SmarterMail and POODLE?
Question asked by Michael Marquardt - 10/22/2014 at 12:12 PM
Unanswered
Will disabling the SSL 3.0 protocol affect clients' access to the IMAP-SSL, POP3-SSL and SMTP-SSL ports?
 
Thanks!

7 Replies

0
John Marx Replied
It depends on what other protocols you have enabled. TLS should be the primary ones you're using. I know for our mail server we have SSL 2 and SSL 3 turned off. TLS 1.0, 1.1 and 1.2 are enabled. 1.0 is only enabled due to one client requesting it. 1.1 we know we have to have on or Gmail is unable to send mail.
0
Bruce Barnes Replied
Here are a couple of articles which might help you both understand, and resolve, the POODLE SSL v3 vulnerability:
 
The second item includes information on enabling a couple of other minor security protocols.
 
Note that all of these fixes will break the ability of Windows XP machines to connect via SSL.
 
To allay fears about this issue being SmarterTools specific, this affects ALL OPERATING systems and certificates.  These Windows solutions are provided because SmarterTools products require the Windows operating system and IIS to run under SSL.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Michael Marquardt Replied
I have TLS 1.0 enabled (TLS 1.1 and 1.2 aren't supported by Windows 2008 - old OS, I know, but this is the last Pre-2008R2 server we have). TLS is also working on the standard IMAP/POP3 ports (143, 110) as well as the SMTP and Submission ports (25, 587, 8372 [a relic from a past age that people still use]).

I guess the question I'm asking is how will this affect access to the IMAP4-SSL (993), POP3-SSL (995), and SMTP-SSL (465)?

I have no problem cutting off XP and prior users.
0
Michael Marquardt Replied
Yeah we have TLS enabled.  Some of our users still use the SSL ports though (SMTP 465, POP3 995, and IMAP4 993).  I guess I just need to know if disabling SSL 3.0 entirely will cause these protocols to quit functioning (or, more accurately, how many support calls I'm going to get WHEN we disable SSL 3.0 entirely)
0
Steve Reid Replied
Disabling SSL 3.0 should have zero effect on your customers. All the ports remain the same and encryption still works.
0
Bruce Barnes Replied
You must disable SSL 3.0 to complete the process.
 
FYI, as of 1 December, 2014, Microsoft will be disabling all SSL 3.0 support on IIS and all Microsoft products, hosted and otherwise.
 
Here's a TechNet link on the process of disabling it: https://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm
 
You can also see the appropriate KB on my portal, download the associated TXT file, rename it as a REG file and import it into the registry to clean it all up and enable new protocols on Server 2003, Server 2008, and Server 2012.
 
 
Remember to REBOOT your server to allow the new registry settings to take effect.
 
Once you've done that, then test your new settings here:  https://www.ssllabs.com/ssltest/index.html
0
Colin M Replied
Just because TLS 1.1 and/or 1.2 are working for IIS it does not mean SmarterMail is using them and in fact until SmarterMail supports .NET 4.5 it cannot support TLS 1.1 and 1.2. This can be verified using a command line like: openssl s_client -starttls imap -tls1_1 -crlf -connect mail.example.com:143
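
A way to confirm what the implicit-TLS mail ports asked about in this thread (993, 995, 465) actually negotiate once SSL 3.0 has been disabled and the server rebooted, complementing the openssl STARTTLS check above. This is an added example, not part of the original thread or any SmarterMail code; it sends a hand-built ClientHello with no extensions because many current OpenSSL builds omit SSL 3.0, and the function names and the default host are assumptions.

```python
import os
import socket
import struct
import sys

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
IMPLICIT_TLS_PORTS = {993: "IMAP4-SSL", 995: "POP3-SSL", 465: "SMTP-SSL"}  # ports named in the thread

def client_hello(version):
    """Minimal ClientHello (no extensions) whose highest offered version is `version`."""
    suites = struct.pack(">4H", 0x002F, 0x0035, 0x000A, 0x0005)  # RSA with AES128/AES256/3DES/RC4, SHA-1
    body = (struct.pack(">H", version) + os.urandom(32) + b"\x00"     # client_version, random, empty session id
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00")  # cipher suites, null compression only
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body     # type 1 = ClientHello, 24-bit length
    return b"\x16" + struct.pack(">HH", min(version, 0x0301), len(handshake)) + handshake

def classify(offered, reply):
    """Interpret the first bytes the server sent back as (status, detail)."""
    if len(reply) >= 7 and reply[0] == 0x15:                        # alert record: level, description
        return ("refused", "alert %d" % reply[6])
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:  # handshake record carrying ServerHello
        chosen = struct.unpack(">H", reply[9:11])[0]                # server_version field
        name = VERSIONS.get(chosen, hex(chosen))
        return ("accepted" if chosen == offered else "downgraded", name)
    return ("refused", "no TLS reply")

def probe(host, port, version, timeout=5.0):
    """Send one ClientHello to an implicit-TLS port and classify the answer."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("error", "connect failed: %s" % exc)
    with sock:
        try:
            sock.sendall(client_hello(version))
            reply = sock.recv(4096)
        except OSError:
            reply = b""  # a reset or timeout after the hello is treated as a refusal
    return classify(version, reply)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder host
    for port, label in IMPLICIT_TLS_PORTS.items():
        for version, name in VERSIONS.items():
            print(port, label, name, *probe(host, port, version))
```

A "downgraded" result means the server answered with a lower version than the one offered, which is the same condition that makes `openssl s_client -tls1_1` fail.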
