3
Getting TLS1.2 to work!!
Problem reported by Tarkan - 7/15/2015 at 5:16 PM
Resolved
Is everyone using SM14 getting TLS1.2 working on the SMTP/IMAP ports?
 
I have setup a test environment with the latest version of SM14 and Server 2012R2, and just cannot get TLS1.1 or TLS1.2 to work - TLS1.0 is working fine.
 
Certificate install looks fine - TLS1.0 is working ok but I get an error if I force TLS1.1 or TLS1.2.
 
Sending an openssl s_client command to the test machine, results in this.
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 2E340000A84BDE1FB17913BB1923FCD4712D4273DCD6500BECCA7

    Session-ID-ctx:
    Master-Key: A66A7A402E5429810ABF115D312214A346FD7C4596B5463CF6315
2F8D9F6E484CB081EE55B2E9904F0EE2
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1437004050
    Timeout   : 300 (sec)
If I rerun the command this time forcing TLS1.1 or TLS1.2 I get the following.
 
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1437004202
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
 
I have tried everything - replaced the certificates several times, used different 3rd party certificates, self signed certificates, etc always the same result.
 
Any pointers on where I should look or investigate.
 
Thanks.
 
 

10 Replies

Reply to Thread
0
Bruce Barnes Replied
You need to enable the ciphers and encryption.
 
 
I have a couple of .REG files which can be imported to the registry.
 
Once imported, and the server re-booted, everything should start working.
 
Note that ALL SSL is now depreciated.  The files I will send you will have SSL 1.0, SSL 2.0, and SSL 3.0 disabled.
 
Your Windows Server 2012 will receive an "A" rating at https://www.ssllabs.com/ssltest/index.html once you follow the instructions at the link above.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Tarkan Replied
Hi Bruce,
 
Thanks for the response.  I normally use IISCrypto to setup the correct ciphers.
 
The IIS hosted webmail is working with TLS 1.2 ok no problem using the same certificate as installed on the SM14 ports (on the same machine of course).
 
Connection: TLS 1.2, AES with 256 bit encryption (High); ECDH_P256 with 256 bit exchange
 
I am really scratching my head with this one - I will try your REG files see if they make any difference.
 
0
Tarkan Replied
Hi Bruce,

I tried your REG and same thing.

Out of interest I just ran this against your securemail.chicagonettech.com server.

openssl s_client -starttls smtp -connect securemail.chicagonettech.com:25 -tls1_2

and guess what your machine is not accepting a TLS1.2 connection either - I have sent you an email so I can look at my logs and see if my email was recieved using TLSv1.2 or not.
0
Bruce Barnes Replied
If you want to support Android 4.4 and below, you cannot disable TLS 1.0, because disabling TLS 1.0 disables it on ALL ports, not just 25.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Bruce Barnes Replied
I'll take the "A" rating from SSL labs as it stands.

We're monitoring the development of TLS 1.3, and will watch for other options and developments, implimenting as appropriate, so we can support as many Android clients as possible., but I don't see TLS 1.3 as either a final solution, or being approved, for at least another 18 months.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
1
Matt Petty Replied
Employee Post
Tarkan, we have fixed this in our next minor build.
 
SmarterMail will now accept TLS 1.2 connections and use TLS 1.2 connections for SMTP Out as well.

If you wish to test this out please contact sales and ask for the custom build for TLS 1.2.
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Tarkan Replied
Hi Matt,

Many thanks for the update - so I was not going mad and it was an issue within Smartermail.

Couple of my clients were seeking confirmation that SM14 would use TLSv1.2 to send/receive email and not being able to demonstrate or confirm was an issue!!
2
Tarkan Replied
Hi Matt,
 
Just tested the custom build - straight upgrade install with no other changes made.
 
TLSv1.2 handshake
SSL handshake has read 2076 bytes and written 602 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: E7450000627BA6CD2731234C21C6A566FEBFEBAE595282C04597

    Session-ID-ctx:
    Master-Key: BC629907207A7C6B7BF423A9EA51370C8080751863A7FB9461E1
2414EF2DD8D08355E5AE7C1A878CD08C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1437573067
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
TLSv1.1 handshake
SSL handshake has read 2042 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 6C3B0000C502334FF99F21388C41E4EBB52150DEDECB9971E449511

    Session-ID-ctx:
    Master-Key: 58EE38640C97C0F469BEADF3D0E64F3FC83DD37C7116A4B69F6B45E
A1130ECE3EEA134CC6176D4B485BFC74
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1437573279
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
Finally email sent between my postfix gateway to the test SM14 custom build machine.
Jul 22 14:51:07 gateway-de postfix/smtp[12777]: Verified TLS connection established to smtp.somewhere.net[x.x.x.x]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Sent from SM14 custom build out to my gateway machine.
Jul 22 15:10:27 gateway-de postfix/smtpd[12900]: Anonymous TLS connection established from smtp.somewhere.net[x.x.x.x]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
 
 
Many thanks for fixing this bug!!
0
Bruce Barnes Replied
Tarkan: Can you please contact me off-list - via e-mail, at support@chicagonettech.com. I have a couple of questions for you.

Thanks
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
2
Bruce Barnes Replied
Matt, et al;
 
I've been working with Tarkan, and several others, on the issue of TLS 1.2, and installed the special TLS compile onto both my SmarterMail server, and the SmarterMail server of an insurance client last evening.
 
All tests indicate that TLS 1.2 is functioning properly with both SmarterMail servers which are running the TLS 1.2 compile and non-SmarterMail servers which support TLS 1.2.
 
Here are a few examples:
 
Test #1 - GMAIL.COM to CHICAGONETTECH.COM
 
Received: from mail-la0-f52.google.com (mail-la0-f52.google.com [209.85.215.52]) by securemail.chicagonettech.com with SMTP
    (version=TLS\Tls12
    cipher=Aes256 bits=256);
   Thu, 23 Jul 2015 14:49:13 -0500
 
 
Test #2 - SmarterMail with special build to CHICAGONETTECH.COM
 
Received: from mail.insuremart.net ( mail.insuremart.net [98.180.231.10]) by securemail.chicagonettech.com with SMTP
    (version=TLS\Tls12
    cipher=Aes256 bits=256);
   Wed, 22 Jul 2015 22:09:14 -0500
 
 
Test #3 - Non-SmarterMail [IETF.ORG] to CHICAGONETTECH.COM
 
Received: from mail.ietf.org (mail.ietf.org [4.31.198.44]) by securemail.chicagonettech.com with SMTP
    (version=TLS\Tls12
    cipher=Aes256 bits=256);
   Thu, 23 Jul 2015 06:10:51 -0500
 
 
Test #4 - Non-SmarterMail [GODADDY.COM - NON SECURE SERVER - through forwarder, as is now required by GoDaddy virtual servers running MX] to CHICAGONETTECH.COM
 
Received: from p3plsmtps2ded04.prod.phx3.secureserver.net (p3plsmtps2ded04.prod.phx3.secureserver.net [208.109.80.198]) by securemail.chicagonettech.com with SMTP;
   Thu, 23 Jul 2015 10:15:40 -0500
NO TLS WHATSOEVER
 
These same tests were conducted with many other servers, both TLS 1.2 and non-TLS 1.2, and all functioned without issues.
 
Thanks for getting the TLS 1.2 code into SmarterMail.  This is an important move forward in the never ending quest to provide the best possible security for all of our hosted customers and will help in both maintaining existing clients and bringing new customers to our base.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

Reply to Thread