Set up and configure the secure SSL / TLS protocol on the MDaemon 13 email server.

1 Activate HTTPS Communications

To configure the HTTPS server and use this protocol, you must first obtain a digital certificate, either from a certification authority (CA) or by creating a self-signed certificate. Obtaining a certificate involves several steps; for more information, see the report provided by Amir Kabir University of Technology’s APA Research Center at the following address:

http://apa.aut.ac.ir/?p=971

1-1 Make a self-signed certificate

Here’s how to create HTTPS-enabled communications in WorldClient by creating and using a self-signed certificate.

1) In the toolbar, select Setup, then Web & IM Services.

2) In the toolbar, select Setup, then Web & IM Services.

3) Choose the Create certificate option to create the certificate.

  • Enable SSL, STARTTLS and STLS

This option activates the SSL / TLS protocol. When it is checked, your server can accept SSL / TLS connections; after selecting it, you must choose the certificate to use from the list.

  • Dedicated SSL ports for the SMTP, IMAP and POP3 services

This option assigns dedicated SSL ports to the SMTP, IMAP and POP3 servers; the port assignment page looks as follows:

  • Select a certificate to use for HTTPS / SSL

This section lists your SSL certificates so that you can select the one MDaemon should use.

  • Create certificate

Here you can create your own SSL certificate.

After completing the certificate dialog shown above, click Restart servers to restart the SMTP / IMAP / POP servers. Whenever the certificate is changed, the servers must be restarted.

1-2 Use of certificates issued by certification authorities

When you receive a certificate from a certification authority, you can use the Microsoft Management Console to import it into the certificate store that MDaemon uses. To do this, follow these steps:

  1. Go to Start > Run…, type “mmc /a” in the box and click OK.
  2. In the window that opens, go to File > Add/Remove Snap-in….
  3. Click Add.
  4. Click Certificates and then Add.
  5. Select Computer account and then click Next.
  6. Select Local Computer and then click Finish.
  7. Click Close and then OK.
  8. In the left pane, click Personal, then Certificates (for self-signed certificates, select the Trusted Root Certification Authorities section instead).
  9. In the main menu, go to Action > All Tasks > Import… and then click Next.
  10. Select the desired certificate file and complete the remaining steps.
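The same import done from an elevated PowerShell session, as an added example that is not part of the original article: it uses the PKI module cmdlets that ship with Windows Server 2012 and later, targets the same Local Computer > Personal store as the MMC steps, and then reports the server certificates so that expiry can be checked before MDaemon is pointed at one. The PFX path is a placeholder.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the MDaemon host; Import-PfxCertificate comes from the PKI module.

function Import-MailServerCertificate {
    # Imports a CA-issued certificate plus private key (.pfx) into
    # Local Computer > Personal, the store the MMC steps above target.
    param([Parameter(Mandatory)][string]$PfxPath)   # e.g. 'C:\certs\mail.pfx' (placeholder)
    $pwd = Read-Host -Prompt 'PFX password' -AsSecureString
    Import-PfxCertificate -FilePath $PfxPath `
                          -CertStoreLocation 'Cert:\LocalMachine\My' `
                          -Password $pwd
}

function Get-MailServerCertificateReport {
    # Lists certificates that have a private key (the only ones usable by a
    # server) and flags those that expire within $WarnDays days.
    param([int]$WarnDays = 30)
    Get-ChildItem 'Cert:\LocalMachine\My' |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            [pscustomobject]@{
                Subject     = $_.Subject
                Issuer      = $_.Issuer
                Thumbprint  = $_.Thumbprint
                NotAfter    = $_.NotAfter
                SelfSigned  = ($_.Subject -eq $_.Issuer)
                ExpiresSoon = ($_.NotAfter -lt (Get-Date).AddDays($WarnDays))
            }
        }
}

# Import-MailServerCertificate -PfxPath 'C:\certs\mail.pfx'   # placeholder path
Get-MailServerCertificateReport | Format-Table -AutoSize
```

After the import, the certificate appears in the MDaemon certificate list described above; remember that the SMTP / IMAP / POP servers must be restarted after selecting it.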

2 Configuring the secure SSL / TLS protocol

This section describes how to securely configure the SSL / TLS protocol on Windows Server 2012 for use by the MDaemon email service. The steps include disabling certain cryptographic algorithms to mitigate attacks such as FREAK, CRIME and Logjam, disabling unsafe SSL versions, configuring strong cipher suites that provide forward secrecy, and enabling HSTS. Note that MDaemon relies on Windows (Schannel) for its SSL / TLS implementation and therefore uses the Windows settings. The following steps configure the secure SSL / TLS protocol on Windows Server 2012.

To check the security status of your server’s SSL / TLS configuration, you can use the tool provided for this purpose by Amir Kabir University of Technology’s APA Research Center at the following address:

https://sslcheck.certcc.ir

2-1 Disable SSLv2 and SSLv3

SSLv2 and SSLv3 are unsafe and should be disabled. To disable them, follow these steps:

1) Open the Registry Editor (regedit) with Run as administrator.

2) In this window, go to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols

3) Right-click Protocols and then click New > Key.

4) Name it “SSL 3.0”.

5) Right-click SSL 3.0 and click New > Key.

6) Name it “Client”.

7) Repeat step 5, this time naming the key “Server”.

8) Right-click Client and go to New > DWORD (32-bit) Value.

9) Name it “DisabledByDefault” and set its value to “1”.

10) Right-click Server and go to New > DWORD (32-bit) Value.

11) Name it “Enabled” and set its value to “0”.

12) Restart Windows.

Note: SSLv2 is disabled in the same way; simply name the key “SSL 2.0” in step 4.
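The registry steps above as a PowerShell script, added here as an example that is not part of the original article: it creates the Client and Server subkeys for SSL 2.0 and SSL 3.0 under the Schannel key shown in step 2 and then reports the resulting state so the change can be reviewed before the reboot. It goes slightly beyond the step list by setting both Enabled=0 and DisabledByDefault=1 under both subkeys, the usual way to turn a protocol off in both roles.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session; Windows must be restarted afterwards for Schannel to pick it up.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Name)   # 'SSL 2.0' or 'SSL 3.0'
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $Base $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Both values on both sides (the article sets Client: DisabledByDefault=1
        # and Server: Enabled=0); this disables the protocol in either role.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and side; '(not set)' means Windows defaults apply.
    param([string[]]$Names = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($n in $Names) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $Base $n) $side
            $p   = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            $en  = if ($null -ne $p -and $null -ne $p.Enabled) { $p.Enabled } else { '(not set)' }
            $dbd = if ($null -ne $p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { '(not set)' }
            [pscustomobject]@{ Protocol = $n; Side = $side; Enabled = $en; DisabledByDefault = $dbd }
        }
    }
}

'SSL 2.0', 'SSL 3.0' | ForEach-Object { Disable-SchannelProtocol -Name $_ }
Get-SchannelProtocolState | Format-Table -AutoSize
```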

2-2 Disable weak cipher suites

We suggest the following steps to enable strong cipher suites and disable weak ones. Be careful with the order of the suites: it matters, because suites are tried in the order listed and the first one supported by both sides is used.

  1. Open the Local Group Policy Editor (gpedit.msc) with Run as administrator.
  2. Go to the following:

Computer Configuration > Administrative Templates > Network > SSL Configuration Settings

  3. Open SSL Cipher Suite Order to edit the accepted cipher suites. Note that the field accepts at most 1023 characters and gives no warning when a longer list is truncated.

Replace the accepted cipher suites with the following list (suggested for Windows 8.1 and Windows Server 2012 R2):

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 *
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 *
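Because the policy field is order-sensitive and silently truncates at 1023 characters, it is worth checking the list before pasting it. The following script is an added example, not part of the original article: it joins the suites the way the policy expects (comma-separated), flags length, duplicates, suites without forward secrecy and legacy ciphers, and can write the result to the registry value that the SSL Cipher Suite Order policy sets. The list below is the article's list; the registry path is the one the policy writes.

```powershell
# Added example (not from the original article): validate a Schannel cipher
# suite order before applying it, then optionally apply it (elevated session,
# takes effect after a reboot).
$Suites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
)

function Test-CipherSuiteList {
    param([Parameter(Mandatory)][string[]]$Suites)
    $problems = @()
    $joined = $Suites -join ','                 # the format the policy field expects
    if ($joined.Length -gt 1023) { $problems += "List is $($joined.Length) chars; the limit is 1023" }
    # Duplicates achieve nothing and eat into the 1023-character budget.
    $dups = $Suites | Group-Object | Where-Object Count -gt 1 | ForEach-Object Name
    foreach ($d in $dups) { $problems += "Duplicate suite: $d" }
    foreach ($s in $Suites) {
        if ($s -notmatch '^TLS_(ECDHE|DHE)_')          { $problems += "No forward secrecy: $s" }
        if ($s -match '_(RC4|3DES|DES|NULL|EXPORT)_')  { $problems += "Weak cipher: $s" }
        if ($s -match '_MD5$')                         { $problems += "Weak MAC: $s" }
    }
    [pscustomobject]@{ Joined = $joined; Length = $joined.Length; Problems = $problems }
}

function Set-CipherSuiteOrder {
    # Writes the registry value behind the "SSL Cipher Suite Order" policy.
    param([Parameter(Mandatory)][string[]]$Suites)
    $check = Test-CipherSuiteList -Suites $Suites
    if ($check.Problems.Count -gt 0) { throw ($check.Problems -join "`n") }
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Functions' -PropertyType String -Value $check.Joined -Force | Out-Null
}

$result = Test-CipherSuiteList -Suites $Suites
$result | Format-List Length, Problems      # no problems for the list above
# Set-CipherSuiteOrder -Suites $Suites     # uncomment to apply, then reboot
```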

2-3 Add the HSTS header

If possible, enable the HSTS feature so that browsers will communicate with your site only over HTTPS.

1) Open IIS Manager and select ‘HTTP Response Headers’.

2) Click the Add button.

3) Enter the following name and value in the dialog that opens:

Name: strict-transport-security
Value: max-age=31536000; includeSubdomains

4) Click OK.
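The same change scripted and verified, as an added example that is not part of the original article: it adds the header to an IIS site with the WebAdministration module and then requests the site over HTTPS to confirm the header is returned, since browsers only honour HSTS received over HTTPS. The site name and host name are placeholders to adjust.

```powershell
# Added example (not from the original article). Requires the WebAdministration
# module (IIS) and an elevated session; $Site and $HostName are placeholders.
Import-Module WebAdministration
$Site     = 'IIS:\Sites\Default Web Site'
$HostName = 'mail.example.com'
$Filter   = 'system.webServer/httpProtocol/customHeaders'

function Add-HstsHeader {
    param([Parameter(Mandatory)][string]$SitePath, [int]$MaxAge = 31536000)
    $value = "max-age=$MaxAge; includeSubDomains"   # no spaces around '=' (RFC 6797 syntax)
    # Replace any existing entry rather than adding a second one.
    $existing = Get-WebConfiguration -PSPath $SitePath -Filter "$Filter/add" |
        Where-Object { $_.name -eq 'Strict-Transport-Security' }
    if ($existing) {
        Remove-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name '.' `
            -AtElement @{ name = 'Strict-Transport-Security' }
    }
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name '.' `
        -Value @{ name = 'Strict-Transport-Security'; value = $value }
}

function Test-HstsHeader {
    # Checks the HTTPS response (the only one browsers use for HSTS) and that
    # max-age is at least one year, the value the article recommends.
    param([Parameter(Mandatory)][string]$HostName)
    $resp = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing
    $hsts = $resp.Headers['Strict-Transport-Security']
    [pscustomobject]@{
        Present  = [bool]$hsts
        Value    = $hsts
        MaxAgeOk = ($hsts -match 'max-age=(\d+)') -and ([int]$Matches[1] -ge 31536000)
    }
}

Add-HstsHeader -SitePath $Site
Test-HstsHeader -HostName $HostName
```

Invoke-WebRequest will reject a self-signed certificate that the machine does not trust, so run the check with the CA-issued certificate selected in MDaemon.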

Source:

https://apa.aut.ac.ir/?p=162
