Who: All FutureQuest email users (Apple users in particular)
What: Secure mail server configuration change, removal of DES/3DES encryption and TLS 1.0 support.
Date: Dec 6, 2016
Due to a recently discovered vulnerability (CVE-2016-2183, AKA "Sweet32") we will need to disable all 64-bit block ciphers in our email servers. Specifically, this means ending support for the DES and 3DES ciphers.
Since an attacker needs to capture a large amount of traffic (at least 785 GB) from a single connection to recover some data, we had initially regarded this as a low priority (as did the OpenSSL team themselves). However, security scanners (notably TrustWave PCI Compliance) are now beginning to penalize sites for having these ciphers available on any port that has TLS enabled.
As such, we will be disabling all ciphers using DES and 3DES for all mail protocols on the above date. Since this affects the same email client software as removing TLS 1.0 support, we are also disabling TLS 1.0 support at the same time.
We understand this will cause problems with some older mail clients, as well as newer software on most Apple computers. Essentially the same email clients that were affected by the TLS issue, as noted here, will also be affected by this.
To assist with the transition, we have set up a special proxy at legacy-tls.futurequest.net that is configured to allow these old protocols. You will need to configure your mail software to use the full mailbox name as the username (i.e. "somebody@example.com"), but otherwise it works the same as the existing mail servers.
For those affected, as noted above, you will need to change the POP, SMTP and IMAP server settings in your email client to:
POP Server: legacy-tls.futurequest.net, Port: 995
SMTP Server: legacy-tls.futurequest.net, Port: 465
IMAP Server: legacy-tls.futurequest.net, Port: 993
You will also need to ensure the username for POP, SMTP and IMAP is set to your full email address, i.e. username@yourdomain.com

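As an added example (not part of FutureQuest's post or tooling), here is a Python check an administrator could run after the cutover to confirm that a mail host really refuses TLS 1.0 and the DES/3DES suites on the implicit-TLS ports listed above (995, 465, 993). The host name in the block is a placeholder to be replaced with your own server; the name-based classifier also flags the other 64-bit block ciphers (IDEA, RC2) that Sweet32 covers.

```python
import re
import socket
import ssl

# Name fragments marking a 64-bit block cipher. DES/3DES are what this change
# removes; IDEA and RC2 are the other Sweet32 (CVE-2016-2183) ciphers. Works
# for OpenSSL names ("DES-CBC3-SHA") and IANA names ("TLS_RSA_WITH_3DES_...").
SWEET32_MARKERS = ("DES", "3DES", "IDEA", "RC2")
THREE_DES = "DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:@SECLEVEL=0"

def is_64bit_block_cipher(suite):
    """True if the cipher-suite name uses a 64-bit block cipher."""
    parts = re.split(r"[-_]", suite.upper())
    return any(p.startswith(m) for p in parts for m in SWEET32_MARKERS)

def sweet32_suites(offered):
    """Filter a server's offered suite list down to the ones to disable."""
    return [s for s in offered if is_64bit_block_cipher(s)]

def negotiate(host, port, ciphers, max_version=ssl.TLSVersion.TLSv1_2):
    """Try one handshake on an implicit-TLS port (995/465/993). Returns the
    negotiated suite name, or None if the server (or local OpenSSL) refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # probing protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = max_version   # capped at 1.2: 1.3 ignores set_ciphers
        ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, ValueError, OSError):
        return None

def audit_mail_host(host, ports=(995, 465, 993)):
    """Per port: does the host still accept TLS 1.0, or negotiate a 3DES suite?"""
    findings = {}
    for port in ports:
        findings[f"{port}/tls1.0"] = negotiate(
            host, port, "ALL:@SECLEVEL=0", max_version=ssl.TLSVersion.TLSv1) is not None
        suite = negotiate(host, port, THREE_DES)
        findings[f"{port}/3des"] = suite is not None and is_64bit_block_cipher(suite)
    return findings

if __name__ == "__main__":
    # Placeholder host (assumption): point this at your own mail server.
    for check, accepted in audit_mail_host("mail.example.invalid").items():
        print(check, "STILL ACCEPTED" if accepted else "refused")
```

A "refused" result for every check after the change is the expected outcome; any "STILL ACCEPTED" line means the scanner finding described above would still fire on that port.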
You can make these changes immediately if you believe your email client will be affected.
Also note that since this requires changes to your email client settings, most email clients will prompt you to re-enter your password, so make sure you have it on hand when making the change. If you don't remember your email password, you can reset it from your CNC Email Manager:
https://Service.FutureQuest.net/kba65
Now for the plus side: for those of you whose email clients continue to present a "Certificate Mismatch" warning when you access your mail, using the special proxy legacy-tls.futurequest.net will remove the "Certificate Mismatch" issue.
In addition to this Community Forums post, we will also be sending an email notice with the above information to all Primary, Secondary and Technical Contacts.
In a separate but related issue, for sites that require PCI compliance we have also made TLS 1.0 and DES/3DES support optional for HTTPS (port 443) sites. This allows site owners with HTTPS certificates to choose between stronger network encryption to satisfy PCI requirements and broader browser compatibility when PCI certification is not an issue.
This will soon be an option in the CNC, but until that is finished, anyone wanting to disable TLS 1.0 and DES/3DES on their HTTPS site should contact us at the Service desk and request DES/3DES disabling:
Service@FutureQuest.net
We will expand on this feature in a separate Community Forums post later when the CNC addition is ready.
Thanks,
The FutureQuest Team
Update: 1:00 PM ET Dec 6, 2016: DES/3DES and TLS 1.0 support has been removed from the Mail Services.