

wratterus

1687 posts

Uber Geek
+1 received by user: 678


#304013 28-Mar-2023 15:27

Anyone else receive an email from Spark noting they are changing to TLS encryption on Xtra mail accounts from May 1? And outgoing port changing to 587. Can't see any mention on their site about this yet. 


tdgeek
30048 posts

Uber Geek
+1 received by user: 9455

Trusted
Lifetime subscriber

  #3055857 28-Mar-2023 15:29

It's removing SSL, not adding TLS.

 

 




SirHumphreyAppleby
2938 posts

Uber Geek
+1 received by user: 1859


  #3055916 28-Mar-2023 17:20

tdgeek:

 

It's removing SSL, not adding TLS.

 

 

It looks like they're moving from port 465 (SMTPS) to 587 (STARTTLS), so there is a bit more involved than just disabling older SSL/TLS revisions which >99% of users likely wouldn't notice. While most users probably just need to change the port, some e-mail clients may need to be explicitly told to switch to STARTTLS as well. Blat also won't work... oh well, there is better software out there.

 

I'm getting lots of requests from users of my software asking if I support TLS 1.2. Seems to be a lot of providers are switching off SSL support at the present time on 587, where it makes sense to protect user credentials. It doesn't really make sense to turn it off on port 25 given e-mail must be accepted by an MX host without encryption... SSL is better than nothing if it's the best you can negotiate.


tdgeek
30048 posts

Uber Geek
+1 received by user: 9455

Trusted
Lifetime subscriber

  #3055925 28-Mar-2023 18:00

SirHumphreyAppleby:

 

It looks like they're moving from port 465 (SMTPS) to 587 (STARTTLS), so there is a bit more involved than just disabling older SSL/TLS revisions which >99% of users likely wouldn't notice. While most users probably just need to change the port, some e-mail clients may need to be explicitly told to switch to STARTTLS as well. Blat also won't work... oh well, there is better software out there.

 

I'm getting lots of requests from users of my software asking if I support TLS 1.2. Seems to be a lot of providers are switching off SSL support at the present time on 587, where it makes sense to protect user credentials. It doesn't really make sense to turn it off on port 25 given e-mail must be accepted by an MX host without encryption... SSL is better than nothing if it's the best you can negotiate.

 

 

AFAIK if the client is current, and the settings are SSL Port 465, the client will sort it out. If the client or device is old, that may mean a software update, manually update settings to TLS or get a modern device.




cheshirecat
50 posts

Geek
+1 received by user: 18


  #3056628 30-Mar-2023 16:31

What's going on here is that older, vulnerable protocols (such as SSLv3) are being retired, but you can continue to use TLS1.1 and TLS1.2 for encryption.

 

In addition, some of the less secure ciphers (3DES, RC4, RSA) are being removed from the ciphersuite.  This is only likely to affect people still using WinXP or Win7 as those system SSL libraries don't always have support for the more modern ciphers.  Spark are trying to balance between removing the older, less secure ciphers vs. keeping compatibility with as many customers' software as they can.

 

If you have Linux, install nmap and use these commands to see which ciphers and protocols are being advertised, and how good they are:

 

nmap -Pn --script ssl-enum-ciphers -p 465 send.xtra.co.nz

 

nmap -Pn --script ssl-enum-ciphers -p 993 imap.xtra.co.nz

 

You can also go to this site which will check any SSL endpoint to see how strict their ciphers are https://www.immuniweb.com/ssl/

 

The change of outgoing (submission) port from 465 to 587 is changing from using raw SSL to using STARTTLS.  As far as security is concerned, there's no difference as they both use TLS, but using STARTTLS rather than raw SSL is now considered best practice.  I suspect both ports will remain available for some time anyway, though using 587+STARTTLS will be the recommended one.
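
To triage what the nmap commands above print, the following added example (not part of the original post) parses ssl-enum-ciphers text output and flags the retired protocols and cipher families the post names. The sample output is constructed, not a real scan, and reading "RSA" as static RSA key exchange (TLS_RSA_WITH_* suites) is an assumption.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers` output (not a real scan).
SAMPLE = """\
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|_  least strength: C
"""

PROTO = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER = re.compile(r"^\|\s+(TLS_\S+|SSL_\S+)\s+\(.*?\)\s+-\s+([A-F])\s*$")
RETIRED_PROTOCOLS = {"SSLv2", "SSLv3"}  # "older, vulnerable protocols" in the post

def weak_reasons(cipher):
    """Return the weak categories (3DES, RC4, static RSA) a suite name falls into."""
    reasons = [tag for tag in ("3DES", "RC4") if tag in cipher]
    if cipher.startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_")):  # assumption: "RSA" = key exchange
        reasons.append("RSA key exchange")
    return reasons

def audit(nmap_output):
    """Return (protocol, cipher or None, reasons) for every flagged line."""
    findings, proto = [], None
    for line in nmap_output.splitlines():
        m = PROTO.match(line)
        if m:
            proto = m.group(1)
            if proto in RETIRED_PROTOCOLS:
                findings.append((proto, None, ["retired protocol"]))
            continue
        m = CIPHER.match(line)
        if m and proto:
            reasons = weak_reasons(m.group(1))
            if reasons:
                findings.append((proto, m.group(1), reasons))
    return findings
```

Pipe the output of either nmap command into audit() to see which advertised suites would disappear once the older protocols and ciphers are removed.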

 

 


FineWine
3111 posts

Uber Geek
+1 received by user: 2440

Trusted
Nurse (R)
Lifetime subscriber

  #3056689 30-Mar-2023 17:31

How will this affect macOS Apple Mail users?

 

I am currently using Mail 13.4 on macOS 10.15.7 and can not upgrade any further due to the age of my machine.

 

All 5 of my Mail POP addresses are set to Port 465 with TLS/SSL ticked though "Automatically manage connection settings" is also Ticked.





Whilst the difficult we can do immediately, the impossible takes a bit longer. However, miracles you will have to wait for.


tdgeek
30048 posts

Uber Geek
+1 received by user: 9455

Trusted
Lifetime subscriber

  #3056748 30-Mar-2023 18:33

FineWine:

 

How will this affect macOS Apple Mail users?

 

I am currently using Mail 13.4 on macOS 10.15.7 and can not upgrade any further due to the age of my machine.

 

All 5 of my Mail POP addresses are set to Port 465 with TLS/SSL ticked though "Automatically manage connection settings" is also Ticked.

 

 

From what I know the client will sort it out. If a user had an OLD system that cannot manage TLS then it will fail

 

I just looked at my Mail app on MacBookPro 2013, it will Manage the settings. So, despite me being on IMAP but with smtp Port 465, it will manage it, which will be Port 587/TLS

 

Same with my iPhone. Just has an SSL setting, it will manage it. As long as the device supports TLS, it will manage it. IIRC a colleague advised that email SSL was phased out 2015. This means that while SSL email is OLD, it's supported. In this thread, SSL support will end, but if you have a non super old system it already has TLS support so it will figure it out

 

 


 
 
 

FineWine
3111 posts

Uber Geek
+1 received by user: 2440

Trusted
Nurse (R)
Lifetime subscriber

  #3056802 30-Mar-2023 18:55

tdgeek:

 

FineWine:

 

How will this affect macOS Apple Mail users?

 

I am currently using Mail 13.4 on macOS 10.15.7 and can not upgrade any further due to the age of my machine.

 

All 5 of my Mail POP addresses are set to Port 465 with TLS/SSL ticked though "Automatically manage connection settings" is also Ticked.

 

 

From what I know the client will sort it out. If a user had an OLD system that cannot manage TLS then it will fail

 

I just looked at my Mail app on MacBookPro 2013, it will Manage the settings. So, despite me being on IMAP but with smtp Port 465, it will manage it, which will be Port 587/TLS

 

Same with my iPhone. Just has an SSL setting, it will manage it. As long as the device supports TLS, it will manage it. IIRC a colleague advised that email SSL was phased out 2015. This means that while SSL email is OLD, it's supported. In this thread, SSL support will end, but if you have a non super old system it already has TLS support so it will figure it out

 

thx for all of that 😀





Whilst the difficult we can do immediately, the impossible takes a bit longer. However, miracles you will have to wait for.

