Updating Security on Services - TLS 1.2 and TLS 1.3

As of January 2020, our servers will only support SSL/TLS connections using TLS 1.2 for services like email and FTP access, along with TLS 1.2 and TLS 1.3 for websites. Please ensure that your client applications (Outlook, Thunderbird, Mac Mail, FileZilla, WS_FTP, etc.) are configured to use SSL/TLS with TLS 1.2. This means that unsecured and unencrypted connections will also no longer be supported.

After January 2020 - Supported Mail Settings:
SMTP via SSL: Port 465
SMTP via TLS/STARTTLS: Port 587
IMAP via SSL/TLS: Port 993

After January 2020 - Supported FTP Settings:
FTP Active Mode - Port 21 with Explicit SSL
FTP Passive Mode - Port 21 with Explicit SSL


Overview:

Previously, in 2019, we removed support for TLS 1.0 on our services. Because of limitations in some operating systems and email applications, users had a choice: update their applications and operating systems, or remove encryption. TLS Protocol Version 1.0 was not secure and, as a result, needed to be disabled on servers that offer PCI compliance. If you’re using Windows 7, 8.0, Server 2008, or Server 2008 R2, applications built using WinHTTP, such as Microsoft Outlook, Word, etc., will only support TLS 1.0. Since this protocol is no longer secure and is now disabled, if you try to establish a secure connection from your Outlook e-mail client to our mail server, Outlook will display an error message similar to the one below:

“Your server does not support the connection encryption type you have specified.”

As of January 2020, we are also removing support for insecure connections to our services. We are only as secure as the most insecure user and thus have decided to update our systems to only allow access via secured protocols. This means that users who opted to turn off encryption, instead of upgrading or patching, will not be able to connect to our services such as mail, FTP, or even some websites without updating, patching, or at least enabling SSL/TLS.

If you do not have any encryption enabled, Outlook will display an error message similar to the one below:

“Your server is unable to complete the connection with the current settings.”
or
"Cannot connect to the outgoing mail server for <account name>."

If you are running Windows 8.1 or newer, you can skip verifying that your system supports TLS 1.2. Otherwise, please ensure that your system supports TLS 1.2 by installing the KB3140245 patch from Microsoft.


Install the KB3140245 Update

Before you start, you will need the KB3140245 patch required for your operating system. You can get it by going to the Microsoft Update Catalog.
Click the “Download” button for your OS. As you can see, this patch is needed for Windows 7, 8 and Server 2008 and 2012.


Make sure you’re getting the correct file. You will see that Windows 7 has two available files. These are for 32 and 64-bit systems. Download the one that matches your version of Windows.
Once you download the file, install it.


However, you may already have this file if updates are current in Windows. It’s usually in the Optional section as it’s not necessarily needed to run the computer. 


If the patch is not working as expected, please try using the Easy Fix from Microsoft to edit the Registry:

Go to the Microsoft website and click “Download” under Easy Fix.


You may have to scroll down the page a bit to see the download button.
Run the application and follow its instructions.
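
To confirm that the update and the registry change actually took effect, the following PowerShell check (an added example, not part of the original article or of Microsoft's Easy Fix) reads the WinHTTP DefaultSecureProtocols value and decodes which protocols it enables. The registry paths and bit values are the ones documented in Microsoft's KB3140245 article linked at the end of this page; the function name Get-EnabledProtocols is made up for this example.

```powershell
# Added example: check whether WinHTTP is set to use TLS 1.2 by default.
# Registry paths and bit values follow Microsoft's KB3140245 article.
$protocols = @(
    @{ Name = 'SSL 2.0'; Bit = 0x00000008 },
    @{ Name = 'SSL 3.0'; Bit = 0x00000020 },
    @{ Name = 'TLS 1.0'; Bit = 0x00000080 },
    @{ Name = 'TLS 1.1'; Bit = 0x00000200 },
    @{ Name = 'TLS 1.2'; Bit = 0x00000800 }
)

# Hypothetical helper: turn the DWORD bitmask into a list of protocol names.
function Get-EnabledProtocols([int]$Mask) {
    $protocols | Where-Object { $Mask -band $_.Bit } | ForEach-Object { $_.Name }
}

# Is the update itself listed as installed?
$kb = Get-HotFix -Id KB3140245 -ErrorAction SilentlyContinue
if ($kb) { Write-Output 'KB3140245: installed' }
else     { Write-Output 'KB3140245: not listed by Get-HotFix' }

# Native key, plus the 32-bit view that 32-bit Outlook uses on 64-bit Windows.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        Write-Output ('{0}: key not present' -f $path)
        continue
    }
    $item = Get-ItemProperty -Path $path -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No override: Windows falls back to its built-in default protocol set.
        Write-Output ('{0}: DefaultSecureProtocols not set' -f $path)
        continue
    }
    $mask    = [int]$item.DefaultSecureProtocols
    $enabled = @(Get-EnabledProtocols $mask) -join ', '
    $status  = if ($mask -band 0x800) { 'TLS 1.2 enabled' } else { 'TLS 1.2 NOT enabled' }
    Write-Output ('{0}: 0x{1:X} ({2}) -> {3}' -f $path, $mask, $enabled, $status)
}
```

A result of "TLS 1.2 NOT enabled" or "DefaultSecureProtocols not set" on Windows 7 or Server 2008 R2 means the Easy Fix has not been applied for that registry view.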



Updating from insecure to secure:
Once you have verified that your system can support TLS 1.2, you may still need to configure your mail client to use the proper settings and ports. The steps differ depending on your client, but for Outlook they are generally:

1. Click on the Start Button, and either select Control Panel, or search for it from the list.
2. Select Mail (<version of Outlook here>) from the list. (You may need to specify 'Show Small Icons' from the upper right pulldown to find it.)
3. Click on the 'Email Accounts' button
4. Select the email account you wish to update or verify and click 'Change' or 'Properties' from the menu
5. Ensure that your mail server is set to mail.<yourdomain.tld>


6. Select the 'More Settings' button from the lower right of the window
7. Click on the 'Advanced' Tab
8. Ensure that the Incoming server (IMAP) is set to SSL/TLS and the port is updated to 993
9. Ensure that the Outgoing server (SMTP) is set to STARTTLS and the port is updated to 587


10. Test the account; it should now work as expected. (A simple way is to send an email to someone and verify that it moves from the Outbox to Sent Items.)

Other email clients will need to be configured per their own instructions. Please find the configuration guide for your specific mail client to configure and enable security using SSL/TLS.

Additional information from Microsoft:
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

As always, if you have any questions, or need assistance, please open a support ticket and we can help.
