6
TLSv1.3, HTTP/3 & QUIC for SmarterMail webmail
Question asked by Scarab - 12/13/2021 at 12:22 PM
Unanswered
In case anyone else was curious...you CAN run SmarterMail Enterprise webmail under TLSv1.3 with HTTP/3 using QUIC.

Requirements are Windows Server 2022 and the Enterprise version of SmarterMail. Please note that none of these are enabled by default in current builds of Windows Server 2022. Here are the steps that I took to get it to work:

Enable TLSv1.3
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f
Manually add the following Registry Keys
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
Enable HTTP/2 ALTSVC frames
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableAltSvc /t REG_DWORD /d 1 /f
Enable TLS_CHACHA20_POLY1305_SHA256 with the following Powershell cmd:
Enable-TlsCipherSuite -Name TLS_CHACHA20_POLY1305_SHA256 -Position 0
Verify QUIC traffic (443/UDP) is allowed on your server and on your network by Windows Defender Firewall
(Get-NetFirewallRule) | ?{ $_.DisplayName -eq "World Wide Web Services (QUIC Traffic-In)" }
If Get-NetFirwallRule provides no results, open up your firewall to allow QUIC traffic for Internet Information Services (IIS) [UDP 443]:
New-NetFirewallRule -DisplayName "Allow QUIC" -Direction Inbound -Protocol UDP -LocalPort 443 -Action Allow -LocalOnlyMapping $true
Add a Custom HTTP Response Header (important to add this at the global level in IIS, otherwise if done at the site level it will be overwritten upon installing the next SmarterMail update)
Name: alt-svc
Value: h3=":443";
If you have any network firewalls, you must allow UDP for destination port 443 for all traffic to your SmarterMail's IP Address. You may also have to disable UDPFLOOD if enabled.

After all of that you should be able to test it either in your browser DevTools (you may have to select the PROTOCOL column) or with a "curl --http3 https://yoursite.com -I". You can also use a third-party site such as https://www.http3check.net/ to verify that your SmarterMail webmail is being served with HTTP/3 using TLSv1.3 with QUIC enabled.

1 Reply

Reply to Thread
0
Zach Sylvester Replied
Employee Post
Hey Scarab, 

Thanks for sharing this information. This could be really helpful to other users. 

Thanks again, 
Zach Sylvester System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com

Reply to Thread