The author selected Electronic Frontier Foundation Inc to receive a donation as part of the Write for DOnations program.

Mail Transport Agent Strict Transport Security (MTA-STS) is a new internet standard that allows you to enable strict force-TLS for email sent between supported email providers. It is similar to HTTP Strict Transport Security (HSTS), where a force-TLS policy is set and then cached for a specified amount of time, reducing the risk of man-in-the-middle or downgrade attacks. MTA-STS is complemented by SMTP TLS Reporting (TLSRPT), which gives you insight into which emails are successfully delivered over TLS, and which aren't. TLSRPT is similar to DMARC reporting, but for TLS.

The primary reason for implementing MTA-STS for your domain is to ensure that confidential email that is sent to you is transmitted securely over TLS. Other methods for encouraging TLS for email communications, such as STARTTLS, are still susceptible to man-in-the-middle attacks, as the initial connection is unencrypted. MTA-STS helps to ensure that once at least one secure connection has been established, TLS will be used by default from there on, which greatly reduces the risk of these attacks.

An example use case for MTA-STS and TLS Reporting is to help create a secure customer service email system for your business. Customers may send support tickets via email that contain confidential personal information, which needs a secure TLS connection.

In this tutorial, you will learn how to configure MTA-STS and TLSRPT for your domain name, and then interpret your first TLS Report. MTA-STS helps to ensure the security of the connection, and TLSRPT will deliver daily reports identifying any emails that weren't sent securely, giving crucial insight into any ongoing or previous attacks against your email system. While this tutorial covers the steps for using Apache on Ubuntu 18.04 with a Let's Encrypt certificate, the MTA-STS/TLSRPT configuration will also work on alternatives, such as Nginx on Debian.

My goal is to prevent the server from using TLS 1.0 even if the client only supports TLS 1.0, because TLS 1.0 has security vulnerabilities.
I've configured IIS on Windows Server 2008 R2 to not allow TLS 1.0. I've done this by setting these reg keys and rebooting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled set to 0 (as a DWORD)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\DisabledByDefault set to 1 (as a DWORD)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\Enabled set to 0 (as a DWORD)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\DisabledByDefault set to 1 (as a DWORD)

On the client side, I'm using FireFox 48.0 and IE 9 to test. (I can't use later versions of IE because the network admins have the settings locked down.)

This is how I'm configuring IE to force TLS 1.0:

This is how I'm configuring FireFox to force TLS 1.0:

I'm using WireShark to confirm the protocol being used. This is what it looks like when I force TLS 1.0 in the browser:

If I force TLS 1.1 in the browser, this is what WireShark looks like:

I've also used the OpenSSL command suggested below to confirm that TLS 1.0 is still being used: openssl s_client -tls1 -connect :443

The problem is that the server is configured to not allow TLS 1.0, but when I configure my browser to only use TLS 1.0, then TLS 1.0 is being used. If I configure IE to not allow any version of TLS, then it returns an error "Internet Explorer cannot display the web page", which is what I would expect.