TLS <=1.1 - should we turn it off for Hmailserver?

jimimaseye
Moderator
Posts: 10060
Joined: 2011-09-08 17:48

TLS <=1.1 - should we turn it off for Hmailserver?

Post by jimimaseye » 2021-06-15 09:58

Yes.


[Attachment: Annotation 2021-06-15 085511.png]

Not a single email less than TLS1.2 received (by our O365 exchange) in 44k messages in this sampling. So disabling 1.1 and below for messages shouldn't pose any problems.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

ashtec014
Normal user
Posts: 234
Joined: 2019-09-05 11:56

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by ashtec014 » 2021-06-15 10:59

I have TLS versions 1.0, 1.1 and 1.2 checked on HMS 5.7
v1.3 is unticked.

- should I disable v1.0, v1.1 and enable v1.2 and v1.3?

jimimaseye
Moderator
Posts: 10060
Joined: 2011-09-08 17:48

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by jimimaseye » 2021-06-15 12:55

Certainly ensure 1.2 and 1.3 are ticked (if they are unticked they will never be used). Similarly, if you untick the unsafe <=1.1 then it prevents the unsafe connections. But going by my previous post, the genuine email server world seems to have adopted 1.2 anyway.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by palinka » 2021-06-15 13:08

But there's that one server in Timbuktu that hasn't upgraded anything since 2002 and yet refuses to die. Could be the monk energy and positive vibes keeping it going (spam free, of course).

tunis
Senior user
Posts: 351
Joined: 2015-01-05 20:22
Location: Sweden

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by tunis » 2021-06-15 13:09

Here are my numbers for May.

Code:

Count Name   
----- ----   
22076 TLSv1.2
 2901 TLSv1.3
  171 TLSv1  
    2 TLSv1.1
HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.9 B2641.67 on Windows Server 2016 Core VM.

mattg
Moderator
Posts: 22437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by mattg » 2021-06-15 13:28

I disabled TLS <=1.1 on 31 October 2018

viewtopic.php?f=10&t=33242&p=207674
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jim.bus
Senior user
Posts: 1571
Joined: 2011-05-28 11:49
Location: US

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by jim.bus » 2021-06-16 06:46

This has been a question for me for quite some time.

What value is there in disabling TLS 1.0 or 1.1?

Yes, I know they are insecure and subject to hacks, but is no security preferable to the insecure TLS 1.0 or 1.1? On the surface one would think that any level of security would be better than no security, even if that security is hackable. So, unless TLS 1.0 or 1.1 causes less security than no security, why would one want to disable it? And as palinka points out, there is that one server which only uses TLS 1.0 or 1.1 and doesn't support TLS 1.2 or 1.3.

I do know that hMailServer can currently only support, I believe, 4 versions of security in Version 5.6.8-B2538: TLS 1.0, 1.1, 1.2, and 1.3. So by disabling TLS 1.0 and 1.1 that would make way for 2 future levels of security encryption, but that could be changed when that future level of security becomes available.
If you think you understand quantum mechanics, you don't understand quantum mechanics.

jimimaseye
Moderator
Posts: 10060
Joined: 2011-09-08 17:48

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by jimimaseye » 2021-06-16 08:45

jim.bus wrote:
2021-06-16 06:46
What value is there in disabling TLS 1.0 or 1.1?
Consider mattg's observation in his thread:
I've also found that my POP3 External Downloads use TLSv1.0 if it is available, but switch up to TLSv1.2 if that is all that is available. Perhaps hmailserver should try the strongest encryption first
[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

jim.bus
Senior user
Posts: 1571
Joined: 2011-05-28 11:49
Location: US

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by jim.bus » 2021-06-16 10:21

jimimaseye wrote:
2021-06-16 08:45
jim.bus wrote:
2021-06-16 06:46
What value is there in disabling TLS 1.0 or 1.1?
Consider mattg's observation in his thread:
I've also found that my POP3 External Downloads use TLSv1.0 if it is available, but switch up to TLSv1.2 if that is all that is available. Perhaps hmailserver should try the strongest encryption first
[Entered by mobile. Excuse my spelling.]
I don't do External POP3 downloads so I cannot say how that works for my installation. I do use Outlook Microsoft 365 which supposedly is only supporting TLSv1.2 with TLSv1.2 supposedly deprecated in October 2020. I normally support all TLS versions in my hMailServer installation.

I temporarily disabled TLSv1.3 and TLSv1.2 and did an Outlook Microsoft 365 Send/Receive from my hMailServer installation. I found that the SSL/TLS handshake on Port 995 completed with TLSv1.1 chosen for the Send/Receive operation. Apparently hMailServer 5.6.8-B2538 selected the highest enabled TLS version, 1.1, and ignored the TLSv1.0 version that was enabled. Now it seems strange that Outlook was still supporting TLSv1.1, since Microsoft states it deprecated it and TLSv1.0 globally (I believe that was the term used) in October 2020, but nevertheless hMailServer apparently selected the highest internal POP3 TLS version hMailServer offered (enabled) and that Outlook must still be supporting. Since TLSv1.0 and v1.1 were deprecated I would have thought the connection would have been made without any encryption, since supposedly Outlook was only using TLSv1.2 and hMailServer had TLSv1.2 disabled.

Could mattg's observation possibly have to do with the External POP3 'Client' controlling what TLS version was used? Doesn't hMailServer just offer the highest TLS version that hMailServer has in common with what the External POP3 'Client' offers? In other words, could it have been the External 'Client' which decided what TLS version was used, because it decided to only offer TLSv1.1? I'm not sure of this, but doesn't the Cipher Suite also have some part in what TLS Version is used as well? I'm just speculating here because you guys all know more about security protocol selections than I do.

Plus, mattg's observations in his thread were from 2018 and my version of hMailServer build was later than 2018, though it is, of course, possible the methodology used to choose the encryption protocol versions may not have changed since 2018.
If you think you understand quantum mechanics, you don't understand quantum mechanics.
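The version-selection question jim.bus raises (who decides: the client's offer or the server's enabled list?) as an added example; this is not code from any poster or from hMailServer itself. It models the two rules TLS uses: before 1.3, ClientHello carries a single client_version (the client's maximum) and the server answers with its highest enabled version at or below it; with the TLS 1.3 supported_versions extension the client lists every version it accepts and the server picks its highest enabled one from that list. The connect_with_retries function is a hypothetical client that tries one client_version after another, which is one way to produce the pattern mattg described (TLSv1.0 used when available, TLSv1.2 when that is all the remote offers); it is an assumption about a possible client, not a description of how hMailServer's external account download works.

```python
# Ordered from oldest to newest; "higher" below means later in this list.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def _rank(version):
    return TLS_ORDER.index(version)


def negotiate_legacy(client_version, server_enabled):
    """Pre-TLS-1.3 rule: ClientHello carries one client_version, the highest
    the client will accept. The server answers with its highest enabled
    version that is not above it, or aborts (hMailServer logs this as
    'unsupported protocol') when nothing enabled is low enough."""
    candidates = [v for v in server_enabled if _rank(v) <= _rank(client_version)]
    return max(candidates, key=_rank) if candidates else None


def negotiate_supported_versions(client_list, server_enabled):
    """TLS 1.3 rule (supported_versions extension): the client lists every
    version it accepts and the server picks its highest enabled one from that
    list. The client still controls the offer: one that lists only TLSv1.1
    gets TLSv1.1 even when the server has 1.2 and 1.3 enabled."""
    common = set(client_list) & set(server_enabled)
    return max(common, key=_rank) if common else None


def connect_with_retries(try_order, remote_enabled):
    """Hypothetical client (an assumption, not hMailServer's actual fetch code):
    attempt the legacy handshake with each client_version in try_order and keep
    the first that succeeds. Trying TLSv1 before TLSv1.2 reproduces the pattern
    mattg described; reversing the order is 'try the strongest first'."""
    for client_version in try_order:
        chosen = negotiate_legacy(client_version, remote_enabled)
        if chosen is not None:
            return chosen
    return None


def scenarios():
    """Constructed scenarios taken from this thread; returns {label: version or None}."""
    return {
        # jim.bus: only 1.0/1.1 enabled on the server, Outlook still offers up to 1.2
        "jim.bus test, port 995": negotiate_legacy("TLSv1.2", {"TLSv1", "TLSv1.1"}),
        # a client whose maximum is TLSv1.0 against a server that has 1.0 switched off
        "TLS1.0-only client after disabling 1.0": negotiate_legacy(
            "TLSv1", {"TLSv1.1", "TLSv1.2", "TLSv1.3"}),
        # modern pair: both accept 1.2 and 1.3, the highest common version wins
        "1.3-capable pair": negotiate_supported_versions(
            {"TLSv1.2", "TLSv1.3"}, {"TLSv1.2", "TLSv1.3"}),
        # mattg's download pattern: weakest first, climb only when refused
        "fetch weakest first, remote has 1.0": connect_with_retries(
            ["TLSv1", "TLSv1.2"], {"TLSv1", "TLSv1.2"}),
        "fetch weakest first, remote 1.2 only": connect_with_retries(
            ["TLSv1", "TLSv1.2"], {"TLSv1.2"}),
        "fetch strongest first, remote has 1.0": connect_with_retries(
            ["TLSv1.2", "TLSv1"], {"TLSv1", "TLSv1.2"}),
    }


if __name__ == "__main__":
    for label, version in scenarios().items():
        print(f"{label}: {version or 'handshake fails (unsupported protocol)'}")
```

The first scenario gives TLSv1.1, which is what jim.bus saw: the server picks the highest version it still has enabled from what the client offers, so disabling 1.2 and 1.3 on the server side silently drops a 1.2-capable client down to 1.1 rather than refusing it. The second gives no version at all, which is the "unsupported protocol" outcome once 1.0 is switched off against a client whose maximum is 1.0.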

skrzat
Normal user
Posts: 39
Joined: 2009-08-17 08:57

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by skrzat » 2021-07-19 10:39

tunis wrote:
2021-06-15 13:09
Here are my numbers for May.

Code:

Count Name   
----- ----   
22076 TLSv1.2
 2901 TLSv1.3
  171 TLSv1  
    2 TLSv1.1
How to get such statistics?

tunis
Senior user
Posts: 351
Joined: 2015-01-05 20:22
Location: Sweden

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by tunis » 2021-07-19 12:44

skrzat wrote:
2021-07-19 10:39
tunis wrote:
2021-06-15 13:09
Here are my numbers for May.

Code:

Count Name   
----- ----   
22076 TLSv1.2
 2901 TLSv1.3
  171 TLSv1  
    2 TLSv1.1
How to get such statistics?
PowerShell script.

Code:

<# 
    hMailserver Cipher log analyzer
    
    script: hmscla.ps1
    version: 0.1.0
    update: 19-08-12
    code: Andreas Tunberg
#>

# Folder to scan for log files (the folder this script lives in)
$path = $PSScriptRoot

# Results are appended to this file in the current working directory
$resultatfile = "cipher-analys.txt"

$version = @()   # one entry per completed handshake: protocol version
$cipher = @()    # one entry per completed handshake: cipher suite
$both = @()      # version and cipher combined
$x = 0           # number of log files processed

# Process every hmailserver_<date>.log file below $path
Get-ChildItem $path -Recurse | Where-Object { $_.Extension -eq ".log" -and $_.Name -match "^hmailserver_[0-9]" } | ForEach-Object {
    Write-Host $_.FullName
    $x++
    $content = Get-Content $_.FullName

    foreach ($line in $content) {
        # Log columns are tab separated: level, thread id, timestamp, message
        $col = $line.Split("`t")
        if ($col[3] -match '"TCPConnection - TLS/SSL handshake completed.') {
            # Message fields are comma separated: session id, remote IP, version, cipher
            $row = $col[3].Split(",")
            $v = $row[2].Replace(" Version: ", "")
            $c = $row[3].Replace(" Cipher: ", "")
            $version += $v
            $cipher += $c
            $both += "$v $c"
        }
    }
}

# Count occurrences, most frequent first
$versions = $version | Group-Object | Select-Object Count, Name | Sort-Object -Property Count, Name -Descending
$ciphers = $cipher | Group-Object | Select-Object Count, Name | Sort-Object -Property Count, Name -Descending
$total = $both | Group-Object | Select-Object Count, Name | Sort-Object -Property Count, Name -Descending

# Append a timestamped report to the result file
Get-Date -Format "yyyy-MM-dd HH:mm" >> $resultatfile
Write-Output "$x logfiles processed`n" >> $resultatfile
Write-Output "Versions" >> $resultatfile
Write-Output $versions >> $resultatfile
Write-Output "Ciphers" >> $resultatfile
Write-Output $ciphers >> $resultatfile
Write-Output "Both" >> $resultatfile
Write-Output $total >> $resultatfile
HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.9 B2641.67 on Windows Server 2016 Core VM.

ashtec014
Normal user
Posts: 234
Joined: 2019-09-05 11:56

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by ashtec014 » 2021-08-01 18:24

Hi, just to share with you that when I tried to disable TLS 1.0 on HMS 5.7, users who are trying to connect using Outlook 2013 on Windows 7 are unable to connect to HMS, and according to my logs it is an unsupported protocol. I know that it is recommended to turn off TLS 1.0 as it is already deprecated and prone to attacks, but issues like this force some users to upgrade. No issues when connecting using Thunderbird.

Here's the sample logs:

Code:

"DEBUG"	12748	"2021-08-01 10:41:24.478"	"TCP connection started for session 832"
"DEBUG"	12748	"2021-08-01 10:41:24.478"	"Performing SSL/TLS handshake for session 832. Verify certificate: False"
"TCPIP"	12748	"2021-08-01 10:41:24.478"	"TCPConnection - TLS/SSL handshake failed. Session Id: 832, Remote IP: 61.253.75.10, Error code: 337678594, Message: unsupported protocol"
"DEBUG"	12748	"2021-08-01 10:41:24.478"	"Ending session 832"
"DEBUG"	12748	"2021-08-01 10:41:24.796"	"Pre-creating session 834"
"TCPIP"	12748	"2021-08-01 10:41:24.796"	"TCP - 61.253.75.10 connected to 200.0.0.8:993."
"DEBUG"	12748	"2021-08-01 10:41:24.796"	"Executing event OnClientConnect"
"DEBUG"	12748	"2021-08-01 10:41:25.217"	"Event completed"
"DEBUG"	12748	"2021-08-01 10:41:25.233"	"TCP connection started for session 833"
"DEBUG"	12748	"2021-08-01 10:41:25.233"	"Performing SSL/TLS handshake for session 833. Verify certificate: False"
"TCPIP"	12748	"2021-08-01 10:41:25.233"	"TCPConnection - TLS/SSL handshake failed. Session Id: 833, Remote IP: 61.253.75.10, Error code: 337678594, Message: unsupported protocol"

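Added example, not part of any post in this thread and not hMailServer's or tunis's code: a Python counterpart of tunis's PowerShell log counter that also picks up the "TLS/SSL handshake failed ... unsupported protocol" lines ashtec014 posted. One pass over the logs then gives both the version and cipher inventory worth checking before TLS 1.0/1.1 are switched off and the list of remote addresses being rejected afterwards, which is the check a practitioner wants before and after the change. The sample lines are constructed: the failed lines follow the format quoted in this thread, and the completed lines are assumed to read "..., Version: X, Cipher: Y" as tunis's script expects; the addresses are RFC 5737 documentation ranges, and hmailserver_example.log-style file reading is left to the caller (pass any iterable of lines).

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# hMailServer log lines are tab separated: "LEVEL" <TAB> thread <TAB> "timestamp" <TAB> "message".
# FAILED_RE follows the lines quoted in this thread; COMPLETED_RE assumes the
# ", Version: X, Cipher: Y" layout that tunis's PowerShell script splits on.
COMPLETED_RE = re.compile(
    r"TLS/SSL handshake completed\. Session Id: (?P<sid>\d+), "
    r"Remote IP: (?P<ip>[0-9A-Fa-f.:]+), Version: (?P<version>[^,\s]+), Cipher: (?P<cipher>[^,\s]+)"
)
FAILED_RE = re.compile(
    r"TLS/SSL handshake failed\. Session Id: (?P<sid>\d+), "
    r"Remote IP: (?P<ip>[0-9A-Fa-f.:]+), Error code: (?P<code>\d+), Message: (?P<msg>.+)$"
)
# Versions that should be absent from the inventory before they are disabled
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class TlsStats:
    versions: Counter = field(default_factory=Counter)
    ciphers: Counter = field(default_factory=Counter)
    versions_by_ip: dict = field(default_factory=dict)   # ip -> set of versions seen
    failures: Counter = field(default_factory=Counter)   # (ip, message) -> count


def message_field(line):
    """Return the unquoted message column of one log line, or None if malformed."""
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) < 4:
        return None
    return cols[3].strip('"')


def parse_handshakes(lines):
    """Tally completed handshakes by version/cipher and failed ones by (ip, reason)."""
    stats = TlsStats()
    for line in lines:
        msg = message_field(line)
        if msg is None:
            continue
        m = COMPLETED_RE.search(msg)
        if m:
            stats.versions[m["version"]] += 1
            stats.ciphers[m["cipher"]] += 1
            stats.versions_by_ip.setdefault(m["ip"], set()).add(m["version"])
            continue
        m = FAILED_RE.search(msg)
        if m:
            stats.failures[(m["ip"], m["msg"])] += 1
    return stats


def clients_needing_attention(stats):
    """Addresses still negotiating legacy versions, and addresses already refused."""
    legacy = {ip for ip, seen in stats.versions_by_ip.items() if seen & LEGACY_VERSIONS}
    rejected = {ip for (ip, msg) in stats.failures if msg == "unsupported protocol"}
    return {"legacy_tls": legacy, "rejected": rejected}


def report(stats):
    """Render the counters in the 'Count Name' layout tunis posted."""
    out = []
    for title, counter in (("Versions", stats.versions), ("Ciphers", stats.ciphers)):
        out += [title, "Count Name", "----- ----"]
        out += [f"{count:>5} {name}" for name, count in counter.most_common()]
        out.append("")
    attention = clients_needing_attention(stats)
    out.append(f"Legacy-TLS clients: {sorted(attention['legacy_tls'])}")
    out.append(f"Rejected (unsupported protocol): {sorted(attention['rejected'])}")
    return "\n".join(out)


# --- constructed sample input ---------------------------------------------
def _log_line(level, msg, thread="12748", ts="2021-08-01 10:41:24.478"):
    return "\t".join([f'"{level}"', thread, f'"{ts}"', f'"{msg}"'])


def _completed(sid, ip, version, cipher):
    return _log_line("TCPIP", f"TCPConnection - TLS/SSL handshake completed. Session Id: {sid}, "
                     f"Remote IP: {ip}, Version: {version}, Cipher: {cipher}")


def _failed(sid, ip, msg="unsupported protocol", code="337678594"):
    return _log_line("TCPIP", f"TCPConnection - TLS/SSL handshake failed. Session Id: {sid}, "
                     f"Remote IP: {ip}, Error code: {code}, Message: {msg}")


SAMPLE_LOG = [
    _log_line("DEBUG", "TCP connection started for session 101"),
    _completed(101, "192.0.2.10", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    _completed(102, "192.0.2.11", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    _completed(103, "192.0.2.12", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    _completed(104, "192.0.2.20", "TLSv1", "AES256-SHA"),
    _failed(105, "198.51.100.7"),
    _completed(106, "192.0.2.10", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    _failed(107, "198.51.100.7"),
]

if __name__ == "__main__":
    print(report(parse_handshakes(SAMPLE_LOG)))
```

Run it over real files with `parse_handshakes(open(path, encoding="utf-8"))` for each hmailserver_*.log. The "legacy_tls" set is the list to chase before disabling 1.0/1.1 (tunis's 171 TLSv1 connections in May would show up here as addresses), and the "rejected" set is what ashtec014's Outlook 2013 users look like after the change, so the same report serves both the before and the after check.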
johang
Senior user
Posts: 1128
Joined: 2008-09-01 09:20

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by johang » 2021-08-02 08:59

ashtec014 wrote:
2021-08-01 18:24
Hi, just to share with you that when I tried to disable TLS 1.0 on HMS 5.7, users who are trying to connect using Outlook 2013 on Windows 7 are unable to connect to HMS, and according to my logs it is an unsupported protocol. I know that it is recommended to turn off TLS 1.0 as it is already deprecated and prone to attacks, but issues like this force some users to upgrade. No issues when connecting using Thunderbird.

Here's the sample logs:

Code:

"DEBUG"	12748	"2021-08-01 10:41:24.478"	"TCP connection started for session 832"
"DEBUG"	12748	"2021-08-01 10:41:24.478"	"Performing SSL/TLS handshake for session 832. Verify certificate: False"
"TCPIP"	12748	"2021-08-01 10:41:24.478"	"TCPConnection - TLS/SSL handshake failed. Session Id: 832, Remote IP: 61.253.75.10, Error code: 337678594, Message: unsupported protocol"
"DEBUG"	12748	"2021-08-01 10:41:24.478"	"Ending session 832"
"DEBUG"	12748	"2021-08-01 10:41:24.796"	"Pre-creating session 834"
"TCPIP"	12748	"2021-08-01 10:41:24.796"	"TCP - 61.253.75.10 connected to 200.0.0.8:993."
"DEBUG"	12748	"2021-08-01 10:41:24.796"	"Executing event OnClientConnect"
"DEBUG"	12748	"2021-08-01 10:41:25.217"	"Event completed"
"DEBUG"	12748	"2021-08-01 10:41:25.233"	"TCP connection started for session 833"
"DEBUG"	12748	"2021-08-01 10:41:25.233"	"Performing SSL/TLS handshake for session 833. Verify certificate: False"
"TCPIP"	12748	"2021-08-01 10:41:25.233"	"TCPConnection - TLS/SSL handshake failed. Session Id: 833, Remote IP: 61.253.75.10, Error code: 337678594, Message: unsupported protocol"
Outlook 2013 for Windows issued an update in 2015 to add TLS 1.2 support: https://docs.microsoft.com/en-us/office ... pdates-msi
lets cheat darwin out of his legacy, find a cure for cancer...

jim.bus
Senior user
Posts: 1571
Joined: 2011-05-28 11:49
Location: US

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by jim.bus » 2021-08-02 10:02

As I stated earlier, supposedly Microsoft has deprecated all TLS support except for TLSv1.2 from Outlook as of October 2020. But yet in my Outlook Microsoft 365, I did find I could still use lower versions of TLS.
If you think you understand quantum mechanics, you don't understand quantum mechanics.

mattg
Moderator
Posts: 22437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: TLS <=1.1 - should we turn it off for Hmailserver?

Post by mattg » 2021-08-03 01:10

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
