1
TLS Implementation question
Question asked by Kevin McNally - 3/1/2016 at 5:31 AM
Unanswered
This may seem like basic stuff, but I am trying to implement TLS and disable SSL 3 with as little impact as possible to our users.
 
Fortunately I have found a lot of the info I need in the forum (thanks to Bruce), but I have a couple of questions:
 
1. If we disable SSL 3, will this shut off access to our secure webmail https://samplemailserver.com?
2. If we disable SSL 3, will that cause any email clients connecting over SSL to stop working?
 
Thank you for your advice.
 
Kevin

4 Replies

0
Scarab Replied
Disabling SSL3 will affect users that are using outdated Operating Systems, Email Clients, or Web Browsers. WinXP & Outlook 2003 or before, and any Apple product prior to April 2014 would no longer be able to make secure connections to SmarterMail, either through webmail or through TLS Ports. They can still make insecure connections over Port 80 for webmail and Ports 110, 143, and 25/587 for POP/IMAP/SMTP just fine.
 
If you disable SSL3, any email clients that were previously configured to use Ports 993, 995, and 465 for POP/IMAP/SMTP will no longer work even if they are using a current OS or Email Client that supports TLS, although you *COULD* bind TLS to those Ports in SmarterMail settings to avoid the Tech Support headache of walking existing customers through changing their Email Client settings to Ports 110, 143, and 25/587.

Although Bruce may beg to differ, disabling SSL3 isn't as important as disabling outdated Cipher Suites (RC4 specifically, leaving AES as the last "secure" Cipher Suite under SSL). SSL3 is tombstoned to go away entirely by Q2 2017, so you would want to migrate eventually, preferably sooner rather than later, but if you have a large percentage of your client base that is still using MacOS X 10.5.7 "Leopard" or iOS 4 or earlier, or Android 3, or WinXP you may want to still offer SSL3 until you can notify clients encouraging them to upgrade their devices and provide them with a cut-off date.
0
Scarab Replied
tl;dr version:

If you don't have to maintain HIPAA, NIST, or PCI-DSS v3.1 Compliance on the server you are running SmarterMail on, you don't have to disable SSL3 yet (it is still "reasonably" secure and better than no security), but you will in a little over a year.
0
Kevin McNally Replied
Thank you for the detailed response. If I am to leave SSL 3 enabled for the time being, can I also enable TLS on the standard ports?
0
Scarab Replied
Yes, you would create a separate Binding for your standard ports 25, 110, 143, and 587 (You can name them SMTP-TLS, POP-TLS, IMAP-TLS, and SUBMISSION-TLS for example). So in the end you will have two Bindings for each standard port, one without TLS and one with TLS, but the ports will be the same.
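
To confirm from the client side that the bindings discussed in this thread behave as intended, the following added example (not code from the thread or from SmarterMail) connects to each port, using implicit TLS on 465/993/995 and STARTTLS on 25/587/143/110, and reports the protocol version negotiated. The host name `mail.example.com`, the `PORT_PLAN` table and the function names are assumptions made for illustration; the client context refuses anything below TLS 1.2, so it shows whether TLS is reachable on a port, not whether SSL 3 is still accepted.

```python
import imaplib
import poplib
import smtplib
import socket
import ssl

# Assumed mapping of the ports named in the thread to (protocol, upgrade mode).
PORT_PLAN = {
    465: ("smtp", "implicit"), 993: ("imap", "implicit"), 995: ("pop3", "implicit"),
    25: ("smtp", "starttls"), 587: ("smtp", "starttls"),
    143: ("imap", "starttls"), 110: ("pop3", "starttls"),
}


def make_context():
    """Certificate-verifying client context that refuses SSLv3, TLS 1.0 and 1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port, ctx, timeout=10):
    """Return the negotiated protocol (e.g. 'TLSv1.2') or 'FAILED: <reason>'."""
    proto, mode = PORT_PLAN[port]
    try:
        if mode == "implicit":  # TLS handshake starts immediately after connect
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    return tls.version()
        if proto == "smtp":
            with smtplib.SMTP(host, port, timeout=timeout) as conn:
                conn.starttls(context=ctx)  # raises if STARTTLS is not offered
                return conn.sock.version()
        if proto == "imap":
            with imaplib.IMAP4(host, port, timeout=timeout) as conn:
                conn.starttls(ssl_context=ctx)
                return conn.sock.version()
        conn = poplib.POP3(host, port, timeout=timeout)
        try:
            conn.stls(context=ctx)  # POP3 spelling of STARTTLS
            return conn.sock.version()
        finally:
            conn.close()
    except (OSError, smtplib.SMTPException, imaplib.IMAP4.error,
            poplib.error_proto) as exc:
        return f"FAILED: {exc}"


if __name__ == "__main__":
    for p in sorted(PORT_PLAN):  # mail.example.com is a placeholder host
        print(p, probe("mail.example.com", p, make_context()))
```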
