2016/04/27

How to verify SMTP server TLS version

How to verify SMTP server TLS version

For the past two decades, Internet population has exploded exponentially. SSL and TLS protocol have been doing their best to protect users during Internet communication underlying different types of Internet applications such as web browsing and mail delivery.

SSL v3, TLS v1.0, and TLS v1.1 were once to be flawless. After many exploits, such as Heartbeat, Beast, Poodle, and Crime, were attacking these old SSL / TLS encryption schemes, protection became almost useless. That is why SSL becomes obsolete and TLS has evolved to TLS  v1.2.  


If you are running your own on-premises mail server, then you need to be aware of whether or not the data encryption security level of your mail server is up to date? The most updated TLS protocol version is v1.2. For a better understanding of both SSL and TLS, please refer to Wikipedia on Transport Layer Security 


There are several websites that are able to verify both SSL and TLS security level of your mail server such as:


http://www.checktls.com/index.html
https://ssl-tools.net/mailservers


These tests are important because they give you information about whether your mail server is robust enough on all TCP ports that are used during inbound and outbound SSL/TLS mail delivery, including TCP 993, 995, 587 and 465.   

Besides SSL and TLS, there are several protocols you need to make sure your mail server also supports and/or prevents attacks: 
  1. PFS (Perfect Forward Secrecy),
  2. Heartbleed
  3. BEAST (Browser Exploit Against SSL/TLS) 
  4. POODLE
  5. CRIME (Compression Ratio Info-leak Made Easy)
  6. Weak ciphers. For optimal cipher protection, you may use the following string:

    "ALL:!ECDHE-RSA-RC4-SHA:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:@STRENGTH"
  7. SHA256 (https://en.wikipedia.org/wiki/SHA-2)
As a summary, a mail server equipped with TLS v1.2, PFS, Heartbleed-free, strong ciphers are considered to be optimally safeguarded against hacker attacks. It is difficult to configure a mail server to have all these criteria. Here is a mail server option called EVO Mail Server that is natively having all the above built-in. By the way, a backward compatibility with SSL v3, TLS v1.0 and TLS v1.1 is somehow needed in a real-world environment because some mail clients applications may not yet be updated to support TLS v1.2.

1 comment: