How to enable TLS for Autodiscover
Question asked by Stephen Roesch - November 17, 2014 at 1:23 PM
Unanswered
Hello, 
 
I've recently added the correct DNS entries to enable autodiscover on Outlook, however, when I add an account, it's being added with SSL encryption instead of TLS encryption. Is there any way to force the highest level of encryption available for the client? (Yes, TLS is working when I manually set it).
 
Thanks!

17 Replies

0
Joe Wolf Replied
First off you shouldn't allow ANY SSL connections, only TLS. First test your server at https://www.ssllabs.com/ssltest/ and you can see what protocols and cipher suites your server is allowing. The default cipher suites on a Windows server are pretty BAD. Use a tool like IIS Crypto https://www.nartac.com/Products/IISCrypto/ and use the Best Practices button to secure your server (you will have to reboot). After doing this any SSL request will be forced to TLS.

-Joe
Thanks,
-Joe
0
If I disable SSL, will it break POP access on Outlook 2010? (I don't think 2010 supports TLS over POP.)
0
Joe Wolf Replied
That would be news to me since I use it all the time. Every SSL protocol is now considered insecure and should not be used. You'd be surprised how many servers still support SSL 2.0 and they wonder why they get hacked. Poodle broke SSL 3.0.

Following my instructions above will simply force server communications via TLS and secure your server. The only Windows user issue is that if a user is using Windows XP with Internet Explorer 6 they couldn't connect to the webmail via https://. But this is really not an issue... I run Web Log Expert on my IIS SmarterMail logs and I've had 11 hits from Internet Explorer 6 in the last 180 days. Anyone running that combo has not updated anything on their system for years!
Thanks,
-Joe
0
I had actually already been planning on running IISCrypto. I did run the best practices selection, however, Outlook's autodiscover still returns SSL instead of TLS.
0
Joe,
 
I think things got a bit mixed up. Whether you use implicit or explicit encryption (i.e. SSL/TLS in Outlook) has nothing to do with the encryption protocol. So you can negotiate TLS1.2 with port 993 for implicit (SSL on Outlook) still, as well as use StartTLS on port 143 for explicit (TLS on Outlook). As far as AutoDiscover, you would probably have to make your own XML instead of using SmarterMail's as that just has implicit on the XML return.
Example:
<Protocol>
<Type>IMAP</Type>
<Server>server.domain.com</Server>
<Port>993</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>on</SSL>
<AuthRequired>on</AuthRequired>
<DomainName>domain.com</DomainName>
<DomainRequired>on</DomainRequired>
<LoginName>user@domain.com</LoginName>
<SPA>off</SPA>
</Protocol>
0
Joe Wolf Replied
Outlook may be saying that but if you used the most recent IIS Crypto with Best Practices then your server will not accept an SSL connection. During the handshake the connection is stepped up to TLS regardless of what Outlook shows you.

If you're just wanting Autodiscover to show TLS instead of SSL I'm not sure how to do that. You could try removing all SSL Bindings from SmarterMail and leave the TLS Bindings in place.
Thanks,
-Joe
0
Joe Wolf Replied
I agree it would have to be generated by the SmarterMail XML, but again the end result is no different. I can set Outlook to use SSL and it just changes to TLS on the handshake.

Since SSL is now dead I'd suggest to SmarterTools to change the XML.

I just tested removing IMAP SSL on Port 993 from the Bindings and SmarterTools still reports:

<Protocol>
<Type>IMAP</Type>
<Server>smtp.redacted.com</Server>
<Port>993</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>on</SSL>
<AuthRequired>on</AuthRequired>
<DomainName>redacted.com</DomainName>
<DomainRequired>on</DomainRequired>
<LoginName>redacted@redacted.com</LoginName>
<SPA>off</SPA>
</Protocol>

I'm no expert on Autodiscover, but since SSL is dead it should have reported:
<Port>143</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<TLS>on</TLS>

So I think this is a bug in SmarterMail.

-Joe
Thanks,
-Joe
0
Joe,
Looking at the schema there is no <TLS> option, it will just auto select between implicit/explicit from the <SSL> option.
Link: http://technet.microsoft.com/en-us/library/cc511507%28v=office.14%29.aspx

If you don't have a port binding in the settings for 993 and it's displaying that available, I would definitely call that a bug.

As far as implicit transactions going away, I haven't seen anything from MailOPs or any providers. Most usually recommend implicit as it will bypass filters such as an ASA/PIX doing smtp fixup from disabling encryption altogether.
0
Joe Wolf Replied
I have a port binding on 993 for SSL, but since all SSL versions are blocked on my servers it seems pointless. I'll keep it there for Outlook, but Outlook is really connecting via TLS.

I was looking at the mailconfig.xml file and noticed the following:

<IPBindingPort>
<UID>4978dcd5538c45redactedc8de3952</UID>
<Name>IMAP SSL</Name>
<Port>993</Port>
<Description>IMAP SSL Port smtp.redacted.com</Description>
<Type>IMAP</Type>
<isTLS>False</isTLS>
<isSSL>True</isSSL>
<CertificatePath>C:\Program Files (x86)\SmarterTools\SmarterMail\Certificates\smtp.redacted.com.crt</CertificatePath>
</IPBindingPort>

I'm not going to be the first to try it, but it would be interesting to see what would happen if the two lines:
<isTLS>False</isTLS>
<isSSL>True</isSSL>

were reversed to:
<isTLS>True</isTLS>
<isSSL>False</isSSL>

That would seem to force TLS over Port 993 and report it in the autodiscover.xml that SmarterMail advertises.

The bottom line is that since Poodle we shouldn't allow any SSL connections to the server.

-Joe
Thanks,
-Joe
0
I still don't think you understand that implicit doesn't mean SSL:
i.e. openssl s_client -connect server.domain.com:465
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 113F0000F562D67796CE2AB7036A520A668417F0C18016B989AB45D7B7D86E72
Session-ID-ctx:
Master-Key: 062442D087154CD02903E29663A0E6E410240700E7991D51C8E067CFD49D79B99C61D1D63B3B13D35516435509BE31DD
Key-Arg : None
Start Time: 1416444536
Timeout : 300 (sec)
Verify return code: 0 (ok)
Thus not vulnerable to Poodle, BEAST, CRIME, et al. attack of the day on SSL.
0
Sorry to harp on this but you got me riled. Using TLS on Outlook could still be vulnerable to Poodle if you probably didn't disable SSL3 in regedit. To test:
openssl s_client -connect server.domain.com:587 -starttls smtp -crlf
P.S. Add -crlf if you actually want to type something to Windows server on the previous comment.
0
There is a secret feature of the autodiscover.xml file. Remove <SSL>on</SSL> and replace it with <Encryption>TLS</Encryption>. Works fine, at least for SMTP in Outlook 2010. I had tested it and it is working for me.
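As an added illustration, not code from the thread or from SmarterMail: a small Python audit of the <Protocol> entries an Autodiscover response advertises, using the <SSL> element from the snippets above and the <Encryption>TLS</Encryption> element reported in the post just above (treated here as an assumption). The sample XML, the mail.example.com host and the implicit-TLS port mapping are constructed for this example; real responses carry XML namespaces, which the code strips.

```python
"""Audit the <Protocol> entries of an Outlook Autodiscover response: implicit TLS
(<SSL>on</SSL> on a dedicated port), explicit TLS (<Encryption>TLS</Encryption>)
or plaintext. The sample XML is constructed for this example."""
import xml.etree.ElementTree as ET

# Ports conventionally used for implicit TLS ("SSL" in Outlook's drop-down).
IMPLICIT_PORTS = {"IMAP": 993, "POP3": 995, "SMTP": 465}

SAMPLE_AUTODISCOVER = """<Autodiscover>
 <Response><Account>
  <Protocol><Type>IMAP</Type><Server>mail.example.com</Server><Port>993</Port>
   <SSL>on</SSL><AuthRequired>on</AuthRequired></Protocol>
  <Protocol><Type>SMTP</Type><Server>mail.example.com</Server><Port>587</Port>
   <Encryption>TLS</Encryption><AuthRequired>on</AuthRequired></Protocol>
  <Protocol><Type>POP3</Type><Server>mail.example.com</Server><Port>110</Port>
   <SSL>off</SSL><AuthRequired>on</AuthRequired></Protocol>
  <Protocol><Type>IMAP</Type><Server>mail.example.com</Server><Port>143</Port>
   <SSL>on</SSL><AuthRequired>on</AuthRequired></Protocol>
 </Account></Response>
</Autodiscover>"""

def _local(tag):
    """Strip a namespace prefix; real responses carry one, the thread's snippets don't."""
    return tag.rsplit("}", 1)[-1]

def _child_text(proto, name, default=""):
    for child in proto:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return default

def classify_protocol(proto):
    """Return (type, port, mode); mode is implicit, explicit, plaintext or mismatch."""
    ptype = _child_text(proto, "Type").upper()
    port = int(_child_text(proto, "Port", "0"))
    enc = _child_text(proto, "Encryption").upper()   # assumed, per the post above
    if enc == "TLS":
        mode = "explicit"                             # STARTTLS on the plain port
    elif _child_text(proto, "SSL").lower() == "on":
        # <SSL>on</SSL> only works on that protocol's implicit-TLS port.
        mode = "implicit" if IMPLICIT_PORTS.get(ptype) == port else "mismatch"
    else:
        mode = "plaintext"
    return ptype, port, mode

def audit(xml_text):
    """Classify every <Protocol> in an Autodiscover response (namespace-agnostic)."""
    root = ET.fromstring(xml_text)
    return [classify_protocol(p) for p in root.iter() if _local(p.tag) == "Protocol"]
```

Run `audit(SAMPLE_AUTODISCOVER)` to see each advertised protocol; "plaintext" and "mismatch" entries are the ones clients will either connect to unencrypted or fail on.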
0
Joe Wolf Replied
I'm not sure where you're making these changes. You can't edit the autodiscover.xml file, but you can determine what it reports by editing the mailconfig.xml file. I find no SSL entry as you describe in the mailconfig.xml file. So where are you making these changes? What version of SM?
Thanks,
-Joe
0
michael~ Replied
Has anyone figured out a way to do this yet? I've removed all SSL from my server, so when I check SSL in the Protocol Settings -> Autodiscovery section, I'm unable to login from Outlook until I manually change that drop-down in the Advanced options tab. I see the SMTPSSL tag in the autodiscovery section in the mailConfig.xml file, but I can't figure out a TLS-related tag. Anyone? Thoughts? Thanks.
0
Joe Wolf Replied
It's going to take some help from SmarterTools to make Autodiscover work properly. Right now my suggestion is to change your mailconfig.xml autodiscover ports back to SMTP 587, IMAP 143, POP 110, and all the SSL to false. This will at least let Outlook Autodiscover work, but not SSL or TLS. I've tried adding the TLS true lines to the mailconfig.xml but SmarterMail ignores this variable. Since SSL is gone we need Autoconfigure TLS fast.
Thanks,
-Joe
0
michael~ Replied
Autodiscover works with the TLS ports (587, 993, 995), just not with the SSL checkbox enabled. It seems the best route for the time being is to enable TLS on 25, 110, 143, set autodiscover to use those ports, but without SSL checked, and instruct users to manually set the Outlook drop-down to TLS after autodiscovering. I say to use 25, 110, 143 because Outlook will change to those port numbers when you change the drop-down, and users get confused easily... ;)
0
Joe Wolf Replied
I'd stick with 587, 110, and 143 since many ISPs block port 25. Same result, fewer problems. This could be solved if SmarterMail would announce the TLS true in the autodiscover.xml but it won't.
Thanks,
-Joe
