By default, Mail Express allows initial connections from clients using the SSLv2, SSLv3, or TLSv1 protocols in an effort to support a wider variety of browsers. If higher security is desirable, then the allowed SSL protocols may be locked down to TLSv1 only; however, some clients, including Internet Explorer, may be unable to connect in some situations. Refer to Internet Explorer and High Security Settings below for more information on known issues.
To modify the server to only allow TLSv1 negotiations
In a text editor, such as Notepad, open server.xml (e.g., C:\Program Files\Globalscape\Mail Express\conf\server.xml).
Update the HTTPS Port configuration:
Locate the Connector that defines the default port listener. This Connector may be found by searching for the following text:
port="8443"
Within the Connector definition, change:
SSLProtocol="all"
to
SSLProtocol="TLSv1"
Update the DMZ Gateway Protocol Handler configuration, if this feature is being used:
Locate the Connector that defines the DMZ Gateway Protocol Handler. This Connector may be found by searching for the text protocol="com.globalscape.protocolhandler.DMZProtocolHandler"
Within the Connector definition, change:
sslProtocols="SSLv2Hello,SSLv3,TLSv1"
to
sslProtocols="TLSv1"
Save the changes.
Restart the Mail Express Server service. (e.g., Start > Run > services.msc)
Internet Explorer and High Security Settings
When using the high security settings for the SSLProtocol and SSLCipher configuration items, you may sometimes encounter connection issues when connecting with Internet Explorer. Typically you will see a page similar to the following when connecting:
If this occurs, it may be due to the SSL 2.0 protocol being enabled in Internet Explorer. When this option is enabled, Internet Explorer will initially attempt to connect to the server using an SSLv2-format hello message. When using the high security settings, the SSLv2 protocol is disabled, which results in the server not responding to the request. The issue may be resolved on the client side, by modifying the Internet Explorer configuration, or on the server side, by not using the high security settings. Each resolution is detailed below.
Alternative 1: Modify Client Configuration
Disable SSL 2.0 support within the Internet Explorer options
In Internet Explorer, click Tools > Internet Options. The Internet Options dialog box appears.
Click on the Advanced tab, then scroll down to the Security section.
Clear the Use SSL 2.0 check box.
Select the Use TLS 1.0 check box.
Click Apply to save the changes, then attempt to connect to the server.
Alternative 2: Modify Server Configuration
If you do not want to modify each user's Internet Explorer settings, you can modify the Mail Express Server configuration to enable the SSLv2 protocol. This is considered less secure, but provides greater compatibility with browsers. Note that with this solution the SSLv2, SSLv3, and TLSv1 protocols will be enabled rather than only TLSv1. However, the supported cipher algorithms will be locked down to SSLv3 and TLSv1 algorithms only. This allows browsers to connect using the SSLv2 protocol, but then negotiate the use of the SSLv3 or TLSv1 protocols and ciphers only.
To enable the SSLv2 protocol
In a text editor, such as Notepad, edit the following settings in server.xml (e.g., C:\Program Files\Globalscape\Mail Express\conf\server.xml):
Update the HTTPS Port configuration:
Locate the Connector that defines the default port listener. This Connector may be found by searching for the text port="8443"
Within the Connector definition, change:
SSLProtocol="TLSv1"
to
SSLProtocol="all"
Update the DMZ Gateway Protocol Handler configuration, if this feature is being used:
Locate the Connector that defines the DMZ Gateway Protocol Handler. This Connector may be found by searching for the text protocol="com.globalscape.protocolhandler.DMZProtocolHandler"
Within the Connector definition, change:
sslProtocols="TLSv1"
to
sslProtocols="SSLv2Hello,SSLv3,TLSv1"
Save the changes.
Restart the Mail Express Server service. (e.g., Start > Run > services.msc)
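Both procedures above edit the SSLProtocol and sslProtocols attributes on Connector elements in server.xml. The following script is an added example, not part of the Mail Express documentation or product: it reads a server.xml, finds every Connector carrying one of those two attributes, and reports whether the value is locked to TLSv1 only. The embedded XML fragment is constructed for the example and the DMZ Connector's port is omitted, since the real value is not given above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two Connectors the procedure edits.
# This is NOT a real Mail Express server.xml; only the attribute names match.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"
               SSLEnabled="true" SSLProtocol="all"/>
    <Connector protocol="com.globalscape.protocolhandler.DMZProtocolHandler"
               sslProtocols=" SSLv2Hello,SSLv3,TLSv1"/>
  </Service>
</Server>"""

# The only value the high-security procedure permits. Extend this set if a
# later product version accepts newer TLS versions in these attributes.
ALLOWED_TOKENS = {"TLSv1"}


def audit_connectors(xml_text):
    """Return (label, attribute, value, locked_down) for each Connector that
    carries an SSLProtocol or sslProtocols attribute.

    locked_down is True only when every comma-separated token is in
    ALLOWED_TOKENS.  A value of "all", any SSLv2/SSLv3 token, a stray
    space, or a misspelt token such as "TLsv1" all fail the check.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        # Identify the Connector by port, falling back to its protocol class.
        label = conn.get("port") or conn.get("protocol") or "<unlabelled>"
        for attr in ("SSLProtocol", "sslProtocols"):
            value = conn.get(attr)
            if value is None:
                continue
            tokens = {t.strip() for t in value.split(",")}
            locked_down = bool(tokens) and tokens <= ALLOWED_TOKENS
            findings.append((label, attr, value, locked_down))
    return findings


def audit_file(path):
    """Convenience wrapper: audit a server.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_connectors(fh.read())


if __name__ == "__main__":
    for label, attr, value, ok in audit_connectors(SAMPLE_SERVER_XML):
        print(f"{'OK  ' if ok else 'WEAK'} Connector {label}: {attr}={value!r}")
```

Run it against the real file with audit_file(r"C:\Program Files\Globalscape\Mail Express\conf\server.xml") after saving the changes and before restarting the service; any WEAK line means the corresponding step above was not applied as written.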