Perfect Forward Secrecy (PFS) support ?

TMA
Posts: 5
Joined: Thu Oct 16, 2014 6:40 am

Perfect Forward Secrecy (PFS) support ?

Post by TMA »

I've searched the forum for PFS and found one message relating to public folders only. What I'm looking for is a statement on PFS (perfect forward secrecy) support:

* did I miss it in the depths of property dialogs?

* if not supported yet: what is the official word on this?

Test sites detect STARTTLS on our MailEnable server but indicate a fail for PFS. STARTTLS and PFS are important security features these days. In the German state of Bavaria, PFS is required by the authorities, if not right now then very soon.
--
regards, Thomas Giger

Seppy
Posts: 31
Joined: Thu Apr 12, 2007 9:07 am

Re: Perfect Forward Secrecy (PFS) support ?

Post by Seppy »

Hi,

You must set the web server so that it uses PFS; it's not a MailEnable problem.

You must configure the web server so that it uses PFS. (IIS or Apache)
This link should help you: http://www.msxfaq.de/signcrypt/tlssecurity.htm

Best Regards

TMA
Posts: 5
Joined: Thu Oct 16, 2014 6:40 am

Re: Perfect Forward Secrecy (PFS) support ?

Post by TMA »

Seppy wrote: Hi,
You must set the web server so that it uses PFS; it's not a MailEnable problem.

You must configure the web server so that it uses PFS. (IIS or Apache)
This link should help you: http://www.msxfaq.de/signcrypt/tlssecurity.htm
Thank you for your answer and the link, but I'm still confused. I need STARTTLS plus PFS on SMTP connections, not (only) on the web interface. Or are you saying that fiddling with Windows schannel.dll settings, as mentioned in this msxfaq article, would also provide PFS for SMTP?
--
regards, Thomas Giger

Seppy
Posts: 31
Joined: Thu Apr 12, 2007 9:07 am

Re: Perfect Forward Secrecy (PFS) support ?

Post by Seppy »

Hi,
PFS is only for browsers, not for SMTP.
http://www.heise.de/security/artikel/Zu ... 23800.html

If you have any more questions, you can also send me a PM in German. :)

TMA
Posts: 5
Joined: Thu Oct 16, 2014 6:40 am

Re: Perfect Forward Secrecy (PFS) support ?

Post by TMA »

Seppy wrote: PFS is only for browsers, not for SMTP.
Sorry, but not true. Why would https://de.ssl-tools.net/mailservers check for PFS if it wasn't possible with SMTP?

However, it seems that PFS with MailEnable SMTP could be achieved by configuring schannel.dll appropriately - if the Windows server version supports ECDHE / DHE, which should be the case on WS2008 [R2] and WS2012. Not on WS2003, though, and that's why I can't test it right away.

The question really is whether MailEnable uses schannel.dll or provides its own implementation. In Xwall (an Austrian spam filter product), PFS is apparently implemented independently of the underlying OS, or so it seems from the single line of "documentation" about the feature. That's why I thought MailEnable might have its own implementation too. But it's okay for me if it uses whatever the OS provides through schannel.dll.

At the moment it seems more sensible to me to question the topic "PFS with SMTP" here. Other mail servers can do it, and I would like to have it implemented, but I don't really feel like migrating our ME from WS2003 to WS2012 only to find out that it doesn't work after all because MailEnable doesn't use schannel.dll for SMTP at all.
--
regards, Thomas Giger
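The post above asks whether an OS-level SChannel change actually reaches the SMTP listener. The quickest way to find out is to do what the test sites do: connect to port 25, issue STARTTLS, and look at the negotiated key exchange. The script below is an added example written for this thread; it is not MailEnable code and not from any poster here. It assumes a hostname passed on the command line and uses only the Python standard library. It first reports the cipher a normal client would negotiate, then repeats the handshake offering only ECDHE/DHE suites, so a failure in the second step means the server has no forward-secret suite enabled at all, regardless of what the web interface on IIS does.

```python
import smtplib
import ssl
import sys

# OpenSSL-style cipher names whose key exchange is ephemeral (EC)DH.
# With these, the session key cannot be recovered later from the server's
# long-term RSA key, which is what "forward secrecy" means.
PFS_KEX_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# TLS 1.3 suite names start with "TLS_" and always use ephemeral key exchange.
TLS13_PREFIX = "TLS_"


def cipher_has_pfs(cipher_name: str) -> bool:
    """Classify a negotiated cipher suite name as forward-secret or not."""
    name = cipher_name.upper()
    return name.startswith(PFS_KEX_PREFIXES) or name.startswith(TLS13_PREFIX)


def _make_context(pfs_only: bool) -> ssl.SSLContext:
    # Certificate verification is switched off on purpose: the goal here is
    # to inspect the key exchange, not to validate the certificate chain.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Legacy servers (the thread mentions WS2003) may only speak TLS 1.0;
    # whether the local OpenSSL still allows that depends on its policy.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    if pfs_only:
        # Offer nothing but ephemeral-DH suites; if the server cannot
        # complete the handshake, it has no forward-secret suite enabled.
        ctx.set_ciphers("ECDHE:DHE")
    return ctx


def check_starttls(host: str, port: int = 25, pfs_only: bool = False,
                   timeout: float = 10.0) -> dict:
    """Connect, upgrade with STARTTLS and report protocol/cipher/PFS."""
    result = {"starttls": False, "protocol": None, "cipher": None,
              "bits": None, "pfs": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["error"] = "server does not advertise STARTTLS"
                return result
            smtp.starttls(context=_make_context(pfs_only))
            smtp.ehlo()
            # After starttls() smtp.sock is an SSLSocket.
            name, protocol, bits = smtp.sock.cipher()
            result.update({"starttls": True, "protocol": protocol,
                           "cipher": name, "bits": bits,
                           "pfs": cipher_has_pfs(name)})
    except (OSError, smtplib.SMTPException, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: starttls_pfs_check.py <mailhost> [port]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    default = check_starttls(host, port)
    print("default offer :", default)
    strict = check_starttls(host, port, pfs_only=True)
    print("PFS-only offer:", strict)
    if strict["starttls"] and strict["pfs"]:
        print("server can negotiate forward secrecy on SMTP")
    else:
        print("server has no forward-secret suite enabled on SMTP")
```

Run it once before and once after changing the SChannel cipher suite order on the server: if the "PFS-only offer" line goes from an error to an ECDHE or DHE suite, the SMTP service is using the OS TLS stack and the change has taken effect; if it stays at an error while the web interface passes, SMTP is negotiating TLS through some other path and the web server setting alone will not fix the test result.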

Seppy
Posts: 31
Joined: Thu Apr 12, 2007 9:07 am

Re: Perfect Forward Secrecy (PFS) support ?

Post by Seppy »

I had the same problem as you; only after I reconfigured IIS did the PFS check also pass successfully.

So it works. ;-)
