1 Activate HTTPS Communications
To run the HTTPS server you must first obtain a digital certificate, either one issued by a certificate authority (CA) or a self-signed one. The steps for obtaining a certificate are described in more detail in the report published by Amir Kabir University of Technology’s Apia Research Center at the following address:
1.1 Creating a self-signed certificate
The following steps enable HTTPS in WorldClient by creating and using a self-signed certificate.
1) In the toolbar, select Setup, then Web & IM Services.
2) Open the SSL/HTTPS settings page, which contains the options described below.
3) Use the Create certificate option to generate the self-signed certificate.
- Enable SSL, STARTTLS and STLS
This option activates SSL/TLS. When it is selected, the server accepts SSL/TLS connections (implicit SSL on the dedicated ports, and STARTTLS for SMTP/IMAP and STLS for POP3 on the standard ports); after selecting it, choose the certificate to use from the list.
- Dedicated SSL ports for SMTP, IMAP and POP3 services
This option enables dedicated SSL ports for the SMTP, IMAP and POP3 servers; the port numbers themselves are set on the Port Assignment page.
- Select a certificate to use for HTTPS/SSL
This list shows the SSL certificates available on the machine; select the one MDaemon should use.
- Create certificate
Here you can create your own self-signed SSL certificate.
After completing these settings, click Restart servers to restart the SMTP/IMAP/POP servers. Whenever the certificate is changed, the servers must be restarted for the change to take effect.
1.2 Using certificates issued by a certificate authority
When you obtain a certificate from a certificate authority, you can use the Microsoft Management Console (MMC) to place it in the certificate store that MDaemon reads from. To do this:
- Go to Start > Run…, type “mmc /a” in the box and click OK.
- In the window that opens, go to File »Add / Remove Snap-in ….
- Click Add.
- Click Certificates and then Add.
- Select Computer account and then click Next.
- Select Local Computer, and then click Finish.
- Click Close and then Ok.
- In the left pane, expand Personal, then Certificates (a self-signed certificate is not trusted by default; to trust it, also import it into Trusted Root Certification Authorities on every machine that should accept it).
- From the menu, choose Action » All Tasks » Import… and click Next.
- Select the certificate file and complete the remaining steps of the wizard.
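The same import can be done from PowerShell, which also lets you check that the certificate actually chains to a trusted root and matches the mail server's host name before MDaemon is pointed at it. This is an added example, not part of the original guide; the PFX path, its password and the host name are placeholders, and it assumes the PKI module shipped with Windows Server 2012 and later.

```powershell
# Added example (not from the original guide): import a CA-issued certificate
# into the Local Computer store that MDaemon reads (Personal / "My"), then check
# that it chains to a trusted root and is valid for the server's host name.
# Assumptions: the PFX path, password prompt and host name below are placeholders;
# the PKI module (Windows 8 / Server 2012 and later) is available.
#Requires -RunAsAdministrator

$PfxPath  = 'C:\certs\mail.example.com.pfx'   # placeholder path
$HostName = 'mail.example.com'                # placeholder host name
$Password = Read-Host -AsSecureString -Prompt 'PFX password'

# Import with the private key into LocalMachine\My (MMC: Certificates (Local
# Computer) > Personal > Certificates). -Exportable is deliberately omitted so
# the private key cannot simply be re-exported later by another process.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $Password

"Imported: $($cert.Subject)  thumbprint=$($cert.Thumbprint)  expires=$($cert.NotAfter)"

# Verify that the certificate chains to a root trusted on this machine and is
# usable for SSL with the given host name. Test-Certificate returns $false
# (and writes the reason to the error stream) when either check fails, which
# is exactly the trust error a mail client would show.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue)) {
    Write-Warning "The certificate does not validate for $HostName; clients will see a trust error."
}

# A self-signed certificate (section 1.1) is not trusted by default. To trust it
# on a client or on this server, import only the public part into Trusted Root
# Certification Authorities, never the PFX with the private key:
#   Export-Certificate -Cert $cert -FilePath C:\certs\selfsigned.cer
#   Import-Certificate -FilePath C:\certs\selfsigned.cer -CertStoreLocation 'Cert:\LocalMachine\Root'
```

After the import, the certificate appears in MDaemon's "Select a certificate to use for HTTPS/SSL" list; the servers still have to be restarted, as in section 1.1.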
2 Configuring the SSL/TLS protocol securely
This section describes how to configure SSL/TLS securely on Windows Server 2012 for use with the MDaemon mail service. This includes disabling certain cryptographic algorithms to mitigate attacks such as FREAK, CRIME and Logjam, disabling insecure SSL versions, preferring strong cipher suites that provide forward secrecy, and enabling HSTS. Note that MDaemon relies on Windows (Schannel) for its SSL/TLS implementation and therefore uses the Windows settings; the rest of this section configures those settings on Windows Server 2012.
To check the security status of your server’s SSL/TLS configuration, you can use the tool designed for this purpose by Amir Kabir University of Technology’s Apia Research Center at the following address.
2.1 Disabling SSLv2 and SSLv3
SSLv2 and SSLv3 are insecure and should be disabled. To disable them, follow these steps:
1) Open the Registry Editor (regedit) with administrator rights (Run as administrator).
2) Navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
3) Right-click Protocols and choose New > Key.
4) Name it “SSL 3.0.”
5) Right-click on SSL 3.0 and click New> Key.
6) Name it “Client”.
7) Repeat step 5 and place the name “Server” this time.
8) Right-click on Client and go to New> DWORD (32-bit) Value.
9) Name it “DisabledByDefault” and its value “1”.
10) Right-click on Server and go to New> DWORD (32-bit) Value.
11) Name it “Enabled” and set it to “0”.
12) Restart Windows.
Note: repeat the same steps for SSLv2, naming the key “SSL 2.0” in step 4. Microsoft’s guidance is to create both values (Enabled = 0 and DisabledByDefault = 1) under both the Client and the Server key: Enabled = 0 under Server is what stops MDaemon’s listening ports from negotiating the protocol, whereas DisabledByDefault = 1 only prevents applications that do not explicitly request it from using it.
2.2 Disabling weak cipher suites
We suggest the following steps to enable strong cipher suites and disable weak ones. Note that the order of the list matters: during the handshake Schannel selects the first suite in the server’s list that the client also supports.
- Open the Local Group Policy Editor (gpedit.msc) as administrator (Run as administrator).
- Go to the following:
Computer Configuration >> Administrative Templates >> Network >> SSL Configuration Settings
- Open SSL Cipher Suite Order to edit the list of accepted cipher suites. Note that the field accepts at most 1023 characters and silently truncates anything longer, without any warning.
Replace the accepted cipher suites with the following (suggested for Windows 8.1 and Windows Server 2012 R2):
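Both of the previous steps (section 2.1, disabling SSL 2.0/3.0, and section 2.2, setting the cipher suite order) write Schannel settings to the registry, so they can be applied and verified from a script instead of by clicking through regedit and gpedit. The following is an added example, not part of the original guide. The cipher suite list it applies is this example's own illustrative forward-secrecy-first selection for Windows Server 2012 R2, not the list from the original document; Schannel suite names differ between Windows builds, so check each one against the Schannel cipher suite documentation for your build before applying it.

```powershell
# Added example (not from the original guide): applies sections 2.1 and 2.2
# through the registry, idempotently, and reads the result back.
# Assumption: the cipher suite list below is this example's own selection for
# Windows Server 2012 R2, not the original document's list; verify the names
# against the Schannel documentation for your exact Windows build.
#Requires -RunAsAdministrator

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# This is the key the "SSL Cipher Suite Order" Group Policy setting writes to.
$CipherPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # New-Item -Force creates missing parent keys and leaves existing ones alone.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Disable-SchannelProtocol {
    param([string]$Protocol)   # e.g. 'SSL 2.0' or 'SSL 3.0'
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $SchannelProtocols "$Protocol\$role"
        # Enabled = 0 switches the protocol off for this role outright;
        # DisabledByDefault = 1 additionally stops applications that do not
        # explicitly request it. Setting both under both roles is Microsoft's guidance.
        Set-RegistryDword -Path $key -Name 'Enabled'           -Value 0
        Set-RegistryDword -Path $key -Name 'DisabledByDefault' -Value 1
    }
}

function Set-CipherSuiteOrder {
    param([string[]]$Suites)
    # The policy value is a single comma-separated REG_SZ. The Group Policy
    # editor caps it at 1023 characters and truncates longer input silently,
    # so fail loudly here instead of losing the tail of the list.
    $value = $Suites -join ','
    if ($value.Length -gt 1023) {
        throw "Cipher suite list is $($value.Length) characters; the limit is 1023."
    }
    if (-not (Test-Path $CipherPolicyKey)) { New-Item -Path $CipherPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $CipherPolicyKey -Name 'Functions' -Value $value -PropertyType String -Force | Out-Null
}

Disable-SchannelProtocol 'SSL 2.0'
Disable-SchannelProtocol 'SSL 3.0'

# Illustrative order: ECDHE (forward secrecy) first, AES-GCM before AES-CBC,
# SHA-2 only. The ECDHE_ECDSA suites are only negotiated with an ECDSA
# certificate; with an RSA certificate (the usual case for a mail server) the
# ECDHE_RSA suites are the ones that apply. The trailing TLS_RSA_* suites have
# no forward secrecy and are kept only as a fallback for old clients; drop
# them if every client supports ECDHE.
# Deliberately absent: anything using RC4, 3DES, MD5, NULL, anonymous DH or
# EXPORT ciphers (FREAK), and the DHE suites, whose strength depends on the
# server's DH group size (the Logjam issue).
Set-CipherSuiteOrder @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

# Read back what was written. Schannel only picks up the new values after a reboot.
Get-ItemProperty -Path (Join-Path $SchannelProtocols 'SSL 3.0\Server') | Select-Object Enabled, DisabledByDefault
(Get-ItemProperty -Path $CipherPolicyKey).Functions -split ','
Write-Host 'Reboot the server for the Schannel changes to take effect.'
```

After the reboot, confirm the result from the outside with the scanning tool mentioned at the start of this section (or any TLS scanner) rather than trusting the registry alone: the scan shows which suites the server actually negotiates with the certificate it has.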
2.3 Adding the HSTS header
If possible, enable HTTP Strict Transport Security (HSTS) so that browsers that have visited your site once will communicate with it over HTTPS only.
1) Open IIS Manager, select the site, and open HTTP Response Headers.
2) Click Add.
3) Enter the header name Strict-Transport-Security with the following value:
max-age=31536000; includeSubDomains
4) Click OK.
Note that browsers only honour the header on responses received over HTTPS, so the site must already be served correctly over HTTPS before the header does anything; and includeSubDomains commits every subdomain of the site’s host name to HTTPS for the max-age period (one year here), so omit it if any subdomain is still served over plain HTTP.
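The same header can be added with the WebAdministration module, which makes it easy to refuse the change when the site has no HTTPS binding yet (the failure mode above) and to update an existing header instead of creating a duplicate that IIS would reject. This is an added example, not part of the original guide; the site name 'Default Web Site' and the URL in the final check are placeholders for the site that serves WorldClient.

```powershell
# Added example (not from the original guide): add the Strict-Transport-Security
# response header to an IIS site with the WebAdministration module, equivalent
# to HTTP Response Headers > Add in IIS Manager, with the checks a manual edit lacks.
# Assumption: 'Default Web Site' is a placeholder for the site serving WorldClient.
#Requires -RunAsAdministrator
Import-Module WebAdministration

function Set-HstsHeader {
    param(
        [string]$SiteName,
        [int]$MaxAgeSeconds = 31536000,   # one year, the value used in the guide
        [switch]$IncludeSubDomains
    )
    $name  = 'Strict-Transport-Security'
    $value = "max-age=$MaxAgeSeconds"
    if ($IncludeSubDomains) { $value += '; includeSubDomains' }

    $psPath = "IIS:\Sites\$SiteName"
    $filter = 'system.webServer/httpProtocol/customHeaders'

    # Refuse to configure HSTS on a site with no HTTPS binding: browsers only
    # honour the header on an HTTPS response, and once they have honoured it
    # they refuse plain HTTP for max-age seconds, so HTTPS must already work.
    $httpsBindings = Get-WebBinding -Name $SiteName -Protocol https
    if (-not $httpsBindings) {
        throw "Site '$SiteName' has no HTTPS binding; add one before enabling HSTS."
    }

    # Update in place if the header exists, otherwise append it; IIS rejects
    # duplicate header names in the customHeaders collection.
    $existing = Get-WebConfigurationProperty -PSPath $psPath -Filter "$filter/add[@name='$name']" -Name 'value'
    if ($existing) {
        Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/add[@name='$name']" -Name 'value' -Value $value
    } else {
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -Value @{ name = $name; value = $value }
    }
    return $value
}

# includeSubDomains commits every subdomain of the site's host name to HTTPS for
# a year in visiting browsers; leave the switch off if any subdomain is HTTP-only.
Set-HstsHeader -SiteName 'Default Web Site' -IncludeSubDomains

# Check from outside, over HTTPS; the header should read 'max-age=31536000; includeSubDomains'.
# $r = Invoke-WebRequest -Uri 'https://mail.example.com/' -UseBasicParsing   # placeholder URL
# $r.Headers['Strict-Transport-Security']
```

IIS sends custom headers on plain-HTTP responses as well; that is harmless, since browsers ignore HSTS there, but it is why the check above must be made over HTTPS to prove anything.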