Disabling weak SSL protocols and ciphers

MDaemon relies upon Windows to provide SSL services. This includes modern SSL versions as well as some older, less secure protocols and ciphers. You can modify the Windows registry to increase the security of your SSL implementation, though very old clients may then have issues.

To disable protocols PCT1 and SSL2.0, use the Disable-PCT-1.0-SSL-2.0-and-weak-ciphers.reg file available in RAR or ZIP format. Note that the RAR carries an authenticity verification signature, signed by Dave Warren, and should not be used if this signature is missing.

The contents of the .REG file are shown below; be aware that some word-wrap issues might occur. Please use the RAR or ZIP downloads above.

To disable PCT 1.0 and SSL 2.0:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

And to remove weak ciphers:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]

Please be sure to create a full backup of your system before proceeding; modifying the Windows Registry can be dangerous and can result in unexpected behaviours.
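
To confirm what the import actually changed, the following read-only audit reports the state of every SCHANNEL key named in the two listings above. It is an added example, not part of the original page or the downloadable .REG file. Schannel acts on an Enabled DWORD under each key (0 disables), so a key that exists without that value leaves the Windows default in force; the function name Get-SchannelState is hypothetical.

```powershell
# Added example: read-only audit of the SCHANNEL keys listed on this page.
$root = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys copied from the page's two .REG listings.
$subkeys = @(
    'Protocols\PCT 1.0\Client', 'Protocols\PCT 1.0\Server',
    'Protocols\SSL 2.0\Client', 'Protocols\SSL 2.0\Server',
    'Protocols\SSL 3.0\Client', 'Protocols\SSL 3.0\Server',
    'Protocols\TLS 1.0\Client', 'Protocols\TLS 1.0\Server',
    'Ciphers\DES 56/56', 'Ciphers\RC2 128/128', 'Ciphers\RC2 40/128',
    'Ciphers\RC4 128/128', 'Ciphers\RC4 40/128', 'Ciphers\RC4 56/128',
    'Ciphers\Triple DES 168/168'
)

function Get-SchannelState {   # hypothetical helper name
    param([string]$SubKey)
    # Use the .NET registry API here: the PowerShell registry provider treats
    # the "/" in cipher names such as "DES 56/56" as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$root\$SubKey")
    $enabled = $null
    if ($null -eq $key) {
        $state = 'key missing (Windows default applies)'
    } else {
        $enabled = $key.GetValue('Enabled', $null)
        $key.Close()
        if ($null -eq $enabled) {
            $state = 'key present, no Enabled value (Windows default applies)'
        } elseif ($enabled -eq 0) {
            $state = 'disabled'
        } else {
            $state = 'enabled'
        }
    }
    # Show the raw DWORD in hex so 0xFFFFFFFF is not displayed as -1.
    $raw = if ($null -ne $enabled) { '0x{0:X8}' -f $enabled } else { '' }
    [pscustomobject]@{ SubKey = $SubKey; Enabled = $raw; State = $state }
}

$subkeys | ForEach-Object { Get-SchannelState $_ } | Format-Table -AutoSize
```

Run it before and after importing the .REG file and compare the two tables; any row still showing "Windows default applies" was not changed by the import.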

Cheap SSL Certificates

I often see discussions about where to get reasonably priced SSL certificates, and so I’d like to share my source.

For some time I’ve been using a RapidSSL reseller called “RapidSSL Online

Unlike much of the competition, their prices start at $14.95 USD/year, offering a 128/256-bit single-root SSL certificate.

I have no affiliation with them beyond being a satisfied customer, and I receive no compensation for this referral; I simply detest some of the larger players charging substantially more for what is ultimately the same thing.

MultiPOP and Gmail

MDaemon has a feature called MultiPOP which, when enabled, will cause MDaemon to download all messages from one or more POP3 accounts and deliver them directly to an MDaemon user’s mailbox.

The dialog has simple hostname, username and password fields, plus options to leave mail on the server or not. What isn’t obvious is how to support hosts like Gmail, which require SSL. As it turns out, MDaemon actually does support Gmail and other SSL-enabled POP3 hosts.

There are a number of ways to access the MultiPOP configuration for an account: through MDaemon’s account editor, or through WorldClient or WebAdmin (both web options only being available if the user is allowed to use MultiPOP).

To set up MultiPOP to pull mail from a POP3 account which requires SSL, open the MultiPOP dialog and enter the hostname or POP3 server name followed by :995.

:995 tells MDaemon to use port 995, and MDaemon automatically switches to SSL mode since SSL is required for port 995.

For Gmail, enter the hostname “pop.gmail.com:995” and the username, which must include the @domain portion. For example, for [email protected], you need to enter the full [email protected] address, not just “dave.warren”.

For Gmail you should set MDaemon to delete mail from the server, as Gmail doesn’t honour this; instead, Gmail allows you to control what happens to mail after it’s downloaded (leave it in the Inbox, archive it, or delete it).

Note that the instructions are the same for googlemail.com and for other mailboxes hosted by Google; just use the appropriate email address in the username field.

One other thing to be aware of with Gmail in particular: Gmail doesn’t automatically enable POP3 access. You need to enable it by logging in to Gmail, going to Settings, then to the POP section and setting the appropriate option. If you choose to download all mail, Gmail only offers a few hundred messages at once, so if you are intending to download a massive Gmail mailbox into MDaemon, MDaemon will take some time as messages are downloaded in blocks of about 500 messages at a time.

UPDATE (2008/10/02): One other thing I forgot to mention: MDaemon must have SSL enabled. To enable SSL in MDaemon 10, go to the Security menu, choose Security, then go to “SSL & TLS” and enable the “Enable SSL…” option.

UPDATE (2011/11/10): This functionality was added to MDaemon in 9.6.3, described in the release notes as “[4037] DomainPOP and MultiPOP use TLS/SSL when connecting to port 995”. Users of earlier versions of MDaemon can use stunnel as a workaround or upgrade to a current version.