How to set up secure SSL/TLS (TLS v1.2) on your server

This guide explains how to set up TLS v1.2 for email on your Hexamail server, so that you can send and receive mail over channels encrypted with TLS v1.2.

By default Hexamail supports every cipher suite and protocol version that Schannel has enabled within Windows. Some versions of Windows do not enable TLS v1.2 by default. You can find out more about the protocols and cipher suites each Windows version supports in the Microsoft article listed under References.

Checking for TLS v1.2 support

First check whether your server already supports TLS v1.2. To do this use the openssl command-line tool (the s_client subcommand), run from a machine that can reach the server; on the server itself the target is localhost:

openssl s_client -connect localhost:465

This should connect and report the version of TLS that was negotiated in the SSL-Session block:

SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 301B0000DA0389905092C8B31036ECBC8A8511F5518AA0761A787D35F03CAC4E
    Session-ID-ctx:
    Master-Key: 1B9EB7B4FB97863FB70D81143F25D28DF7850FA336813DBD904B2B314E2EA246DA24D285D3AC2D67B854A954E6349C05
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1533119079
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---

The Protocol line is the one to check. "Verify return code: 21" means openssl could not build a trust chain for the server certificate, usually because the issuing CA is not in openssl's default trust store; it does not affect the protocol check, but you can add -CAfile with your CA certificate to confirm that the chain validates as well.

If it cannot connect, check that you have enabled SSL under Hexamail Admin / SMTP Server / Network settings, and that you have installed and selected an appropriate certificate as described in the guide to setting up SSL.
If it connects but the Protocol line does not show TLSv1.2, you may need to enable TLS v1.2 on your Windows server as described in the following section.

Setting up TLSv1.2 support under Windows

Windows 7 and Windows Server 2008 R2 support TLS 1.1 and TLS 1.2, but these protocol versions are not enabled by default on those systems. On Windows 8 / Windows Server 2012 and later they are enabled by default.

To enable TLS 1.1 and TLS 1.2 on Windows 7 or Windows Server 2008 R2, import the following registry values (each one sets DisabledByDefault to 0 for the client or server side of the protocol):

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
Alternatively download and double click the following file: enabletls12.reg
Reboot the server afterwards: Schannel reads these settings at startup, so the change does not take effect until then.

Next recheck your TLS setup:

openssl s_client -connect localhost:465 -tls1_2

The -tls1_2 flag forces openssl to offer only TLS v1.2, so the connection should now succeed and the SSL-Session block should report TLSv1.2:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 301B0000DA0389905092C8B31036ECBC8A8511F5518AA0761A787D35F03CAC4E
    Session-ID-ctx:
    Master-Key: 1B9EB7B4FB97863FB70D81143F25D28DF7850FA336813DBD904B2B314E2EA246DA24D285D3AC2D67B854A954E6349C05
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1533119079
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---

If the -tls1_2 connection still fails after importing the registry values, confirm that the server has been rebooted since the change.
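As an added example (not part of the Hexamail documentation), the following POSIX shell script automates the openssl s_client check used above and repeats it once per protocol version, so you can see in one run which versions the server accepts after the registry change. It goes slightly beyond the page: it also supports STARTTLS on ports 25/587 as well as implicit TLS on 465, and it recognises the "Cipher : 0000" that s_client prints when a handshake fails, since the Protocol line alone is printed even for rejected versions. The host names, ports and sample transcripts are constructed for illustration, not captured from a real server.

```sh
#!/bin/sh
# Added example (not part of the Hexamail documentation): probe an SMTP/TLS
# endpoint with openssl s_client once per protocol version and report which
# versions the server accepts. Host/port arguments are whatever you pass in.

# Extract the negotiated version from the "Protocol  :" line of s_client output.
parse_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# Extract the cipher from the SSL-Session block. s_client prints "0000" here
# when the handshake failed, so the cipher (not the Protocol line) tells you
# whether the version was actually accepted.
parse_cipher() {
    printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Extract the numeric verify return code (0 means the chain validated).
parse_verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1
}

# Turn one s_client transcript into a verdict: "accepted TLSv1.2 verify=21",
# "rejected", or "unsupported-flag" (this openssl build lacks the version flag).
verdict() {
    out=$1
    case $out in
        *"nknown option"*) printf 'unsupported-flag\n'; return ;;
    esac
    cipher=$(parse_cipher "$out")
    if [ -n "$cipher" ] && [ "$cipher" != "0000" ] && [ "$cipher" != "(NONE)" ]; then
        printf 'accepted %s verify=%s\n' "$(parse_protocol "$out")" "$(parse_verify_code "$out")"
    else
        printf 'rejected\n'
    fi
}

# Run s_client forcing one version flag (-tls1, -tls1_1, -tls1_2, -tls1_3).
# Pass "smtp" as $4 to use STARTTLS (ports 25/587) instead of implicit TLS (465).
# </dev/null closes stdin so s_client exits right after the handshake.
probe_version() {
    if [ -n "${4:-}" ]; then
        openssl s_client -connect "$1:$2" "$3" -starttls "$4" </dev/null 2>&1
    else
        openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1
    fi
}

# Probe every version and print one verdict line per flag.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(verdict "$(probe_version "$1" "$2" "$flag" "${3:-}")")"
    done
}

# Constructed sample transcripts (not captured from a real server), showing
# what the parser does with a successful and with a failed handshake.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Verify return code: 21 (unable to verify the first certificate)
---'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
---'

# Usage: sh tls_probe.sh mail.example.com 465        (implicit TLS, as on the page)
#        sh tls_probe.sh mail.example.com 587 smtp   (STARTTLS)
if [ $# -ge 2 ]; then
    probe_all "$@"
fi
```

Each version flag produces a line such as "-tls1_2  accepted TLSv1.2 verify=21". A verify code other than 0 means openssl could not build a trust chain for the server certificate; add -CAfile with your CA certificate to the s_client call to check the chain too. Once TLS v1.2 shows as accepted, the same output also tells you which older versions the server still accepts.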

References: Microsoft KB 245030, "How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll": http://support.microsoft.com/kb/245030