Guide to setting up TLS v1.2 for email

How to setup secure SSL, TLS v1.2 on your server

    This is a guide to setting up secure SSL/TLS (TLS v1.2) email on your server, allowing you to send and receive mail over channels encrypted with TLS v1.2.

    By default Hexamail automatically supports all SChannel cipher suites configured within Windows. Some versions of Windows do not support TLS v1.2 by default. You can find out more about the cipher suites available in each Windows version here.

Checking for TLS v1.2 support

    First you need to check whether your server already supports TLS v1.2. To do this use the command-line openssl tool, available here:

    openssl s_client -connect localhost:465

    This should connect and report the version of TLS supported:

    SSL-Session:
        Protocol  : TLSv1
        Cipher    : ECDHE-RSA-AES256-SHA384
        Session-ID: 301B0000DA0389905092C8B31036ECBC8A8511F5518AA0761A787D35F03CAC4E
        Session-ID-ctx:
        Master-Key: 1B9EB7B4FB97863FB70D81143F25D28DF7850FA336813DBD904B2B314E2EA246 DA24D285D3AC2D67B854A954E6349C05
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1533119079
        Timeout   : 7200 (sec)
        Verify return code: 21 (unable to verify the first certificate)
        Extended master secret: yes
    ---

    The "Verify return code: 21" line means openssl could not validate the server certificate chain against its default trust store; it has no bearing on the protocol version check.

    If it cannot connect, check that you have enabled SSL in your Hexamail Admin/SMTP Server/Network settings, and that you have installed and selected an appropriate certificate as per the guide to setting up SSL.
    If it does connect but does not show TLSv1.2, you may need to enable TLS on your Windows server as described in the following section.

Setting up TLSv1.2 support under Windows

    Windows 7 and Windows Server 2008 R2 support TLS 1.1 and TLS 1.2, but these protocol versions are not enabled by default on those systems. On Windows 8 and higher, these protocols are enabled by default.

    To enable TLS 1.1 and TLS 1.2 on Windows 7, import the following registry keys:

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
    Alternatively, download and double-click the following file: enabletls12.reg

    Next recheck your TLS setup:

    openssl s_client -connect localhost:465 -tls1_2

    This should connect and report the version of TLS supported:

    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-SHA384
        Session-ID: 301B0000DA0389905092C8B31036ECBC8A8511F5518AA0761A787D35F03CAC4E
        Session-ID-ctx:
        Master-Key: 1B9EB7B4FB97863FB70D81143F25D28DF7850FA336813DBD904B2B314E2EA246 DA24D285D3AC2D67B854A954E6349C05
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1533119079
        Timeout   : 7200 (sec)
        Verify return code: 21 (unable to verify the first certificate)
        Extended master secret: yes
    ---
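    As an added check (an example script, not Hexamail's own code or part of the original guide), the following PowerShell reads the SCHANNEL registry keys listed above and then performs a TLS 1.2 handshake against the SSL listener, assumed to be on localhost:465 as in the openssl commands, so the negotiated protocol can be compared with the openssl output from the same machine.

```powershell
# Added example, not part of Hexamail or the original guide. Reads the SCHANNEL
# registry state for TLS 1.1/1.2, then attempts a TLS 1.2 handshake against
# the SSL listener on localhost:465 (assumed port; change if yours differs).
# Requires .NET 4.5 or later for SslProtocols.Tls12.

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role)
    $path  = Join-Path $Base "$Protocol\$Role"
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    # A missing key or value means the Windows default applies: off for
    # TLS 1.1/1.2 on Windows 7 / 2008 R2, on for Windows 8 and later.
    $enabled  = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { 'default' }
    $disabled = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $disabled
        # True only when the key is in the state enabletls12.reg produces.
        ExplicitlyEnabled = ($enabled -ne 0 -and $disabled -eq 0)
    }
}

function Test-Tls12Handshake {
    param([string]$HostName = 'localhost', [int]$Port = 465)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any server certificate: this check is about the negotiated
        # protocol, the same situation openssl reports as "unable to verify
        # the first certificate". A real mail client must validate the chain.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{
            Protocol       = $ssl.SslProtocol          # expect Tls12
            KeyExchange    = $ssl.KeyExchangeAlgorithm
            Cipher         = $ssl.CipherAlgorithm
            CipherStrength = $ssl.CipherStrength
            Hash           = $ssl.HashAlgorithm
        }
    } finally {
        $client.Close()
    }
}

$report = foreach ($p in 'TLS 1.1', 'TLS 1.2') {
    foreach ($r in 'Client', 'Server') { Get-SchannelProtocolState -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize
Test-Tls12Handshake | Format-List
```

    If the handshake throws an exception while the registry table shows TLS 1.2 enabled for the Server role, check that the Hexamail SSL listener is actually running on the port you passed in.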

    References: http://support.microsoft.com/kb/245030