SmarterMail and POODLE?
Question asked by Michael Marquardt - October 22, 2014 at 12:12 PM
Unanswered
Will disabling the SSL 3.0 protocol affect client's access to the IMAP-SSL, POP3-SSL and SMTP-SSL ports?
 
Thanks!

7 Replies

Reply to Thread
0
John Marx Replied
It depends on what other protocols you have enabled. TLS should be the primary ones you're using. I know for our mail server we have SSL 2 and SSL 3 turned off. TLS 1.0, 1.1 and 1.2 are enabled. 1.0 is only enabled due to one client requesting. 1.1 we know we have to have on or gmail is unable to send mail.
0
Bruce Barnes Replied
Here are a couple of articles which might help you both understand, and resolve, the POODLE SSL v3 vulnerability:
 
The second item includes information on enabling a couple of other minor security protocols.
 
Note that all of these fixes will break the ability of Windows XP machines to connect via SSL.
 
To allay fears about this issue being SmarterTools specific, this affects ALL OPERATING systems and certificates.  These windows solutions are provided because SmarterTools products require the Windows operating system and IIS to run under SSL..
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
I have TLS 1.0 enabled (TLS 1.1 and 1.2 aren't supported by Windows 2008 - old OS, I know, but this is the last Pre-2008R2 server we have). TLS is also working on the standard IMAP/POP3 ports (143, 110) as well as the SMTP and Submission ports (25, 587, 8372 [a relic from a past age that people still use]).

I guess the question I'm asking is how will this affect access to the IMAP4-SSL (993), POP3-SSL (995), and SMTP-SSL (465)?

I have no problem cutting off XP and prior users.
0
Yeah we have TLS enabled.  Some of our users still use the SSL ports though (SMTP 465, POP3 995, and IMAP4 993).  I guess I just need to know if disabling SSL 3.0 entirely will cause these protocols to quit functioning (or, more accurately, how many support calls I'm going to get WHEN we disable SSL 3.0 entirely)
0
Steve Reid Replied
Disabling SSL 3.0 should have zero effect to your customers. All the ports remain the same and encryption still works
0
Bruce Barnes Replied
You must disable SSL 3.0 to complete the process.
 
FYI, as of 1 December, 2014, Microsoft will be disabling all SSL 3.0 support on IIS and all Microsoft products, hosted and otherwise.
 
Here's a TechNet link on the process of disabling ithttps://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm
 
You can also see the appropriate KB on my portal, download the associate TXT file, rename it as a REG file and import into the registry to clean it all up, enable new protocols on Server 2003, Server 2008, and Server 2012.
 
 
Remember to REBOOT your server to allow the new registry settings to take effect.
 
Once you've done that, then test your new settings here:  https://www.ssllabs.com/ssltest/index.html
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Colin M Replied
Just because TLS 1.1 and/or 1.2 are working for IIS it does not mean SmarterMail is using them and in fact until SmarterMail supports .NET 4.5 it cannot support TLS 1.1 and 1.2. This can be verified using a command line like: openssl s_client -starttls imap -tls1_1 -crlf -connect mail.example.com:143

Reply to Thread