What crypto suites does Email Security offer (Strong, Normal, Weak) when TLS over SMTP is enabled?

12/20/2019 1,048 People found this article helpful 194,584 Views


    Description

    What crypto suite options does Email Security offer (Strong, Normal, Weak) when TLS over SMTP is enabled?

    Resolution

    Perfect Forward Secrecy (PFS) is an added layer of privacy that guarantees that the encryption keys used in a TLS conversation are unique to that conversation. Without PFS, an attacker who successfully steals a mail server's private keys can potentially decrypt intercepted conversations. PFS ensures that no amount of information from the server or from previous conversations can be used towards breaking any future conversations.
    The Web UI allows one of three levels of encryption strength:
    • Strong: Ciphers, in order of preference, are the American AES (128 bits or more), Japanese Camellia (128 bits or more), and American Triple-DES (156). No stream ciphers are supported. The MD5 hash function is not allowed in either certificates or the HMAC. This setting is not the default since it will not interoperate with Exchange 2003 or with sites that decided to stop using block ciphers in order to counter the BEAST TLS attack.
    • Normal: In addition to the strong ciphers, supports the South Korean SEED (128 bits) and, for TLS v1.0 only, American RC4 (128 bits) ciphers. In addition, the MD5 hash is allowed in the HMAC.
    • Weak: In addition to all strong and medium ciphers, the 56-bit DES cipher is supported. With modern computers this is essentially clear-text.

    The OpenSSL Cipherstring selectors are:

    Strong

    HIGH:!MD5:!SSLv2:!aNULL:!eNULL:@STRENGTH

    Normal

    HIGH:MEDIUM:-3DES:!SSLv2:!aNULL:!eNULL:@STRENGTH:3DES

    Weak

    ALL:!EXPORT:!SSLv2:!aNULL:!eNULL:@STRENGTH

    In version 8.3, the complete set of ciphers is:

    | Level  | OpenSSL Cipherstring Name     | TLS  | Key Exchange | Authenticator | Cipher        | HMAC   | PFS? |
    |--------|-------------------------------|------|--------------|---------------|---------------|--------|------|
    | Strong | ECDHE-RSA-AES256-GCM-SHA384   | v1.2 | ECDH         | RSA           | AESGCM(256)   | AEAD   | Yes  |
    |        | ECDHE-ECDSA-AES256-GCM-SHA384 | v1.2 | ECDH         | ECDSA         | AESGCM(256)   | AEAD   | Yes  |
    |        | ECDHE-RSA-AES256-SHA384       | v1.2 | ECDH         | RSA           | AES(256)      | SHA384 | Yes  |
    |        | ECDHE-ECDSA-AES256-SHA384     | v1.2 | ECDH         | ECDSA         | AES(256)      | SHA384 | Yes  |
    |        | ECDHE-RSA-AES256-SHA          | v1   | ECDH         | RSA           | AES(256)      | SHA1   | Yes  |
    |        | ECDHE-ECDSA-AES256-SHA        | v1   | ECDH         | ECDSA         | AES(256)      | SHA1   | Yes  |
    |        | ECDH-RSA-AES256-GCM-SHA384    | v1.2 | ECDH/RSA     | ECDH          | AESGCM(256)   | AEAD   |      |
    |        | ECDH-ECDSA-AES256-GCM-SHA384  | v1.2 | ECDH/ECDSA   | ECDH          | AESGCM(256)   | AEAD   |      |
    |        | ECDH-RSA-AES256-SHA384        | v1.2 | ECDH/RSA     | ECDH          | AES(256)      | SHA384 |      |
    |        | ECDH-ECDSA-AES256-SHA384      | v1.2 | ECDH/ECDSA   | ECDH          | AES(256)      | SHA384 |      |
    |        | ECDH-RSA-AES256-SHA           | v1   | ECDH/RSA     | ECDH          | AES(256)      | SHA1   |      |
    |        | ECDH-ECDSA-AES256-SHA         | v1   | ECDH/ECDSA   | ECDH          | AES(256)      | SHA1   |      |
    |        | AES256-GCM-SHA384             | v1.2 | RSA          | RSA           | AESGCM(256)   | AEAD   |      |
    |        | AES256-SHA256                 | v1.2 | RSA          | RSA           | AES(256)      | SHA256 |      |
    |        | AES256-SHA                    | v1   | RSA          | RSA           | AES(256)      | SHA1   |      |
    |        | CAMELLIA256-SHA               | v1   | RSA          | RSA           | Camellia(256) | SHA1   |      |
    |        | ECDHE-RSA-AES128-GCM-SHA256   | v1.2 | ECDH         | RSA           | AESGCM(128)   | AEAD   | Yes  |
    |        | ECDHE-ECDSA-AES128-GCM-SHA256 | v1.2 | ECDH         | ECDSA         | AESGCM(128)   | AEAD   | Yes  |
    |        | ECDHE-RSA-AES128-SHA256       | v1.2 | ECDH         | RSA           | AES(128)      | SHA256 | Yes  |
    |        | ECDHE-ECDSA-AES128-SHA256     | v1.2 | ECDH         | ECDSA         | AES(128)      | SHA256 | Yes  |
    |        | ECDHE-RSA-AES128-SHA          | v1   | ECDH         | RSA           | AES(128)      | SHA1   | Yes  |
    |        | ECDHE-ECDSA-AES128-SHA        | v1   | ECDH         | ECDSA         | AES(128)      | SHA1   | Yes  |
    |        | ECDH-RSA-AES128-GCM-SHA256    | v1.2 | ECDH/RSA     | ECDH          | AESGCM(128)   | AEAD   |      |
    |        | ECDH-ECDSA-AES128-GCM-SHA256  | v1.2 | ECDH/ECDSA   | ECDH          | AESGCM(128)   | AEAD   |      |
    |        | ECDH-RSA-AES128-SHA256        | v1.2 | ECDH/RSA     | ECDH          | AES(128)      | SHA256 |      |
    |        | ECDH-ECDSA-AES128-SHA256      | v1.2 | ECDH/ECDSA   | ECDH          | AES(128)      | SHA256 |      |
    |        | ECDH-RSA-AES128-SHA           | v1   | ECDH/RSA     | ECDH          | AES(128)      | SHA1   |      |
    |        | ECDH-ECDSA-AES128-SHA         | v1   | ECDH/ECDSA   | ECDH          | AES(128)      | SHA1   |      |
    |        | AES128-GCM-SHA256             | v1.2 | RSA          | RSA           | AESGCM(128)   | AEAD   |      |
    |        | AES128-SHA256                 | v1.2 | RSA          | RSA           | AES(128)      | SHA256 |      |
    |        | AES128-SHA                    | v1   | RSA          | RSA           | AES(128)      | SHA1   |      |
    |        | CAMELLIA128-SHA               | v1   | RSA          | RSA           | Camellia(128) | SHA1   |      |
    |        | ECDHE-RSA-DES-CBC3-SHA        | v1   | ECDH         | RSA           | 3DES(168)     | SHA1   | Yes  |
    |        | ECDHE-ECDSA-DES-CBC3-SHA      | v1   | ECDH         | ECDSA         | 3DES(168)     | SHA1   | Yes  |
    |        | EDH-RSA-DES-CBC3-SHA          | v1   | DH           | RSA           | 3DES(168)     | SHA1   | Yes  |
    |        | EDH-DSS-DES-CBC3-SHA          | v1   | DH           | DSS           | 3DES(168)     | SHA1   | Yes  |
    |        | ECDH-RSA-DES-CBC3-SHA         | v1   | ECDH/RSA     | ECDH          | 3DES(168)     | SHA1   |      |
    |        | ECDH-ECDSA-DES-CBC3-SHA       | v1   | ECDH/ECDSA   | ECDH          | 3DES(168)     | SHA1   |      |
    |        | DES-CBC3-SHA                  | v1   | RSA          | RSA           | 3DES(168)     | SHA1   |      |
    | Normal | SEED-SHA                      | v1   | RSA          | RSA           | SEED(128)     | SHA1   |      |
    |        | ECDHE-RSA-RC4-SHA             | v1   | ECDH         | RSA           | RC4(128)      | SHA1   | Yes  |
    |        | ECDHE-ECDSA-RC4-SHA           | v1   | ECDH         | ECDSA         | RC4(128)      | SHA1   | Yes  |
    |        | ECDH-RSA-RC4-SHA              | v1   | ECDH/RSA     | ECDH          | RC4(128)      | SHA1   |      |
    |        | ECDH-ECDSA-RC4-SHA            | v1   | ECDH/ECDSA   | ECDH          | RC4(128)      | SHA1   |      |
    | Weak   | EDH-RSA-DES-CBC-SHA           | v1   | DH           | RSA           | DES(56)       | SHA1   | Yes  |
    |        | EDH-DSS-DES-CBC-SHA           | v1   | DH           | DSS           | DES(56)       | SHA1   | Yes  |
    |        | DES-CBC-SHA                   | v1   | RSA          | RSA           | DES(56)       | SHA1   |      |
    |        | RC4-SHA1                      | v1   | RSA          | RSA           | RC4(128)      | SHA1   |      |
    |        | RC4-MD5                       | v1   | RSA          | RSA           | RC4(128)      | MD5    |      |

    Notes:

    • The cipher table above applies to the SMTP protocol only; the cipher settings for HTTPS are different because web servers and mail servers are not vulnerable to the same types of threats. For example, SSLv3 is disabled in the Web UI to address the POODLE attack, which is a vulnerability that applies specifically to HTTPS, not SMTP. Since some SMTP implementations may still require SSLv3, it remains enabled in SMTP. Due to this setting, some compliance tests will incorrectly report that SMTP is vulnerable to POODLE.
    • TLS v1.2 Galois/Counter Mode (GCM), Authenticated Encryption with Associated Data (AEAD), and SHA-2 hashes are only available when the client uses TLS v1.2. All TLS v1 ciphers are available when the client uses TLS v1.2, except for RC4, which is disabled with TLS v1.1 and above.
    • The "Normal" cipherstring deliberately selects 3DES at a lower preference because it is so computationally expensive and to improve interoperability with Exchange Server 2003.
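
The table's columns match the fields printed by `openssl ciphers -v`, so the PFS column and the lowest setting that admits a suite can be derived mechanically from that output. The following is an added example, not SonicWall code: the sample lines are constructed from rows of the table, and the function names (`parse`, `has_pfs`, `lowest_level`, `audit`) are illustrative.

```python
import re

# Constructed sample in `openssl ciphers -v` layout, built from rows of the table above.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES128-SHA256      TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)    Mac=SHA256
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
EDH-RSA-DES-CBC3-SHA        SSLv3   Kx=DH       Au=RSA  Enc=3DES(168)   Mac=SHA1
SEED-SHA                    SSLv3   Kx=RSA      Au=RSA  Enc=SEED(128)   Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=MD5
EDH-RSA-DES-CBC-SHA         SSLv3   Kx=DH       Au=RSA  Enc=DES(56)     Mac=SHA1
"""

LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=([^()\s]+)\((\d+)\)\s+Mac=(\S+)"
)

def parse(text):
    """Turn `openssl ciphers -v` style lines into dicts; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, proto, kx, au, enc, bits, mac = m.groups()
            rows.append(dict(name=name, proto=proto, kx=kx, au=au,
                             enc=enc, bits=int(bits), mac=mac))
    return rows

def has_pfs(row):
    # In the table's notation an ephemeral exchange is plain "DH" or "ECDH";
    # "ECDH/RSA" and "ECDH/ECDSA" are static ECDH, "RSA" is RSA key transport.
    return row["kx"] in ("DH", "ECDH")

def lowest_level(row):
    """Lowest Web UI setting that admits the suite, per the level descriptions above."""
    if row["enc"] == "DES":                       # 56-bit DES: Weak only
        return "Weak"
    if row["enc"] in ("SEED", "RC4") or row["mac"] == "MD5":
        return "Normal"                           # SEED, RC4 and MD5 HMAC start at Normal
    return "Strong"                               # AES, Camellia, 3DES

def audit(text):
    return [(r["name"], lowest_level(r), has_pfs(r)) for r in parse(text)]

if __name__ == "__main__":
    for name, level, pfs in audit(SAMPLE):
        print(f"{name:30} {level:7} PFS={'yes' if pfs else 'no'}")
```

Feeding it the output of `openssl ciphers -v` for one of the cipherstring selectors shows what the local OpenSSL build expands that selector to; the result depends on the OpenSSL version and will differ from the 8.3 table.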
