POP3 with TLS 1.1 or TLS 1.2

  • Question

  • I have a front end load balancer to a backend Exchange 2010 CAS Server running POP. I need to disable SSL 3.0 and TLS 1.0 and only use TLS 1.1 and TLS 1.2 for obvious reasons. I am able to disable SSL 3.0 and can still access POP via Outlook and mobile devices, but when I disable TLS 1.0 I get an SSL handshake failure when trying to authenticate to POP.

    What's the solution? Also an official KB article on this subject is requested.

    Currently on the front end from external connections to the load balancer I can support TLS 1.0, TLS 1.1 and TLS 1.2, but the load balancer does not give me the ability to enable TLS 1.1 or TLS 1.2 from the load balancer to the Exchange CAS server. In essence I can't have end to end TLS 1.1 or TLS 1.2 with the current version of the load balancer, but I need TLS 1.1 and TLS 1.2 from client devices to load balancer, then TLS 1.0 or SSL 3.0 from the load balancer to the CAS server.

    How do I configure pop3 to accept TLS 1.1 or 1.2 on the front end from clients?

    Friday, May 15, 2015 10:52 PM

Answers

  • Hi,

    What’s your Windows Server version for the Exchange server? TLS 1.1 and TLS 1.2 are enabled in Windows Server 2008 R2 and Windows 7 and later versions.

    Please check whether TLS 1.1 and TLS 1.2 are listed under the following registry key:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]

    Please locate the path for these keys and check whether TLS 1.1 and TLS 1.2 are listed there. If they are, please enable them with a value of 1. If there is no key for TLS 1.1 and TLS 1.2, please do the following to enable them:

    1. Add the following keys:

    TLS 1.1 and TLS 1.2

    2. Within each of the TLS 1.1 and TLS 1.2 keys (they look like folders), add these keys: Client and Server.

    3. On the client computer, add the DisabledByDefault DWORD value to 00000000.

    4. On the server computer, add the Enabled DWORD value to 0xffffffff.

    5. Restart the computer.

    Additionally, please run the following command to check the POP settings in Exchange server:

    Get-PopSettings | FL

    Please refer to the UnencryptedOrTLSBindings value and X509CertificateName to configure the POP connection on the Outlook side.

    Regards,


    Winnie Liang
    TechNet Community Support

    Tuesday, May 19, 2015 7:19 AM
    Moderator
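
The registry steps in the answer above, written as a PowerShell audit-and-enable script. This is an added example, not part of the original post or Microsoft's own code. The function names are hypothetical, and it assumes both values are set under both the Client and Server subkeys, with Enabled set to 1 (the value the answer gives for existing keys) rather than 0xffffffff.

```powershell
# Added example. Run in an elevated PowerShell session on the Exchange CAS server.
# Path taken from the answer above.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

# Read-only report of what is configured per protocol and role.
# An empty Enabled/DisabledByDefault column means the value is not set,
# so the operating system default for that protocol applies.
function Get-SchannelProtocolState {
    param([string[]]$Protocol = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $key    = Join-Path $base (Join-Path $p $role)
            $exists = Test-Path $key
            $props  = $null
            if ($exists) { $props = Get-ItemProperty -Path $key }
            New-Object PSObject -Property @{
                Protocol          = $p
                Role              = $role
                KeyExists         = $exists
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

# Steps 1-4 of the answer: create the protocol keys with Client and Server
# subkeys, then set DisabledByDefault = 0 and Enabled = 1 (assumption, see above).
function Enable-SchannelProtocol {
    param([string[]]$Protocol = @('TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path $base (Join-Path $p $role)
            # Create the key only when it is missing so existing values are left alone.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Audit first; record the output before changing anything.
Get-SchannelProtocolState | Sort-Object Protocol, Role |
    Format-Table Protocol, Role, KeyExists, Enabled, DisabledByDefault -AutoSize

# Uncomment to apply, then restart the computer (step 5) and run the audit again.
# Enable-SchannelProtocol
```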

All replies

  • Here are the pop settings.

    UnencryptedOrTLSBindings          : {:::110, 0.0.0.0:110}
    SSLBindings                       : {:::995, 0.0.0.0:995}

    Tuesday, June 2, 2015 7:14 PM