POP3 with TLS 1.1 or TLS 1.2

I have a front end load balancer to a backend Exchange 2010 CAS Server running POP. I need to disable SSL 3.0 and TLS 1.0 and only use TLS 1.1 and TLS 1.2 for obvious reasons. I am able to disable SSL 3.0 and can still access POP via Outlook and mobile devices, but when I disable TLS 1.0 I get an SSL handshake failure when trying to authenticate to POP.

What's the solution? Also an official KB article on this subject is requested.

Currently on the front end from external connections to the load balancer I can support TLS 1.0, TLS 1.1 and TLS 1.2, but the load balancer does not give me the ability to enable TLS 1.1 or TLS 1.2 from the load balancer to the Exchange CAS server. In essence I can't have end to end TLS 1.1 or TLS 1.2 with the current version of the load balancer, but I need TLS 1.1 and TLS 1.2 from client devices to load balancer, then TLS 1.0 or SSL 3.0 from the load balancer to the CAS server.

How do I configure POP3 to accept TLS 1.1 or 1.2 on the front end from clients?

May 15th, 2015 6:55pm

Hi,

What's your Windows Server version for the Exchange server? TLS 1.1 and TLS 1.2 are enabled in Windows Server 2008 R2 and Windows 7 and later versions.

Please check whether TLS 1.1 and TLS 1.2 are listed under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols

Please locate the path for these keys and check whether TLS 1.1 and TLS 1.2 are listed there. If they are, please enable them with a value of 1. If there is no key for TLS 1.1 and TLS 1.2, please do the following to enable them:

1. Add the following keys:

TLS 1.1 and TLS 1.2

2. Within each of the TLS 1.1 and TLS 1.2 keys (they look like folders), add these keys: Client and Server.

3. On the client computer, add the DisabledByDefault DWORD value and set it to 00000000.

4. On the server computer, add the Enabled DWORD value and set it to 0xffffffff.

5. Restart the computer.

Additionally, please run the following command to check the POP settings in Exchange server:

Get-PopSettings | FL

Please refer to the UnencryptedOrTLSBindings value and X509CertificateName to configure the POP connection on the Outlook side.

Regards,

May 19th, 2015 3:21am
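
The registry steps from the reply above, as an added PowerShell example that is not part of the original thread. It reports the Schannel state for each protocol before any change and can then create the TLS 1.1 and TLS 1.2 keys. It assumes an elevated session on the CAS server; the function names are hypothetical, and writing both values under both the Client and Server subkeys is this example's reading of steps 3 and 4.

```powershell
# Added example: audit, and optionally create, the Schannel protocol keys.
# Function names are hypothetical. Written to run on PowerShell 2.0 and later.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

function Get-SchannelProtocolState {
    param([string[]]$Protocol = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path (Join-Path $base $p) $role
            # A missing key or value means Schannel falls back to the OS default.
            $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = '(not set)'
            $dbd     = '(not set)'
            if ($v -and $null -ne $v.Enabled)           { $enabled = '0x{0:x}' -f $v.Enabled }
            if ($v -and $null -ne $v.DisabledByDefault) { $dbd = $v.DisabledByDefault }
            New-Object PSObject -Property @{
                Protocol = $p; Role = $role; KeyExists = (Test-Path $key)
                Enabled  = $enabled; DisabledByDefault = $dbd
            } | Select-Object Protocol, Role, KeyExists, Enabled, DisabledByDefault
        }
    }
}

function Enable-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Protocol = @('TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path (Join-Path $base $p) $role
            if ($PSCmdlet.ShouldProcess($key, 'Set Enabled and DisabledByDefault')) {
                # Create the key only when absent so existing values are kept.
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name 'DisabledByDefault' `
                    -PropertyType DWord -Value 0 -Force | Out-Null
                # 0xffffffff is the Int32 value -1 in PowerShell; it is stored as DWORD 0xffffffff.
                New-ItemProperty -Path $key -Name 'Enabled' `
                    -PropertyType DWord -Value 0xffffffff -Force | Out-Null
            }
        }
    }
}

# Report the current state; this line makes no changes.
Get-SchannelProtocolState | Format-Table -AutoSize

# Preview the writes, then remove -WhatIf to apply and restart the computer (step 5).
# Enable-SchannelProtocol -WhatIf
```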

Here are the pop settings.

UnencryptedOrTLSBindings          : {:::110, 0.0.0.0:110}
SSLBindings                       : {:::995, 0.0.0.0:995}

June 2nd, 2015 3:16pm

This topic is archived. No further replies will be accepted.
