FutureQuest, Inc.

11-28-2016, 11:14 AM   Postid: 185491
Bob
Service Rep
Join Date: Dec 1999
Location: Jacksonville, Fl
Posts: 5,730
[FQuest Alert] Removal of DES/3DES Encryption Support

Who: All FutureQuest email users (Apple users in Particular)
What: Secure mail server configuration change, Removal of DES/3DES Encryption and TLS 1.0 Support.
Date: Dec 6, 2016

Due to a recently discovered vulnerability (CVE-2016-2183 AKA "Sweet 32") we will need to disable all 64-bit block ciphers in our email servers. Specifically, this means ending support for the DES and 3DES ciphers.

Since an attacker needs to capture a large amount of traffic (at least 785GB) to recover some data from a connection, we had initially regarded this as a low priority (as did the OpenSSL team themselves). However, security scanners (notably TrustWave PCI Compliance) are now beginning to penalize sites for having these ciphers available on any port that has TLS enabled.

As such, we will be disabling all the ciphers using DES and 3DES for all the mail protocols on the above date. As this ends up affecting the same email client software as removing TLS 1.0 support we are also disabling TLS 1.0 support as well.

We understand this will cause problems with some older mail clients, as well as newer software on most Apple computers. Essentially the same email clients that were affected by the TLS issue, as noted here, will also be affected by this.

To assist with the transition, we have set up a special proxy at legacy-tls.futurequest.net that is configured to allow these old protocols. You will need to configure your mail software to use the full mailbox name as the username (i.e. "somebody@example.com"), but otherwise they work the same as the existing mail servers.

For those affected, as noted above, you will need to make a change in the POP and SMTP Server set in your respective Email Client to:
POP Server: legacy-tls.futurequest.net
Port: 995

SMTP Server: legacy-tls.futurequest.net
Port: 465

IMAP: legacy-tls.futurequest.net
Port: 993

You will also need to ensure the Username for POP, SMTP and IMAP is set as your Full Email Address, i.e. username@yourdomain.com

You can make these changes immediately if you believe your email client will be affected.

Also note that since this will require changes in your Email Client settings most email clients will prompt you to re-enter your password so make sure you have that on hand when making the change. If you don't remember your email password you can reset it from your CNC Email Manager.
https://Service.FutureQuest.net/kba65

Now for the Plus side of this: for those of you whose email clients continue to present a "Certificate Mismatch" warning when you access your mail, using the special proxy legacy-tls.futurequest.net will remove the "Certificate Mismatch" issue.

In addition to this Community Forums Post we will also be sending an Email Notice to all Primary, Secondary and Technical Contacts with the above information.

In a separate, but related issue, for sites that require PCI Compliance we have also made TLS 1.0 and DES/3DES support optional for HTTPS (port 443) sites. This will allow site owners with HTTPS certificates to choose between better network encryption to satisfy PCI requirements or better browser compatibility when PCI certification is not an issue.

This will soon be an option in the CNC, but until that has been finished, anyone wanting to disable TLS 1.0 and DES/3DES on their HTTPS site should contact us at the Service desk and request DES/3DES disabling: Service@FutureQuest.net

We will expand on this feature in a separate Community Forums post later when the CNC addition is ready.

Thanks,
The FutureQuest Team

Update: 1:00 PM ET Dec 6, 2016 DES/3DES and TLS 1.0 Support has been removed from the Mail Services
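
Added example, not part of the original post and not FutureQuest's configuration: a Python check that an OpenSSL-backed TLS configuration no longer offers DES/3DES suites or TLS 1.0, the two things the announcement removes. The cipher string, the TLS 1.2 floor, the function names and the sample suite names are assumptions constructed for illustration.

```python
import re
import ssl

# Constructed sample of suite names in OpenSSL and IANA spelling (not from the page).
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",                    # 3DES, OpenSSL spelling
    "ECDHE-RSA-DES-CBC3-SHA",          # 3DES with ECDHE key exchange
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",   # 3DES, IANA spelling
    "EXP-DES-CBC-SHA",                 # single DES (export)
    "TLS_AES_256_GCM_SHA384",
]

def uses_des_family(suite_name):
    """True if the suite name contains a DES or 3DES token."""
    # Split on separators so "DES" is matched as a whole component of the name.
    tokens = re.split(r"[-_]", suite_name.upper())
    return any(t == "3DES" or t.startswith("DES") for t in tokens)

def flag_suites(names):
    """Return the names that rely on DES/3DES, keeping input order."""
    return [n for n in names if uses_des_family(n)]

def audit(ctx):
    """Report what an ssl.SSLContext would still negotiate."""
    names = [c["name"] for c in ctx.get_ciphers()]
    # TLS 1.0 is reachable only if the floor permits it and it is not masked off.
    tls10 = (ctx.minimum_version <= ssl.TLSVersion.TLSv1
             and not ctx.options & ssl.OP_NO_TLSv1)
    return {"des_suites": flag_suites(names), "tls10_allowed": tls10}

def hardened_server_context():
    """Assumed policy: no DES/3DES, protocol floor above TLS 1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT:!3DES:!DES")
    # The announcement only says TLS 1.0 goes away; 1.2 is this example's floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    print(flag_suites(SAMPLE_SUITES))
    print(audit(hardened_server_context()))
```

Running `audit` against the context a service actually loads shows whether a scanner would still find a 64-bit block cipher or TLS 1.0 on that port.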

11-28-2016, 03:57 PM   Postid: 185492
artemis
Site Owner
Join Date: Apr 2004
Posts: 221
Re: [FQuest Alert] Removal of DES/DES3 Encryption Support

Ok, Thanks, I think

Since I don't fully understand this, I have a couple questions that may not be real smart, but...

I do not remember having any issues in Sept but ...

It sounds like I need to contact all my clients with fq hosting who use domain email on their iphones (assuming they use mail) and have them change their configuration -- is that correct?

In my own case, I use an older version of Outlook (2007) which I know you can't support individual email clients so that is just fyi, it's set for ports 995 and 465 for SSL (not TLS) however I do get that mismatch error, as do most of my people who pull pop mail with a client -- is this the type of configuration that is going to need to change? If someone gets the mismatch error is that an indicator that their config. needs to be updated before Dec 6th?

And last, is this going to affect Contribute? -- do you know? Can I test it now if I ask you to turn off TLS on a https domain?

Thanks, the Grasshopper

11-28-2016, 04:11 PM   Postid: 185493
Bob
Service Rep
Join Date: Dec 1999
Location: Jacksonville, Fl
Posts: 5,730
Re: [FQuest Alert] Removal of DES/DES3 Encryption Support

Hello,

Quote:
If someone gets the mismatch error is that an indicator that their config. needs to be updated before Dec 6th?

No, that doesn't indicate a possible issue with TLS 1.0 being disabled...

As far as we are aware all Apple Email Clients are affected and would need to change their email configurations to use legacy-tls.futurequest.net as their POP, SMTP and/or IMAP mail server.

There is a good chance that Outlook 2007 would also be affected.

If someone is using an Apple platform and web based email, i.e. http://QuestMail.FutureQuest.net, they would not be affected.

There is no way I am aware of to test beforehand if disabling TLS 1.0 will affect their mail client.

The issue with disabling TLS 1.0 and DES/DES3 for web access should not have any effect on how you create your web site, it would only affect those attempting to access your site and unless you have PCI compliance issues we are not recommending disabling TLS 1.0 for your web site at this time.

-Bob

11-28-2016, 05:51 PM   Postid: 185494
jestaguy
Site Owner
Join Date: Apr 2007
Posts: 26
Re: [FQuest Alert] Removal of DES/DES3 Encryption Support

Hi Bob,
I'm trying the new settings on my iphone, as IMAP on port 993 as instructed above, using Apple's stock email client. However I'm getting a "the mail server is not responding" error. I didn't seem to get an error on the outgoing.

*update*
I just tried a test in Outlook (Office 365), Windows 10, and I get an error on the outgoing, but can receive incoming. Set as POP.

*update 2*
It appears incoming email on the iphone works, but sending does not. Same for Outlook (though I'm guessing the current Outlook won't be affected by the change so I could leave the original settings intact.)

Any thoughts?
Thanks!

Last edited by jestaguy : 11-28-2016 at 06:27 PM.

11-28-2016, 06:35 PM   Postid: 185495
Bruce
Developer
Join Date: Apr 2001
Location: Saskatoon, SK, Canada
Posts: 1,349
Re: [FQuest Alert] Removal of DES/DES3 Encryption Support

Quote:
Originally Posted by jestaguy
I'm trying the new settings on my iphone, as IMAP on port 993 as instructed above, using Apple's stock email client. However I'm getting a "the mail server is not responding" error. I didn't seem to get an error on the outgoing.

There was a typo in the initial connection banner of the new IMAP proxy software we put in place to support this service. I have corrected the typo and verified the proxy now outputs the right kind of banner. Please try IMAPS again.
__________________
Bruce Guenter, FutureQuest https://www.FutureQuest.net/ https://untroubled.org/

11-28-2016, 09:20 PM   Postid: 185496
andyrew
Site Owner
Join Date: Sep 2003
Location: Atlanta, GA
Posts: 58
Re: [FQuest Alert] Removal of DES/3DES Encryption Support

Just a note to those (such as I) who own--and use--an iPhone with the latest iOS/desktop with ElCap/Lap w/Sierra, and fully inhabit the 'Apple' ecosystem:

Initially, I heeded the recommendation from Bob (via an email I received through my iOS device) to attend to the situation at-hand.

I decided to switch-over to using legacy-tls.futurequest.net, and was faced with a particular complication...

...the entirety of the email received via IMAPS viewed in "All Inboxes" had a date of "Something, 1969", with no content.

<aside>I am in the process of buying a house, and the loss of current dialogue--frankly--floored me.</aside>

Further assessment proved that I could view all my emails correctly in their respective accounts, but--having become accustomed to having everything concatenated in one, unified "inbox"--the loss of such was troublesome, to say the least. Angst ensued.

Basically, I freaked (of course), and switched-back to the settings of yester, only to be greeted with the same results ;/

gah!

<sober>What does one do in such circumstance</sober> ?

I switched-back.

Lo (and behold), all my emails re-asserted themselves in their proper order--and in their proper format--right before my eyes.

I've placed my trust in the security and sanctity of FQ to provide me with Service since 2003, and there has never been a lapse in my judgement; nor have my expectations ever, ever been let-down.

Just wanted to reply, and offer feedback on how these odd--and awkward--series of events impact a Member and User of FQ.

Regards, andyrew

hth

11-28-2016, 09:37 PM   Postid: 185497
jestaguy
Site Owner
Join Date: Apr 2007
Posts: 26
Re: [FQuest Alert] Removal of DES/3DES Encryption Support

My messages disappeared as well (pop account). Andyrew, are you saying you found a way to have them appear with the new server settings?

Bruce / Bob, any thoughts on how to preserve the messages? My wife might murder me if this happens on her iMac. Thanks!

11-28-2016, 09:47 PM   Postid: 185498
Kevin
Systems Administrator
Join Date: Aug 2001
Location: Orlando, FL
Posts: 2,986
Re: [FQuest Alert] Removal of DES/3DES Encryption Support

When you are losing messages, did you delete the account from your email client then add a new account or did you just modify the server settings on the existing account? If you were using POP then your email was probably only on your system. If you were using IMAP then the new should be identical to the old even if you deleted the account.
__________________
Kevin

11-28-2016, 09:58 PM   Postid: 185499
jestaguy
Site Owner
Join Date: Apr 2007
Posts: 26
Re: [FQuest Alert] Removal of DES/3DES Encryption Support

Hey Kevin,
For the account, I just updated the server info rather than deleting anything. The missing messages seem to be a POP issue. My guess is Apple is treating different server locations as different buckets of data. Once the server changes, the messages associated with that "setting" disappear. IMAP (which I use for some other accounts on FQ) seems to be ok.

11-29-2016, 02:10 AM   Postid: 185501
artemis
Site Owner
Join Date: Apr 2004
Posts: 221
Re: [FQuest Alert] Removal of DES/DES3 Encryption Support

Thanks Bob and All,

Ok, I'll go through my list. I was thinking of trying to find time to prep for January billings early anyhow. This will affect only a few but enough to make life interesting. Getting rid of the security mismatch will be a silver lining. I think I'll wait a day or two to test it myself though given the talk here of missing messages.

All times are GMT -4.