Require SSL/TLS for authentication

Forum for things that don't really have anything to do with hMailServer, such as php.ini, beer, etc.

RvdH
Senior user
Posts: 1684
Joined: 2008-06-27 14:42
Location: Netherlands

Require SSL/TLS for authentication

Post by RvdH » 2021-09-15 09:32

Being 2021 and all that, TLS 1.0 and TLS 1.1 should be disabled by now.
Besides that I am wondering how many of you enabled "Require SSL/TLS for authentication" on the "Internet" IP range within hMailServer or do most of you still accept authentication without SSL/TLS?

I think we still have some clients (@work hMailServer instance) that authenticate without using SSL/TLS, mainly on ports 587 and 110 (both being STARTTLS optional).

SMTP 25 (AUTH disabled)
POP 110 (STARTTLS optional)
IMAP 143 (Entirely closed from outside, only webmail uses this, i.e. it listens on 127.0.0.1)
SMTP 465 (SSL/TLS)
SMTP 587 (STARTTLS optional)
IMAP 993 (SSL/TLS)
POP 995 (SSL/TLS)

Should I just turn the switch? Or do you notify clients without SSL/TLS? How do you monitor clients without SSL/TLS?
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
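One way to answer the "should I just turn the switch?" question before touching production is to probe the submission port the way a client would. The following is an added example written for this thread, not hMailServer code: it parses the EHLO capability list before and after STARTTLS and records how the server answers an AUTH PLAIN attempt on the unencrypted session. The EHLO replies embedded below are constructed, the hostname mail.example.net is assumed, and the reply codes 530/538 are the RFC 3207 / RFC 4954 "encrypt first" answers. The point of the AUTH attempt is that some servers still advertise AUTH on a plaintext session and only reject it when tried, so checking the advertisement alone is not enough.

```python
"""Probe whether an SMTP submission port accepts AUTH on an unencrypted session.

Added example, not part of hMailServer. Sample EHLO replies are constructed;
mail.example.net is an assumed hostname.
"""
import base64
import smtplib
import ssl

# Reply codes meaning "issue STARTTLS before AUTH" (RFC 3207 530, RFC 4954 538).
TLS_REQUIRED_CODES = {530, 538}

# Constructed EHLO replies in the byte layout smtplib.ehlo() returns
# (first line is the server greeting, one capability per further line).
EHLO_OPEN = b"mail.example.net\nSIZE 20480000\nSTARTTLS\nAUTH LOGIN PLAIN\nHELP"
EHLO_STRICT = b"mail.example.net\nSIZE 20480000\nSTARTTLS\nHELP"
EHLO_AFTER_TLS = b"mail.example.net\nSIZE 20480000\nAUTH LOGIN PLAIN\nHELP"


def parse_ehlo(reply):
    """Turn an EHLO reply (bytes) into {keyword: [params]}.

    The greeting line is skipped; keywords are lower-cased to match the keys
    smtplib keeps in SMTP.esmtp_features.
    """
    caps = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        parts = line.strip().split()
        if parts:
            caps[parts[0].lower()] = parts[1:]
    return caps


def assess(before_tls, after_tls, plaintext_auth_code=None):
    """Summarise what the server offered before and after STARTTLS.

    before_tls / after_tls: capability dicts (only the keys matter, so either
    parse_ehlo() output or smtplib's esmtp_features works). after_tls is empty
    when STARTTLS was not offered. plaintext_auth_code is the reply code to an
    AUTH attempt made on the unencrypted session, or None if none was made.
    """
    advertised_plain = "auth" in before_tls
    refused_plain = plaintext_auth_code in TLS_REQUIRED_CODES
    return {
        "starttls_offered": "starttls" in before_tls,
        "auth_advertised_plaintext": advertised_plain,
        "auth_offered_after_tls": "auth" in after_tls,
        # Plaintext auth is only really possible if AUTH was advertised AND the
        # server processed the attempt (e.g. 535) instead of demanding STARTTLS.
        "accepts_plaintext_auth": advertised_plain and not refused_plain,
    }


def require_tls_enforced(report):
    """True when the port behaves as 'Require SSL/TLS for authentication' intends."""
    return (report["starttls_offered"]
            and report["auth_offered_after_tls"]
            and not report["accepts_plaintext_auth"])


def probe(host, port=587, timeout=10):
    """Live network probe against an assumed host/port.

    Sends EHLO, tries AUTH PLAIN with a throwaway identity (never real
    credentials: a 535 on the plaintext session already proves the server
    checks passwords without encryption), then STARTTLS and EHLO again.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        plain_code = None
        if "auth" in before:
            dummy = base64.b64encode(b"\0probe@invalid\0not-a-password").decode()
            plain_code, _ = smtp.docmd("AUTH", "PLAIN " + dummy)
        after = {}
        if "starttls" in before:
            smtp.starttls(context=ctx)
            smtp.ehlo()
            after = dict(smtp.esmtp_features)
    return assess(before, after, plain_code)


if __name__ == "__main__":
    # Offline demonstration on the constructed replies; run probe() for a real host.
    open_port = assess(parse_ehlo(EHLO_OPEN), parse_ehlo(EHLO_AFTER_TLS), 535)
    strict_port = assess(parse_ehlo(EHLO_STRICT), parse_ehlo(EHLO_AFTER_TLS))
    print("AUTH advertised on plaintext, 535 returned:", require_tls_enforced(open_port))
    print("AUTH only after STARTTLS:", require_tls_enforced(strict_port))
```

Run `probe("mail.example.net", 587)` against your own server from outside the LAN; the same call with port 110 swapped for a POP3 equivalent is left out because smtplib does not speak POP3, but the logic (is a password accepted before STLS?) is identical.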

jimimaseye
Moderator
Posts: 9236
Joined: 2011-09-08 17:48

Re: Require SSL/TLS for authentication

Post by jimimaseye » 2021-09-15 11:36

How do you monitor clients without SSL/TLS?
My short answer:

Switch it off, wait for the complaints, count them. 8)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

palinka
Senior user
Posts: 2983
Joined: 2017-09-12 17:57

Re: Require SSL/TLS for authentication

Post by palinka » 2021-09-15 12:07

jimimaseye wrote:
2021-09-15 11:36
How do you monitor clients without SSL/TLS?
My short answer:

Switch it off, wait for the complaints, count them. 8)
^ this.

I think Soren has a method of capturing what you're looking for using regex on the received header by looking at SMTPS, ESMTPS, etc.
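The Received-header approach mentioned above works because RFC 3848 defines the "with" keyword: the trailing "S" (ESMTPS, SMTPS) means the session was TLS-protected and the trailing "A" (ESMTPA, ESMTPSA) means the client authenticated, so an authenticated session without the "S" is exactly a client that logged in in the clear. The following is an added example, not hMailServer's or SorenR's code: it parses a batch of Received headers, flags authenticated sessions that were unencrypted or used TLS 1.0/1.1, and groups them by client IP. The headers are constructed; the optional "(version=... cipher=...)" clause is the style some MTAs append and is parsed only when present, since the exact header layout varies by server.

```python
"""Find clients that authenticated without TLS (or with legacy TLS) from Received headers.

Added example; not code from hMailServer or anyone in this thread. Sample
headers are constructed. Keyword semantics follow RFC 3848 ("with ESMTPSA":
S = TLS, A = authenticated).
"""
import re
from collections import defaultdict

# "with ESMTP", "with ESMTPA", "with ESMTPS", "with ESMTPSA", "with SMTPS", ...
WITH_RE = re.compile(
    r"\bwith\s+(?P<proto>(?:UTF8)?E?SMTP|LMTP)(?P<tls>S?)(?P<auth>A?)\b", re.I)
# "from host (name [ip])" / "from host ([ip])": IP is taken from the bracketed literal.
FROM_RE = re.compile(
    r"\bfrom\s+(?P<host>\S+)(?:\s*\([^)]*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?", re.I)
# Optional TLS detail some MTAs append, e.g. "(version=TLSv1.2 cipher=... bits=256)".
TLS_VER_RE = re.compile(r"\bversion=(?P<ver>TLSv1(?:\.[0-3])?)\b")
LEGACY_TLS = {"TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed sample headers (not captured from a real server).
SAMPLE_HEADERS = [
    "Received: from laptop.example.lan (office.example.com [203.0.113.7])\n"
    "\tby mail.example.net with ESMTPA id abc123; Wed, 15 Sep 2021 09:32:00 +0200",
    "Received: from phone.example.lan (cust.example.org [198.51.100.23])\n"
    "\tby mail.example.net with ESMTPSA (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)\n"
    "\tid abc124; Wed, 15 Sep 2021 09:33:00 +0200",
    "Received: from old-pc.example.lan (dsl.example.org [198.51.100.99])\n"
    "\tby mail.example.net with ESMTPSA (version=TLSv1 cipher=AES256-SHA bits=256)\n"
    "\tid abc125; Wed, 15 Sep 2021 09:34:00 +0200",
    # Inbound port-25 mail from another MX: unencrypted but not authenticated,
    # so there is nothing for "Require SSL/TLS for authentication" to enforce.
    "Received: from mx.sender.example (mx.sender.example [192.0.2.10])\n"
    "\tby mail.example.net with ESMTP id def456; Wed, 15 Sep 2021 09:35:00 +0200",
]


def parse_received(header):
    """Return a dict describing one Received header, or None if it has no 'with' clause."""
    flat = " ".join(header.split())  # unfold continuation lines
    with_m = WITH_RE.search(flat)
    if not with_m:
        return None
    from_m = FROM_RE.search(flat)
    ver_m = TLS_VER_RE.search(flat)
    return {
        "host": from_m.group("host") if from_m else None,
        "ip": from_m.group("ip") if from_m else None,
        "encrypted": bool(with_m.group("tls")),
        "authenticated": bool(with_m.group("auth")),
        "tls_version": ver_m.group("ver") if ver_m else None,
    }


def audit(headers):
    """List (ip, reason) for every authenticated session that should worry you."""
    findings = []
    for header in headers:
        rec = parse_received(header)
        if not rec or not rec["authenticated"]:
            continue  # not a client submission; skip
        if not rec["encrypted"]:
            findings.append((rec["ip"], "authenticated without TLS"))
        elif rec["tls_version"] in LEGACY_TLS:
            findings.append((rec["ip"], "authenticated over legacy " + rec["tls_version"]))
    return findings


def by_client(headers):
    """Group audit findings by client IP: the list to notify before flipping the switch."""
    grouped = defaultdict(list)
    for ip, reason in audit(headers):
        grouped[ip].append(reason)
    return dict(grouped)


if __name__ == "__main__":
    for ip, reasons in by_client(SAMPLE_HEADERS).items():
        print(ip, "->", "; ".join(reasons))
```

Feed it the Received lines your own server adds (one header per list entry, folded lines kept) and the output is the notification list the first post asks about; counting distinct IPs over a week or two tells you how many users "switch it off and count the complaints" would hit.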

RvdH
Senior user
Posts: 1684
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Require SSL/TLS for authentication

Post by RvdH » 2021-09-15 12:11

palinka wrote:
2021-09-15 12:07
jimimaseye wrote:
2021-09-15 11:36
How do you monitor clients without SSL/TLS?
My short answer:

Switch it off, wait for the complaints, count them. 8)
^ this.

I think Soren has a method of capturing what you're looking for using regex on the received header by looking at SMTPS, ESMTPS, etc.
Capturing headers is not needed anymore (in my build) :)
https://github.com/hmailserver/hmailserver/pull/391

Just started monitoring; especially POP clients seem to use unencrypted connections (not so strange, as this is Outlook's default setting, I believe).

palinka
Senior user
Posts: 2983
Joined: 2017-09-12 17:57

Re: Require SSL/TLS for authentication

Post by palinka » 2021-09-15 12:23

As a matter of policy, all client connections should always be encrypted in order to keep internal communications private.

katip
Senior user
Posts: 969
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Require SSL/TLS for authentication

Post by katip » 2021-09-15 12:48

RvdH wrote:
2021-09-15 09:32
SMTP 25 (AUTH disabled)
POP 110 (STARTTLS optional)
IMAP 143 <<=========== STARTTLS optional
SMTP 465 (SSL/TLS)
SMTP 587 (STARTTLS optional)
IMAP 993 (SSL/TLS)
POP 995 (SSL/TLS)
Should i just turn the switch? Or do you notify clients without SSL/TLS? How do you monitor clients without SSL/TLS?
We have it here as above, same as your suggestion + 143 STARTTLS opt.
I'm not sure about a default on/off. I'd suggest leaving it as is. We set up all clients on 587, phones on 993 and PCs on 143 STARTTLS or 110 STARTTLS anyway. YMMV
Katip
--
HMS 5.7.0, MariaDB 10.4.10, SA 3.4.4, ClamAV 0.103.2

SorenR
Senior user
Posts: 4901
Joined: 2006-08-21 15:38
Location: Denmark

Re: Require SSL/TLS for authentication

Post by SorenR » 2021-09-15 14:10

palinka wrote:
2021-09-15 12:07
jimimaseye wrote:
2021-09-15 11:36
How do you monitor clients without SSL/TLS?
My short answer:

Switch it off, wait for the complaints, count them. 8)
^ this.

I think Soren has a method of capturing what you're looking for using regex on the received header by looking at SMTPS, ESMTPS, etc.
Yes, for listing cipher, bits etc... taken from the Received header. I added oClient.TLS to my code back in January. RvdH fixed my initial (broken) attempt to list cipher, bits etc. with his recent (#391) update.
SørenR.

Engineer (noun)
- I'm Not Arguing, I'm Just Explaining Why I'm Right

SorenR
Senior user
Posts: 4901
Joined: 2006-08-21 15:38
Location: Denmark

Re: Require SSL/TLS for authentication

Post by SorenR » 2021-09-15 14:25

RvdH wrote:
2021-09-15 09:32
Being 2021 and all that, TLS 1.0 and TLS 1.1 should be disabled by now.
Besides that I am wondering how many of you enabled "Require SSL/TLS for authentication" on the "Internet" IP range within hMailServer or do most of you still accept authentication without SSL/TLS?

I think we still have some clients (@work hMailServer instance) that authenticate without using SSL/TLS, mainly on ports 587 and 110 (both being STARTTLS optional).

SMTP 25 (AUTH disabled)
POP 110 (STARTTLS optional)
IMAP 143 (Entirely closed from outside, only webmail uses this, eg: listens on 127.0.0.1)
SMTP 465 (SSL/TLS)
SMTP 587 (STARTTLS optional)
IMAP 993 (SSL/TLS)
POP 995 (SSL/TLS)

Should I just turn the switch? Or do you notify clients without SSL/TLS? How do you monitor clients without SSL/TLS?
My server only services port 25 (optional STARTTLS), 465 (forced SSL) and 993 (forced SSL), so it's simple... Clients are ALWAYS secure(ish), and for mail on port 25 it is 99% certain that SPAM = NON-SSL/TLS ;-)

OpenSSL 3.0.0 so far works a treat but it took some figuring out how to compile to make it work with Boost 1.7x. :mrgreen:

Currently I only support TLS 1.2 and 1.3 on public ports. I have an old Windows XP with Outlook 2003 on an internal interface :wink:

RvdH
Senior user
Posts: 1684
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Require SSL/TLS for authentication

Post by RvdH » 2021-09-15 14:59

Now that I think of it again, maybe it is not that smart to Require SSL/TLS for authentication.
By turning off TLS 1.0 and TLS 1.1 I forced/instructed some clients with older devices to use POP3.

mattg
Moderator
Posts: 21641
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Require SSL/TLS for authentication

Post by mattg » 2021-09-16 00:14

I have it switched on (the require SSL/TLS for AUTH) on the Internet IP range.
If I have a regular business client that can't, I create an individualised IP range for them (until I upgrade their workstations to Windows 10).

I also have <=TLSv1.1 disabled, I only accept TLSv1.2 or TLSv1.3

Because Windows prior to Windows 10 | Server 2016 doesn't have TLSv1.2 enabled by default, and Microsoft still doesn't do TLSv1.3, for my remote auto-system-reporting tool I do try SSL and STARTTLS first, but as a fallback I have set up a custom port that accepts AUTH SMTP from an unencrypted connection.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
