How to verify SMTP server TLS version
For the past two decades the Internet population has grown exponentially. The SSL and TLS protocols have been doing their best to protect users during Internet communication, underlying different types of Internet applications such as web browsing and mail delivery. SSL v3, TLS v1.0 and TLS v1.1 were once thought to be solid. After a series of attacks on these older versions and their cipher modes, such as BEAST, CRIME and POODLE, and the Heartbleed bug in OpenSSL's implementation, the protection they offer can no longer be relied upon. That is why SSL is obsolete and TLS has evolved to TLS v1.2.
If you run your own on-premises mail server, you need to know whether its data encryption security level is up to date. At the time of writing the newest TLS protocol version is v1.2 (TLS v1.3, RFC 8446, has since been published, and TLS v1.0 and v1.1 are formally deprecated by RFC 8996). For a better understanding of both SSL and TLS, please refer to the Wikipedia article on Transport Layer Security: https://en.wikipedia.org/wiki/Transport_Layer_Security
There are several websites that are able to verify both SSL and TLS security level of your mail server such as:
http://www.checktls.com/index.html
https://ssl-tools.net/mailservers
These tests are important because they tell you whether your mail server negotiates TLS properly on every TCP port used for inbound and outbound SSL/TLS mail delivery: TCP 25 (SMTP, where other mail servers deliver to you and TLS is started with the STARTTLS command), 587 (mail submission, also STARTTLS), 465 (SMTPS, TLS from the first byte), 993 (IMAPS) and 995 (POP3S). Do not leave port 25 out of the check: inbound mail from other domains arrives there, and STARTTLS on that port is opportunistic, so a misconfiguration silently falls back to clear text.
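If you prefer to run the check yourself rather than through a third-party site, the following Python script surveys each port in the list and records which TLS versions the server accepts. It is an added example, not code from the original post; it uses only the standard library, whose ssl and smtplib modules wrap OpenSSL, so the result matches what openssl s_client -starttls smtp -connect host:25 -tls1 would show for a single version. The host name mail.example.com and the port-to-mode table are assumptions; assess() is a pure function that needs no network and is what you would feed into a monitoring check.

```python
"""Survey which TLS versions a mail server accepts on each mail port.

Added example; not the original post's code. Needs only the standard
library. The host name used in __main__ is a placeholder (assumption).
"""
import smtplib
import socket
import ssl
import sys

# Port -> how TLS is started on it (standard assignments; adjust if your server differs).
MAIL_PORTS = {
    25: "starttls",   # SMTP relay: other mail servers deliver here, TLS via STARTTLS
    587: "starttls",  # mail submission from clients, TLS via STARTTLS
    465: "implicit",  # SMTPS: TLS from the first byte
    993: "implicit",  # IMAPS
    995: "implicit",  # POP3S
}

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

NO_STARTTLS = "no-starttls"


def context_for(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that offers exactly one protocol version to the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are surveying versions, not validating identity; a real client must verify.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses to even offer TLS 1.0/1.1 at its default security level.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def probe_starttls(host, port, version, timeout=10.0):
    """EHLO, then STARTTLS with a single version; (version, cipher), None, or NO_STARTTLS."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return NO_STARTTLS
            smtp.starttls(context=context_for(version))
            return smtp.sock.version(), smtp.sock.cipher()[0]
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return None  # handshake refused, connection reset or port closed


def probe_implicit(host, port, version, timeout=10.0):
    """TLS from the first byte (465/993/995); (version, cipher) or None if refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context_for(version).wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def survey(host, ports=MAIL_PORTS):
    """Try every (port, version) pair; returns {port: {version_name: result}}."""
    results = {}
    for port, mode in ports.items():
        probe = probe_starttls if mode == "starttls" else probe_implicit
        results[port] = {name: probe(host, port, ver) for name, ver in VERSIONS.items()}
    return results


def assess(port_results):
    """Turn one port's {version_name: result} into findings; pure, no network."""
    findings = []
    if any(r == NO_STARTTLS for r in port_results.values()):
        return ["STARTTLS not offered: mail on this port travels in clear text"]
    accepted = {v for v, r in port_results.items() if isinstance(r, tuple)}
    for old in ("TLSv1.0", "TLSv1.1"):
        if old in accepted:
            findings.append(f"{old} accepted: disable it, deprecated by RFC 8996")
    if not accepted:
        findings.append("no TLS version negotiated: port closed or TLS stack too old")
    elif not accepted & {"TLSv1.2", "TLSv1.3"}:
        findings.append("only pre-1.2 TLS accepted: the server TLS stack is out of date")
    for ver in sorted(accepted):
        cipher = port_results[ver][1]
        if any(weak in cipher for weak in ("RC4", "DES", "MD5", "NULL")):
            findings.append(f"{ver} negotiated weak cipher {cipher}")
    return findings


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder host
    for port, port_results in survey(host).items():
        print(f"port {port}:")
        for name, result in port_results.items():
            print(f"  {name:8s} {result}")
        for finding in assess(port_results) or ["ok"]:
            print(f"  -> {finding}")
```

Run it as python3 tlsprobe.py mail.yourdomain.example. A healthy server shows None for TLSv1.0 and TLSv1.1 and a tuple for TLSv1.2 (and TLSv1.3 where supported) on every port; a None on every version of a port usually means the port is filtered rather than a TLS problem, which is why assess() reports that case separately.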
Besides the protocol version, the same scanners report on several properties and known attacks that you need to make sure your mail server supports or is protected against:
- PFS (Perfect Forward Secrecy): ephemeral key exchange (ECDHE or DHE), so that a leaked server key does not decrypt previously recorded sessions
- Heartbleed: the OpenSSL memory-disclosure bug (CVE-2014-0160); it is fixed by patching OpenSSL, not by configuration
- BEAST (Browser Exploit Against SSL/TLS): CBC cipher suites under TLS v1.0 (CVE-2011-3389)
- POODLE: the padding-oracle attack on SSL v3 (CVE-2014-3566); disable SSL v3 outright
- CRIME (Compression Ratio Info-leak Made Easy): TLS compression (CVE-2012-4929); keep it off
- Weak ciphers. A commonly suggested OpenSSL cipher string is:
"ALL:!ECDHE-RSA-RC4-SHA:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:@STRENGTH"
Treat it as a starting point rather than optimal: it removes only the two RC4 suites it names (!RC4 would remove all of them), !ADH drops anonymous DH but not anonymous ECDH (!aNULL covers both), @STRENGTH merely sorts what is left by key size, and everything else in ALL, including RSA key exchange without forward secrecy, stays enabled.
- SHA-256 (SHA-2, https://en.wikipedia.org/wiki/SHA-2) rather than SHA-1 as the signature hash on your certificate chain
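The quickest way to see what a cipher string really allows is to let OpenSSL expand it. The Python below does that for the string above and for a forward-secret, AEAD-only alternative, then flags each suite that lacks forward secrecy, is unauthenticated, uses a broken algorithm, or is a CBC/HMAC suite of the kind BEAST and POODLE attacked. It is an added example, not code from the original post; the hardened list is this example's own choice (assumption), and the exact suites reported depend on the OpenSSL build Python is linked against. The classify() function works on the Kx=/Au=/Mac= fields of OpenSSL's cipher description, so it can also be run on constructed entries without any OpenSSL at hand.

```python
"""Expand an OpenSSL cipher string as the server's OpenSSL would, and report
what it still allows. Added example; not the original post's code.
"""
import re
import ssl

# The string suggested on the page, reproduced verbatim.
PAGE_CIPHERS = "ALL:!ECDHE-RSA-RC4-SHA:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:@STRENGTH"

# Forward-secret AEAD suites only (assumption: this example's own choice).
HARDENED_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
)

# Kx= values in OpenSSL's cipher description that mean an ephemeral exchange.
# "any" is what TLS 1.3 suites show; TLS 1.3 is always forward secret.
PFS_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK", "any"}
# Substrings of suite names that mark broken or deprecated algorithms.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "IDEA", "SEED")


def expand(cipher_string):
    """Resolve a cipher string to the suites the local OpenSSL build enables for it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()        # list of dicts with 'name' and 'description'


def classify(suite):
    """Issues with one suite, from its name and 'Kx=... Au=... Mac=...' description."""
    desc = suite["description"]
    kx = re.search(r"Kx=(\S+)", desc).group(1)
    au = re.search(r"Au=(\S+)", desc).group(1)
    issues = []
    if kx not in PFS_KX:
        issues.append("non_pfs")     # RSA or static key exchange: no forward secrecy
    if au == "None":
        issues.append("anonymous")   # no server authentication: trivially intercepted
    if any(marker in suite["name"] for marker in WEAK_MARKERS):
        issues.append("weak")        # RC4, (3)DES, MD5, export grade and friends
    if "Mac=AEAD" not in desc:
        issues.append("non_aead")    # CBC with HMAC, the construction BEAST and POODLE attacked
    return issues


def audit(cipher_string):
    """Aggregate classify() over the expansion: {'total': n, issue: [suite names]}."""
    report = {"total": 0, "non_pfs": [], "anonymous": [], "weak": [], "non_aead": []}
    for suite in expand(cipher_string):
        report["total"] += 1
        for issue in classify(suite):
            report[issue].append(suite["name"])
    return report


if __name__ == "__main__":
    for label, spec in (("page string", PAGE_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        r = audit(spec)
        print(f"{label}: {r['total']} suites, {len(r['non_pfs'])} without PFS, "
              f"{len(r['anonymous'])} anonymous, {len(r['weak'])} weak, "
              f"{len(r['non_aead'])} non-AEAD")
        for name in r["non_pfs"][:5]:
            print("  still allowed without forward secrecy:", name)
```

The same expansion is available from the shell as openssl ciphers -v 'ALL:!ECDHE-RSA-RC4-SHA:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:@STRENGTH'; run it on the mail server itself, because what matters is that host's OpenSSL build, not your workstation's.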