I've searched the forum for PFS and found one message relating to public folders only. What I'm looking for is a statement on PFS (perfect forward secrecy) support:
** did I miss it in the depths of property dialogs?
** if not supported yet: what is the official word on this?
Test sites detect STARTTLS on our MailEnable server but indicate a fail for PFS. STARTTLS and PFS are important security features these days. In the German state of Bavaria, PFS is required by authorities - if not right now then very soon.
Perfect Forward Secrecy (PFS) support ?
--
regards, Thomas Giger
Re: Perfect Forward Secrecy (PFS) support ?
Hi,
You must set the web server so that it uses PFS, it's not a MailEnable problem.
You must configure the web server so that it uses PFS. (IIS or Apache)
The link should help you: http://www.msxfaq.de/signcrypt/tlssecurity.htm
Best Regards
Re: Perfect Forward Secrecy (PFS) support ?
Seppy wrote:
Hi,
You must set the web server so that it uses PFS, it's not a MailEnable problem.
You must configure the web server so that it uses PFS. (IIS or Apache)
The link should help you: http://www.msxfaq.de/signcrypt/tlssecurity.htm

Thank you for your answer and the link, but I'm still confused. I need STARTTLS plus PFS on SMTP connections, not (only) on the web interface. Or are you saying that fiddling with Windows schannel.dll settings, as mentioned in this msxfaq article, would also provide PFS for SMTP?
--
regards, Thomas Giger
Re: Perfect Forward Secrecy (PFS) support ?
Hi,
PFS is only for browser, not for SMTP.
http://www.heise.de/security/artikel/Zu ... 23800.html
If you have any more questions, you can also send me a PM in German.
Re: Perfect Forward Secrecy (PFS) support ?
Seppy wrote: PFS is only for browser, not for SMTP.

Sorry, but not true. Why would https://de.ssl-tools.net/mailservers check for PFS if it wasn't possible with SMTP?
However, it seems that PFS with MailEnable SMTP could be achieved by configuring schannel.dll appropriately - if the Windows server version supports ECDHE / DHE, which should be the case on WS2008 [R2] and WS2012. Not on WS2003, though, and that's why I can't test it right away.
The question really is whether MailEnable uses schannel.dll or provides its own implementation. In Xwall (an Austrian spam filter product), PFS is apparently implemented independently of the underlying OS, or so it seems from the single line of "documentation" about the feature. That's why I thought MailEnable might have its own implementation too. But it's okay for me if it uses whatever the OS provides through schannel.dll.
At the moment it seems more sensible to me to examine the topic of "PFS with SMTP" here. Other mail servers can do it too, after all, and I would like to have it implemented, but I don't really feel like migrating our ME from WS2003 to WS2012 only to then find out that it doesn't work that way after all, because MailEnable doesn't use schannel.dll for SMTP at all.
--
regards, Thomas Giger
Re: Perfect Forward Secrecy (PFS) support ?
I had the same problem as you; only once I had reconfigured IIS did the PFS check pass as well.
So it does work.
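Added example, not part of any forum post and not MailEnable code: a Python probe that performs the SMTP STARTTLS handshake discussed in this thread and reports whether the negotiated cipher suite uses an ephemeral (EC)DHE key exchange, which is what the PFS test sites check. The function names and the host given on the command line are assumptions of this example.

```python
import smtplib
import ssl
import sys


def is_forward_secret(cipher_name: str, tls_version: str) -> bool:
    """True if the negotiated suite uses an ephemeral (EC)DHE key exchange."""
    if tls_version == "TLSv1.3":
        # A full TLS 1.3 handshake always uses ephemeral (EC)DHE.
        return True
    name = cipher_name.upper()
    if name.startswith("TLS_"):  # IANA style: TLS_ECDHE_RSA_WITH_...
        name = name[4:]
    # OpenSSL style: ECDHE-RSA-..., DHE-RSA-..., EDH-RSA-... (old alias).
    # Static ECDH-/DH- and plain RSA key exchange do not match.
    return name.startswith(("ECDHE", "DHE", "EDH"))


def probe_starttls(host: str, port: int = 25, verify: bool = True) -> dict:
    """Negotiate STARTTLS with host and report the suite the server picked."""
    ctx = ssl.create_default_context()
    if not verify:
        # Many MTAs use self-signed certificates; only the key exchange
        # is inspected here and no mail or credentials are sent.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    result = {"starttls": False, "version": None, "cipher": None, "pfs": False}
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return result
        smtp.starttls(context=ctx)
        cipher, _, _ = smtp.sock.cipher()
        version = smtp.sock.version()
    result.update(starttls=True, version=version, cipher=cipher,
                  pfs=is_forward_secret(cipher, version))
    return result


if __name__ == "__main__":
    # Usage: python pfs_probe.py mail.example.org  (hostname is a placeholder)
    print(probe_starttls(sys.argv[1]))
```

The result reflects only the suite chosen for this client's offer; a server can still accept non-PFS suites from other clients.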