TLS 1.2 Enabled but hMailAdmin Fails to work

Use this forum if you want to discuss a problem or ask a question related to a hMailServer beta release.
VadaDosaIdly
Normal user
Posts: 32
Joined: 2020-05-26 16:03

TLS 1.2 Enabled but hMailAdmin Fails to work

Post by VadaDosaIdly » 2021-10-28 23:08

Hello,

With the latest beta release hMailServer 5.6.8 - Build 2574, I am unable to log in to hMailAdmin. The OS is Win 2016, and the hMailServer database is SQL Server 2016.
As per Microsoft, the following changes were made to the Windows registry. See the article https://support.microsoft.com/en-us/top ... 268bb10392.

Now, the registry has Client and Server subkeys for TLS 1.0, TLS 1.1 and TLS 1.2. Both the Client and Server subkeys have two DWORD entries, DisabledByDefault and Enabled, as shown below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
DWORD name: DisabledByDefault DWORD value: 0
DWORD name: Enabled DWORD value: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
DWORD name: DisabledByDefault DWORD value: 0
DWORD name: Enabled DWORD value: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
DWORD name: DisabledByDefault DWORD value: 0
DWORD name: Enabled DWORD value: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
DWORD name: DisabledByDefault DWORD value: 0
DWORD name: Enabled DWORD value: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
DWORD name: DisabledByDefault DWORD value: 1
DWORD name: Enabled DWORD value: 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
DWORD name: DisabledByDefault DWORD value: 1
DWORD name: Enabled DWORD value: 0


The two subkeys above for TLS 1.0 indicate that TLS 1.0 is disabled. However, this setting makes the hMailAdmin application fail to connect to SQL Server. It shows an SSL error.

Therefore, I have to enable TLS 1.0 to make hMailAdmin and SMTP work without failing. This is not good, as TLS 1.0 is considered less secure and can be a threat to security.

Does the beta release hMailServer 5.6.8 - Build 2574 work with TLS 1.0 disabled?

Both Database and hMailAdmin application run on same machine.
Any recommendation? What am I missing here?

mattg
Moderator
Posts: 21679
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by mattg » 2021-10-29 02:19

What exactly are you trying to achieve?

TLSv1.2 between the hMailserver and the database
Between hmailserver and mail clients
Between hMailserver and other mail servers??

Is this on your hMailserver machine?
Is this on client machines?


hMailserver uses OpenSSL rather than Microsoft's built-in SSL connectors, except for the database connection for MS SQL only.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

VadaDosaIdly
Normal user
Posts: 32
Joined: 2020-05-26 16:03

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by VadaDosaIdly » 2021-10-29 18:26

Let me explain.
I need to disable the weak protocol TLS 1.0 in the Windows SCHANNEL SecurityProviders settings and keep only the strongest protocol, TLS 1.2, enabled.

When I disable TLS 1.0 in the Windows registry, the SQL Server Management Studio client running on a remote machine is able to connect to the database on the server. Therefore, SQL Server accepts communications with TLS 1.0 turned off. However, the hMailAdmin and hMailServer applications running on the same server as the database fail to connect to SQL Server. The MS Outlook email client fails to connect and cannot send emails via SMTP or read emails via the IMAP service.

As per the release notes, beta release hMailServer 5.6.8 - Build 2574 supports the TLS 1.2 and 1.3 protocols, therefore my assumption is that the hMailAdmin and hMailServer applications should function even though TLS 1.0 is disabled on the server system. Is there a switch in the INI file that would force the hMailAdmin and hMailServer applications to use the TLS 1.2 protocol?

SorenR
Senior user
Posts: 5016
Joined: 2006-08-21 15:38
Location: Denmark

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by SorenR » 2021-10-29 20:13

VadaDosaIdly wrote:
2021-10-29 18:26
Let me explain.
I need to disable the weak protocol TLS 1.0 in the Windows SCHANNEL SecurityProviders settings and keep only the strongest protocol, TLS 1.2, enabled.

When I disable TLS 1.0 in the Windows registry, the SQL Server Management Studio client running on a remote machine is able to connect to the database on the server. Therefore, SQL Server accepts communications with TLS 1.0 turned off. However, the hMailAdmin and hMailServer applications running on the same server as the database fail to connect to SQL Server. The MS Outlook email client fails to connect and cannot send emails via SMTP or read emails via the IMAP service.

As per the release notes, beta release hMailServer 5.6.8 - Build 2574 supports the TLS 1.2 and 1.3 protocols, therefore my assumption is that the hMailAdmin and hMailServer applications should function even though TLS 1.0 is disabled on the server system. Is there a switch in the INI file that would force the hMailAdmin and hMailServer applications to use the TLS 1.2 protocol?
You did not read the hMailServer documentation at all? https://www.hmailserver.com/documentati ... e=overview

Not sure hMailServer supports TLS protocols on the database layer.

If you want TLS enabled for IMAP and SMTP configure it in hMailServer and add the certificate to hMailServer.

hMailServer do NOT! ... repeat ... NOT! look in the Windows Registry for ANYTHING! All things SSL/TLS is based on OpenSSL ONLY!

Think about it ... I have hMailServer running on a Windows Server 2003 R2 serving TLS1.3 to my clients on IMAP and SMTP. ;-)
Oh and I have a copy doing the same running on Windows XP SP3 ... Do Microsoft support TLS1.3 on Windows XP?
SørenR.

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
- Douglas Adams
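The point made in the reply above, that the TLS versions hMailServer's SMTP/IMAP/POP3 listeners offer come from OpenSSL and hMailServer's own settings rather than from the Windows registry, can be checked from the outside. The script below is an added example and is not code from the hMailServer project or from anyone in this thread. It opens a TLS session to a listener that hMailAdmin has set to SSL/TLS (implicit TLS, such as SMTP on 465 or IMAP on 993) once per protocol version and reports what was negotiated. The host name and ports are placeholders, and certificate validation is deliberately bypassed because the question is negotiation, not trust. One caveat: SslStream on Windows is itself an SChannel client, so a version that is disabled in the registry on the probing machine cannot be offered from it, and Windows Server 2016 has no TLS 1.3 in SChannel at all; probe TLS 1.3 with `openssl s_client -tls1_3 -connect host:465` from a non-Windows box. STARTTLS ports (143, 587) need the STARTTLS command first and are not covered here.

```powershell
# Added example, not hMailServer code. Probes an implicit-TLS listener once per
# TLS version and reports the negotiated protocol and cipher.
# Assumptions: $mailHost and $ports are placeholders; any server certificate
# is accepted because only protocol negotiation is being tested.

$mailHost = 'mail.example.com'     # placeholder: the hMailServer host
$ports    = [ordered]@{ 'SMTP 465' = 465; 'IMAP 993' = 993 }
$versions = [System.Security.Authentication.SslProtocols]::Tls,
            [System.Security.Authentication.SslProtocols]::Tls11,
            [System.Security.Authentication.SslProtocols]::Tls12

# Accept any server certificate; trust is not what this probe measures.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $cert, $chain, $errors) $true }

function Test-TlsVersion {
    param(
        [string]$Server,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Version
    )
    $result = [pscustomobject]@{ Port = $Port; Offered = $Version; Negotiated = $null; Cipher = $null; Error = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        # Offer exactly one version; a listener that does not allow it fails here
        # with a handshake error, which is the expected result for TLS 1.0 once
        # it is switched off in hMailAdmin.
        $ssl.AuthenticateAsClient($Server, $null, $Version, $false)
        $result.Negotiated = $ssl.SslProtocol
        $result.Cipher     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        $ssl.Close()
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
    return $result
}

$report = foreach ($name in $ports.Keys) {
    foreach ($v in $versions) { Test-TlsVersion -Server $mailHost -Port $ports[$name] -Version $v }
}
$report | Format-Table -AutoSize
```

Run it twice, once with the SCHANNEL TLS 1.0 keys enabled and once with them disabled: the rows for SMTP and IMAP do not change, which is the observable form of the statement that hMailServer's listeners never read those keys. The only thing that changes is whether the probing machine itself can still offer TLS 1.0.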

mattg
Moderator
Posts: 21679
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by mattg » 2021-10-30 03:50

MS SQL Server Database connections from hMailserver ver 5.7 can be TLSv1.2, I think
(But 5.7 is ALPHA and won't meet the criteria for whichever certification you are looking for)

hMailserver connecting to other mail clients uses the internal switches in hMailserver, not Windows registry keys

If you are looking to connect securely to a database using ver 5.6.8, you will need to use another database, either MySQL or PostgreSQL, which I think both use OpenSSL for connection security - again, no Windows registry entries matter.
VadaDosaIdly wrote:
2021-10-29 18:26
When I disable TLS 1.0 at windows registry, the SQL Server Management Studio client running on remote machine is able to connect with database on server. Therefore, SQL server accepting communcations when TLS 1.0 tured off. However, the hMailAdmin and hMailServer application running on same server of database is failing to connect with SQL server. MS Outlook email client is failing to connect and cannot send emails via SMTP and cannot read emails at IMAP services.
Not only do you have to turn off TLSv1.0, but you need to turn ON TLSv1.2, and depending on your OS, may also need to add TLSv1.2 as an option.

However NONE OF THIS should impact on hMailserver connecting to the SQL server database, except that the default SQL Server connector that ships with SQL Express doesn't do ANY encryption at all. You need to continue to use NO Database connection security if you use SQL Server with hMailserver.
VadaDosaIdly wrote:
2021-10-29 18:26
As per release notes, beta release hMailServer 5.6.8 - Build 2574 supports TLS 1.2 & 1.3 protocols therefore my assumption is hMailAdmin and hMailServer applications should function when though TLS 1.0 is disabled on the server system. Is there a switch for INI file that would force hMailAdmin and hMailServer applications to use TLS 1.2 protocol?
Supports those protocols for connections with mail clients and other servers, through internal switches in the admin GUI - completely unrelated to database connections.


But also, if the database is on the same machine as hMailserver, why would you need to encrypt the connection between hmailserver and the database? Do you also encrypt the file system where the hmailserver data directory sits?
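The registry keys listed in the first post, and the note in the reply above that TLS 1.0 has to be turned off and TLS 1.2 turned on in the same place, both come down to the same SCHANNEL\Protocols layout, so one script covers both. The script below is an added example and is not code from the hMailServer project or from anyone in this thread. It audits the Client and Server subkeys for TLS 1.0, 1.1 and 1.2 and, with -Apply, writes exactly the configuration the first post describes (TLS 1.0 off, TLS 1.1 and 1.2 on). It assumes Windows Server 2016 defaults (all three protocols enabled when no key exists), an elevated prompt, and a reboot afterwards, since SCHANNEL reads these keys at start-up. As the thread says, these keys only govern SChannel callers, which for hMailServer means the OLE DB provider used for SQL Server; the SMTP/IMAP/POP3 listeners use OpenSSL and do not read them.

```powershell
# Added example, not code from the hMailServer project or from the thread.
# Audits the SCHANNEL protocol keys and optionally applies the state from the
# first post. Assumptions: Windows Server 2016, elevated prompt, reboot after.
param(
    [switch]$Apply
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Target state taken from the first post: $true = enabled, $false = disabled.
$desired = [ordered]@{
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Get-SchannelState {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) {
        # No key at all means the OS default applies (all three on for 2016).
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; Enabled = $null; DisabledByDefault = $null; Effective = 'OS default' }
    }
    $props   = Get-ItemProperty -Path $key
    $enabled = $props.Enabled
    $dbd     = $props.DisabledByDefault
    # Enabled=0 turns the protocol off outright; DisabledByDefault=1 keeps it
    # available only to callers that request it explicitly.
    $effective = 'Enabled'
    if ($enabled -eq 0) { $effective = 'Disabled' }
    elseif ($dbd -eq 1) { $effective = 'Off unless requested' }
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; Enabled = $enabled; DisabledByDefault = $dbd; Effective = $effective }
}

function Set-SchannelProtocol {
    param([string]$Protocol, [bool]$Enable)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Both values are written so the state does not depend on an OS default.
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enable)        -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

if ($Apply) {
    foreach ($p in $desired.Keys) { Set-SchannelProtocol -Protocol $p -Enable $desired[$p] }
}

$report = foreach ($p in $desired.Keys) {
    foreach ($s in 'Client', 'Server') { Get-SchannelState -Protocol $p -Side $s }
}
$report | Format-Table -AutoSize
```

Run without -Apply first to see the current state; the 'OS default' rows are the ones that silently change meaning between Windows versions, which is why the script writes both DWORDs rather than only the one being changed. Setting 'TLS 1.1' to $false in $desired disables that version the same way, if the policy being followed requires it.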

VadaDosaIdly
Normal user
Posts: 32
Joined: 2020-05-26 16:03

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by VadaDosaIdly » 2021-10-30 04:58

Hello Soren and mattg,

I can see SSL certificate already added at hMailAdmin.
IMAP (143) and SMTP (465) ports are configured to use SSL added certificate.
Performed the diagnostic test and found no problem.
Both TLS 1.1 and TLS 1.2 are enabled.

When I disable TLS 1.0 by setting the registry keys as shown in the picture, I get the login error message shown below.

I do not need to encrypt connection between hmailserver and database. I do not know why hMailAdmin is looking for TLS path in first place.

[Attachments: error.png, Untitled.png]

mattg
Moderator
Posts: 21679
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by mattg » 2021-10-30 09:39

VadaDosaIdly wrote:
2021-10-30 04:58
I do not need to encrypt connection between hmailserver and database.
Then WHY are you playing with the registry entries?

VadaDosaIdly
Normal user
Posts: 32
Joined: 2020-05-26 16:03

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by VadaDosaIdly » 2021-10-30 22:24

Hello mattg,

Looks like you have read my first post. Security advisor recommends disabling TLS 1.0 at the operating system level. TLS 1.0 is now flagged as weaker protocol and can compromise network level security.
Please read articles here for your information https://blogs.windows.com/msedgedev/202 ... edge-ie11/.
Please see the Microsoft KB article here: https://support.microsoft.com/en-us/top ... 268bb10392.

Do you suggest any other alternative ways of disabling TLS 1.0?

mattg
Moderator
Posts: 21679
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by mattg » 2021-10-31 02:29

'Security advisor'...enough said.


As I've said already.
If you want to secure the connection between hMailserver and the database (using other than TLSv1.0), your options are
#1 Use a different database than MS SQL Server. The reason is that the connector supplied with MS SQL CE doesn't do TLSv1.2.
#2 Use an ALPHA version of hMailserver that does come with the connector.


I understand that the connections to both MySQL and PostgreSQL use OpenSSL libraries, and will work independently of the Windows registry changes that you have made.

What operating system is your hmailserver installed on?

VadaDosaIdly
Normal user
Posts: 32
Joined: 2020-05-26 16:03

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by VadaDosaIdly » 2021-11-04 03:21

Hello mattg,

Now, changing from MS SQL Server to another database is not possible. I need to make sure hMailServer works with MS SQL Server while TLS 1.0 is disabled.

I am not sure why you are saying the connector supplied with MS SQL CE doesn't do TLSv1.2. We are able to connect remotely from the MS SQL Server client application to the database server even though TLS 1.0 is disabled. I am damn sure MS SQL Server works fine with TLS 1.0 disabled.

Can you tell me the ALPHA version number?

OS is Windows 2016 Server & Database is MS SQL Server 2016

mattg
Moderator
Posts: 21679
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by mattg » 2021-11-04 05:54

https://build.hmailserver.com/

version is 5.7
Check the word 'success' then look in artifacts
VadaDosaIdly wrote:
2021-11-04 03:21
I am not sure why you are saying connector supplied with the MS SQL CE doesn't do TLSv1.2
hMailserver bundles MS SQL CE. The bundle that is included with the current (and I believe) Beta versions of hMailserver doesn't do TLSv1.2

I know that you can use TLSv1.2 with MS SQL CE, but not with the bundle included in hMailserver
You could use the hMailserver source, change the bundle that is included to a version that allows for TLSv1.2 and THEN build your own version of hMailserver - but that isn't for the faint of heart.

Much easier to use a hmailserver 5.7 version

Test if you can, and certainly backup first - it isn't that easy to go back to 5.6.8

VadaDosaIdly
Normal user
Posts: 32
Joined: 2020-05-26 16:03

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by VadaDosaIdly » 2021-11-06 23:44

TLS 1.0 is expiring worldwide soon, as it is a weak protocol and vulnerable to attacks.

Support for TLS 1.3 was added. See the change log notes for beta version 5.6.8 Build 2451: https://www.hmailserver.com/changelog?p ... build=2451

Does hMailServer use an ADODB or OLE DB driver, or something else, to connect to the MS SQL Server database?

SorenR
Senior user
Posts: 5016
Joined: 2006-08-21 15:38
Location: Denmark

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by SorenR » 2021-11-07 01:44

VadaDosaIdly wrote:
2021-11-06 23:44
Support for TLS 1.3 was added. See the change log notes for beta version 5.6.8 Build 2451: https://www.hmailserver.com/changelog?p ... build=2451
That's TLS 1.3 for SMTP, IMAP and POP3 based on OpenSSL 1.1.x
SørenR.

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
- Douglas Adams

SorenR
Senior user
Posts: 5016
Joined: 2006-08-21 15:38
Location: Denmark

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by SorenR » 2021-11-07 02:04

VadaDosaIdly wrote:
2021-11-06 23:44
Does hMailServer use an ADODB or OLE DB driver, or something else, to connect to the MS SQL Server database?
From the source it looks like ADODB.
SørenR.

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
- Douglas Adams

mattg
Moderator
Posts: 21679
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS 1.2 Enabled but hMailAdmin Fails to work

Post by mattg » 2021-11-07 03:53

VadaDosaIdly wrote:
2021-11-06 23:44
TLS 1.0 is expiring worldwide soon
No
VadaDosaIdly wrote:
2021-11-06 23:44
as it is a weak protocol and vulnerable to attacks.
Has been for a long time

But if you have a connection on a single machine between an application and a database, and someone can hack and decrypt this connection, then you already have much bigger issues.

AGAIN, turning the registry settings on or off does NOT IMPACT mail delivery, ONLY the connection between hMailserver (application) and the Microsoft SQL Server database. It does not affect connections to other databases, as they use OpenSSL-secured connections.

The 'problem' that you see only exists because the connector shipped with the MS SQL CE used as the default database by hMailServer only works with TLSv1.0.
Updating the ADODB drivers may work, but equally may not.
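The two facts the thread settles on are that hMailServer reaches SQL Server through ADODB (SorenR's reading of the source) and that whether updated drivers help is something only a test will show (the reply above). The script below is an added example and is not code from the hMailServer project or from anyone in this thread. It reproduces the database logon outside hMailAdmin by opening an ADODB connection with each OLE DB provider in turn, then asks SQL Server whether it sees the session as encrypted, so the failing provider can be identified and a replacement tried without touching hMailServer. It assumes a default instance on the same machine, a database named 'hMailServer', and Windows authentication for the test (hMailServer itself logs in with the SQL credentials from hMailServer.ini). The provider names are Microsoft's: SQLOLEDB (the legacy provider shipped with Windows), SQLNCLI11 (SQL Native Client 11) and MSOLEDBSQL (the separately installed OLE DB Driver for SQL Server). Because hMailServer 5.x is a 32-bit process, run this from the 32-bit PowerShell host (%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) so that it loads the same 32-bit providers hMailServer does.

```powershell
# Added example, not hMailServer code. Opens an ADODB connection to the
# hMailServer database with each OLE DB provider and reports the outcome.
# Assumptions: local default instance, database 'hMailServer', Windows auth.

$server    = 'localhost'
$database  = 'hMailServer'
$providers = 'SQLOLEDB', 'SQLNCLI11', 'MSOLEDBSQL'

function Test-OleDbProvider {
    param([string]$Provider)
    $result  = [pscustomobject]@{ Provider = $Provider; Opened = $false; EncryptOption = $null; Error = $null }
    $connStr = "Provider=$Provider;Data Source=$server;Initial Catalog=$database;Integrated Security=SSPI;"
    $conn    = New-Object -ComObject ADODB.Connection
    try {
        $conn.Open($connStr)
        $result.Opened = $true
        # encrypt_option is TRUE only when the whole data stream is TLS-wrapped.
        # With encryption off, TDS still wraps the LOGIN7 packet in TLS, which is
        # why a provider with no TLS version in common with the server fails at
        # logon even though the session is otherwise unencrypted.
        $rs = $conn.Execute('SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID')
        if (-not $rs.EOF) { $result.EncryptOption = [string]$rs.Fields.Item('encrypt_option').Value }
        $rs.Close()
    } catch {
        # The provider's own message, e.g. the 'SSL Security error' hMailAdmin shows.
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($conn.State -ne 0) { $conn.Close() }   # 0 = adStateClosed
    }
    return $result
}

$providers | ForEach-Object { Test-OleDbProvider -Provider $_ } | Format-Table -AutoSize
```

A provider that is not installed fails with a "Provider cannot be found" error rather than an SSL error, so the two cases are easy to tell apart in the Error column. A row that opens with TLS 1.0 disabled in SCHANNEL is a provider that can negotiate TLS 1.2 for the logon; whether hMailServer can be pointed at it is a separate question, which the thread leaves with the 5.7 builds or a rebuilt 5.6.8.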
