Being 2021 and all that, TLS 1.0 and TLS 1.1 should be disabled by now.
Besides that I am wondering how many of you enabled "Require SSL/TLS for authentication" on the "Internet" IP range within hMailServer or do most of you still accept authentication without SSL/TLS?
I think we have still some clients (@work hmailserver instance) that authenticate without using SSL/TLS, mainly on ports 587 and 110 (both being STARTTLS optional).
SMTP 25 (AUTH disabled)
POP 110 (STARTTLS optional)
IMAP 143 (Entirely closed from outside, only webmail uses this, eg: listens on 127.0.0.1)
SMTP 465 (SSL/TLS)
SMTP 587 (STARTTLS optional)
IMAP 993 (SSL/TLS)
POP 995 (SSL/TLS)
Should i just turn the switch? Or do you notify clients without SSL/TLS? How do you monitor clients without SSL/TLS?
Require SSL/TLS for authentication
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
- jimimaseye
- Moderator
- Posts: 10053
- Joined: 2011-09-08 17:48
Re: Require SSL/TLS for authentication
My short answer:
"How do you monitor clients without SSL/TLS?"
Switch it off, wait for the complaints, count them.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: Require SSL/TLS for authentication
jimimaseye wrote: ↑2021-09-15 11:36
My short answer: "How do you monitor clients without SSL/TLS?"
Switch it off, wait for the complaints, count them.
^ this.
I think Soren has a method of capturing what you're looking for using regex on the received header by looking at SMTPS, ESMTPS, etc.
Re: Require SSL/TLS for authentication
palinka wrote: ↑2021-09-15 12:07
^ this.
jimimaseye wrote: ↑2021-09-15 11:36
My short answer: "How do you monitor clients without SSL/TLS?"
Switch it off, wait for the complaints, count them.
I think Soren has a method of capturing what you're looking for using regex on the received header by looking at SMTPS, ESMTPS, etc.
Capturing headers is not needed anymore (in my build):
https://github.com/hmailserver/hmailserver/pull/391
Just started monitoring; especially POP clients seem to use unencrypted connections (not so strange, as this is Outlook's default setting, I believe).
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Require SSL/TLS for authentication
As a matter of policy, all client connections should always be encrypted in order to keep internal communications private.
Re: Require SSL/TLS for authentication
RvdH wrote: ↑2021-09-15 09:32
SMTP 25 (AUTH disabled)
POP 110 (STARTTLS optional)
IMAP 143 <<=========== STARTTLS optional
SMTP 465 (SSL/TLS)
SMTP 587 (STARTTLS optional)
IMAP 993 (SSL/TLS)
POP 995 (SSL/TLS)
Should I just turn the switch? Or do you notify clients without SSL/TLS? How do you monitor clients without SSL/TLS?
We have it here as above, same as your suggestion + 143 STARTTLS opt.
I'm not sure about a default on/off. I'd suggest leaving it as is. We set up all clients on 587, phones on 993 and PCs on 143 STARTTLS or 110 STARTTLS anyway. YMMV
Katip
--
HMS 5.7, MariaDB 10.4.10, SA 4.0.0, ClamAV 0.103.8
Re: Require SSL/TLS for authentication
palinka wrote: ↑2021-09-15 12:07
^ this.
jimimaseye wrote: ↑2021-09-15 11:36
My short answer: "How do you monitor clients without SSL/TLS?"
Switch it off, wait for the complaints, count them.
I think Soren has a method of capturing what you're looking for using regex on the received header by looking at SMTPS, ESMTPS, etc.
Yes, for listing cipher, bits etc... taken from the Received header. I added oClient.TLS to my code back in January. RvdH fixed my initial (broken) attempt to list cipher, bits etc. with his recent (#391) update.
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
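palinka's and SørenR.'s posts above both point at the same monitoring trick: the Received header your own server writes carries a "with" protocol token (RFC 3848 registers ESMTP, ESMTPA, ESMTPS and ESMTPSA), where the S means the session was TLS-protected and the A means the client used AUTH. The script below is an added example, not code from this thread, from hMailServer or from PR #391: it walks a mailbox export, trusts only the Received line written by your own host (upstream hops are whatever the sender chose to put there), and tallies which client IPs still authenticate on a plaintext session. The host name mail.example.net and the sample messages are constructed for the example; the exact Received layout of your hMailServer build may differ, so check the regex against one of your own headers first.

```python
"""Find mail clients that still authenticate without SSL/TLS, from Received headers.

Added example (not hMailServer code, not PR #391). The MTA's own Received header
carries a 'with' protocol token (RFC 3848: ESMTP, ESMTPA, ESMTPS, ESMTPSA); the
'S' means the session was TLS-protected, the 'A' means the client used AUTH.
Sample messages below are constructed; the server name mail.example.net and the
header layout are assumptions to adapt to your own server.
"""
import email
import re
from collections import Counter
from email import policy

# One Received header: "from <helo> (<rdns> [<ip>]) by <host> with <proto> ..."
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(.*?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)\s+with\s+(?P<with>[A-Z0-9]+)",
    re.IGNORECASE,
)


def classify_received(value: str):
    """Return ip/by/encrypted/authenticated for one Received header, or None."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold and squeeze whitespace
    if not m:
        return None
    proto = m.group("with").upper()
    if "SMTP" not in proto:            # LMTP / local delivery: not a client submission
        return None
    flags = proto.split("SMTP", 1)[1]  # '' | 'A' | 'S' | 'SA'
    return {
        "ip": m.group("ip"),
        "by": m.group("by").lower(),
        "encrypted": "S" in flags,
        "authenticated": "A" in flags,
    }


def audit_submissions(raw_messages, our_host):
    """Tally sessions by category and count IPs that used AUTH on a plaintext session.

    Only the Received header written by our_host is trusted; any other hop is
    sender-controlled text and is ignored.
    """
    categories = Counter()
    plaintext_auth = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        for value in msg.get_all("Received", []):
            info = classify_received(str(value))
            if info is None or info["by"] != our_host.lower():
                continue
            if info["authenticated"] and not info["encrypted"]:
                categories["plaintext-auth"] += 1
                plaintext_auth[info["ip"]] += 1
            elif info["authenticated"]:
                categories["tls-auth"] += 1
            else:
                categories["unauthenticated"] += 1
            break  # our own header found; the rest are earlier hops
    return categories, plaintext_auth


SAMPLE_MESSAGES = [
    # constructed: submission over TLS with AUTH (port 465, or 587 after STARTTLS)
    "Received: from laptop.example (laptop.example [203.0.113.5])\n"
    "\tby mail.example.net with ESMTPSA (TLSv1.3)\n"
    "\t; Wed, 15 Sep 2021 09:32:00 +0200\n"
    "From: user@example.net\nTo: friend@example.org\nSubject: hi\n\nbody\n",
    # constructed: AUTH on port 587 without STARTTLS, the client to chase down
    "Received: from oldpc.example (oldpc.example [198.51.100.7])\n"
    "\tby mail.example.net with ESMTPA\n"
    "\t; Wed, 15 Sep 2021 09:40:00 +0200\n"
    "From: user2@example.net\nTo: friend@example.org\nSubject: hi\n\nbody\n",
    # constructed: inbound from another MX on port 25, STARTTLS but no AUTH
    "Received: from mx.partner.example (mx.partner.example [192.0.2.9])\n"
    "\tby mail.example.net with ESMTPS (TLSv1.2)\n"
    "\t; Wed, 15 Sep 2021 09:45:00 +0200\n"
    "From: someone@partner.example\nTo: user@example.net\nSubject: hi\n\nbody\n",
    # constructed: the same old client again, plus an earlier hop that must be ignored
    "Received: from oldpc.example (oldpc.example [198.51.100.7])\n"
    "\tby mail.example.net with ESMTPA\n"
    "\t; Wed, 15 Sep 2021 10:05:00 +0200\n"
    "Received: from relay.example (relay.example [192.0.2.44])\n"
    "\tby other.example with ESMTPSA\n"
    "\t; Wed, 15 Sep 2021 10:04:00 +0200\n"
    "From: user2@example.net\nTo: friend@example.org\nSubject: fwd\n\nbody\n",
]

if __name__ == "__main__":
    cats, offenders = audit_submissions(SAMPLE_MESSAGES, "mail.example.net")
    print("sessions by category:", dict(cats))
    print("plaintext AUTH by client IP:", dict(offenders))
```

Run it over a folder of .eml files (or a mailbox dump) for a few weeks before flipping "Require SSL/TLS for authentication": the plaintext-auth IP list is exactly the set of clients that will break, which answers the "notify first or just switch?" question with data instead of complaint counts.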
Re: Require SSL/TLS for authentication
RvdH wrote: ↑2021-09-15 09:32
Being 2021 and all that, TLS 1.0 and TLS 1.1 should be disabled by now.
Besides that I am wondering how many of you enabled "Require SSL/TLS for authentication" on the "Internet" IP range within hMailServer or do most of you still accept authentication without SSL/TLS?
I think we have still some clients (@work hmailserver instance) that authenticate without using SSL/TLS, mainly on ports 587 and 110 (both being STARTTLS optional).
SMTP 25 (AUTH disabled)
POP 110 (STARTTLS optional)
IMAP 143 (Entirely closed from outside, only webmail uses this, eg: listens on 127.0.0.1)
SMTP 465 (SSL/TLS)
SMTP 587 (STARTTLS optional)
IMAP 993 (SSL/TLS)
POP 995 (SSL/TLS)
Should I just turn the switch? Or do you notify clients without SSL/TLS? How do you monitor clients without SSL/TLS?
My server only serves port 25 (optional STARTTLS), 465 (forced SSL) and 993 (forced SSL), so it's simple... Clients are ALWAYS secure(ish), and for mail on port 25 it is 99% certain that SPAM = NON-SSL/TLS.
OpenSSL 3.0.0 so far works a treat but it took some figuring out how to compile to make it work with Boost 1.7x.
Currently I only support TLS 1.2 and 1.3 on public ports. I have an old Windows XP with Outlook 2003 on an internal interface
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: Require SSL/TLS for authentication
Now that I think of it again, maybe it is not that smart to Require SSL/TLS for authentication.
By turning off TLS 1.0 and TLS 1.1 I forced/instructed some clients with older devices to use POP3.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Require SSL/TLS for authentication
I have it switched on - the require SSL/TLS for AUTH - on internet IP range
If I have a regular business client that can't, I create an individualised IP range for them (until I upgrade their workstations to Windows 10)
I also have <=TLSv1.1 disabled, I only accept TLSv1.2 or TLSv1.3
Because Windows prior to Windows 10 | Server 2016 doesn't have TLSv1.2 enabled by default, and Microsoft still doesn't do TLSv1.3, for my remote auto-system-reporting tool, I do try SSL and StartTLS first, but as a fall back I have set up a custom port that accepts AUTH SMTP from an unencrypted connection.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation