John's Blog: Secure Mail Failure

July 14, 2017

Since Rumpus 8.1.7 came out, with improved support for advanced SSL cipher suites, a few people have asked this question:

In Rumpus 8.1.7 and later, why is Rumpus unable to send mail securely via my SMTP server? When I run the test in the control application, the mail is sent, but when someone uploads a file, the notice attempt results in a connection error to the SMTP server. Why, and what can I do to correct this?

The issue has to do with the "SSL/TLS Security Level", which I described in detail in this article. The SSL/TLS Security Level applies primarily to Web browsers and FTP clients connecting to your server, but the same security restrictions also apply when Rumpus acts as an SMTP mail client, sending mail to your mail server. So, if your mail server is older and doesn't support modern TLS cipher suites, and you've set Rumpus to only allow modern cipher suites, Rumpus won't be able to send mail.
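To confirm that this is the cause, the STARTTLS handshake can be attempted against the mail server under a strict and a relaxed client policy. This is an added example, not Rumpus code or part of the original post; the two policies are assumed stand-ins for Rumpus security levels, and the host and port are given on the command line (port 587 is an assumed default).

```python
import smtplib
import ssl
import sys

# Assumed stand-ins for a strict and a relaxed client policy; the article does
# not list what each Rumpus "SSL/TLS Security Level" permits.
POLICIES = {
    "strict": (ssl.TLSVersion.TLSv1_2, "ECDHE+AESGCM:ECDHE+CHACHA20"),
    "relaxed": (ssl.TLSVersion.MINIMUM_SUPPORTED, "DEFAULT:@SECLEVEL=0"),
}

def make_context(policy):
    min_version, ciphers = POLICIES[policy]
    ctx = ssl.create_default_context()
    # Probe only, nothing is sent: skip cert checks so they cannot mask the result.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = min_version
    ctx.set_ciphers(ciphers)
    return ctx

def probe(host, port, policy):
    """Attempt STARTTLS under one policy; return (ok, detail)."""
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False, "server does not advertise STARTTLS"
            smtp.starttls(context=make_context(policy))
            cipher, _, bits = smtp.sock.cipher()
            return True, f"{smtp.sock.version()} {cipher} ({bits} bits)"
    except ssl.SSLError as exc:  # subclass of OSError, so caught first
        return False, f"TLS handshake failed: {exc.reason or exc}"
    except (OSError, smtplib.SMTPException) as exc:
        return False, f"connection error: {exc}"

def diagnose(strict_ok, relaxed_ok):
    """Map the two probe outcomes onto the cases the article describes."""
    if strict_ok:
        return "mail server meets the strict policy"
    if relaxed_ok:
        return "relaxed policy only: update the mail server or lower the level"
    return "TLS fails under both policies: check STARTTLS, port and reachability"

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 587
    ok = {p: probe(host, port, p) for p in POLICIES}
    for p, (_, detail) in ok.items():
        print(f"{p:8} {detail}")
    print(diagnose(ok["strict"][0], ok["relaxed"][0]))
```

A handshake that succeeds only under the relaxed policy matches the situation described above: the mail server cannot negotiate what the strict setting requires.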

In theory, it would be technically possible to have Rumpus require strict cipher suites for HTTP and FTP access, but then send mail using older ciphers. Unfortunately, this would represent a significant security risk that would undermine the whole point of the "SSL/TLS Security Level" option. If your server security requirements are such that files can only be transferred via strong cryptography, then information about those transfers (such as file information commonly included in Event Notices) must be guarded using those same requirements.

So, if you have this problem, there are 3 possible solutions:

Update Your Mail Server

The best option is to update the mail server so that it supports modern SSL/TLS security protocols. In fact, in a secure environment, this is really the only option, because e-mail is every bit as susceptible to attack as Web traffic (probably more so), and should be secured accordingly.

Reduce the "SSL/TLS Security Level" in Rumpus

Depending on your security requirements, reducing the security level in Rumpus so that it can connect to older Web browsers, FTP clients and mail servers may not be a big problem. Clients will still use the best, most secure ciphers available for each session; it's just that Rumpus will also allow certain older ciphers to be used when those are the only ones supported by the software Rumpus is talking to. See the SSL/TLS Security Level article for details.

Disable Secure Mail Connections

In some cases, encrypting mail connections may not be necessary at all. For example, if the Rumpus server and the mail server are on the same computer, or on the same local network, the e-mail isn't being sent over the public Internet anyway. Assuming your local network is secure, the sessions may not need to be encrypted in the first place. Disabling the "Use TLS (Secure Mail)" option in Rumpus is acceptable in these cases, especially considering that the older mail server may potentially be compromised due to its reliance on older SSL cipher suites.

As always, if you have questions or need more detail, contact me at support@maxum.com.

© Copyright 2018, Maxum Development Corp.