Enhancing SSL Security
+++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++ DRAFT +++
While setup and configuration of MailStore SPE is just a matter of minutes when sticking to the defaults, additional actions can be taken to enhance the overall security of MailStore Service Provider Edition. These are explained in the following sections.
Harding SSL
Harding SSL consist of mainly of disabling insecure ciphers and hashes as well as prioritize cipher suites that allow the use of Perfect Forward Secrecy.
As all components of the MailStore Service Provider Edition rely on the Windows' security support provider (SSP) called Secure Channel (also known as Schannel), a number of registry keys have to be created or modified to disable insecure ciphers and hashes. Although Microsoft's Technet article How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll describes in detail which registry keys are responsible for the security provider settings, it is not recommended to manually change these keys. A safer way to adjust the Schannel settings for server applications is Nartac Software's IIS Crypto tool.
Recommended Settings
The highest level of security can be achieved with the following settings in IIS Crypto. Be aware that this will prevent Windows XP clients from connecting. If support for Windows XP is mandatory, use the Best Practice template of IIS Crypto which re-enables some weaker ciphers.
| Protocols Enabled | TLS 1.0 TLS 1.1 TLS 1.2 |
| Ciphers Enabled | AES 128/128 AES 256/256 |
| Hashes Enabled | SHA |
| Key Exchange Enabled | Diffie-Hellman PKCS |
| SSL Cipher Suite Order | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 |
