SecPoint® Protector V. 50 Firmware Release

Protector 50 Firmware release – April 2019

SSL/TLS Cipher Suites

The Mail Transfer Agent can be configured to use cryptography when exchanging email with a remote MTA. The security layer that the Protector uses in this process can be configured as well, to ensure that the mail transfer is only performed using strong algorithms.

The configuration can be done in E-Mail > Setup, in tab SSL/TLS.

On this page, you should first enable the use of an encrypted transmission protocol by enabling the SSL/TLS option.

This is only possible if a certificate is available. You may choose to upload a certificate issued by a CA or create a self-signed certificate. Both can be done on this page.

Once the SSL/TLS option is enabled, the security layers can be customized.

By default, the security layers known to be vulnerable to attacks are disabled; however, they can be enabled if, for any reason, you need to use them.

You can choose different security layers for the different roles that the MTA plays in the email transmission: Server (when the MTA is contacted by a remote MTA for incoming mail) or Client (when the MTA connects to a remote MTA to send email).

It may happen that the Client side of the MTA must be configured with weaker security layers than on the Server side.

This occurs when the remote agent that the Protector connects to does not support the newest versions of TLS.

TLSv1 is enabled for backward compatibility, but disabling it is recommended.

Cipher Suites are part of the SSL or TLS security layers. They are sets of algorithms that encrypt the packets transmitted over the network connection.

Each layer supports more than one Cipher Suite.

There are Cipher Suites known to be weak even within a strong security layer, and for this reason, it is possible to exclude them from the set of used ciphers.

The Protector will use all the existing ciphers supported in each Security Layer, with the exception of those explicitly disabled.

On this page, the weakest Cipher Suites are already disabled by default.

Cipher Suites without known vulnerabilities cannot be disabled and do not appear in the list.

A disabled Cipher Suite will not be used in any Security Layer, on either the Client or the Server side.
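The model described above (a separate set of security layers per MTA role, plus one list of disabled Cipher Suites shared by both roles) can be sketched with Python's ssl module on top of OpenSSL. This is an added example, not SecPoint code; the role floors and the disabled families are constructed values, not the Protector's actual defaults.

```python
import ssl
import warnings

# Constructed policy: lowest enabled security layer for each MTA role.
ROLE_FLOOR = {
    "server": ssl.TLSVersion.TLSv1_2,  # incoming mail: legacy layers disabled
    "client": ssl.TLSVersion.TLSv1,    # outgoing mail: kept weaker for old remote MTAs
}

# Constructed deny-list, shared by both roles, as OpenSSL cipher-string keywords.
DISABLED_FAMILIES = ["aNULL", "eNULL", "RC4", "3DES", "MD5"]

# Substrings that identify suites of the disabled families in OpenSSL suite names.
LEAK_MARKERS = ("NULL", "ADH-", "AECDH-", "RC4", "3DES", "DES-CBC3", "MD5")


def build_context(role):
    """Return an SSLContext for 'server' or 'client' that follows the policy."""
    proto = ssl.PROTOCOL_TLS_SERVER if role == "server" else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    with warnings.catch_warnings():
        # Python flags TLSv1 as deprecated; the policy enables it on purpose.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ROLE_FLOOR[role]
    # Every supported suite except the explicitly disabled families.
    ctx.set_ciphers("ALL:" + ":".join("!" + family for family in DISABLED_FAMILIES))
    return ctx


def offered_suites(ctx):
    """Names of the suites the context is still willing to negotiate."""
    return sorted(c["name"] for c in ctx.get_ciphers())


def leaked_suites(ctx):
    """Suites that still belong to a disabled family; expected to be empty."""
    return [n for n in offered_suites(ctx) if any(m in n for m in LEAK_MARKERS)]


if __name__ == "__main__":
    for role in ("server", "client"):
        ctx = build_context(role)
        print(role, ctx.minimum_version.name,
              len(offered_suites(ctx)), "suites, leaked:", leaked_suites(ctx))
```

Running the same check after any change to the disabled list confirms that neither role still offers a suite from a disabled family.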


Misc. changes and fixes:

The validity dates of the email certificate are displayed on screen

The Automatic Backup is now subject to self-cleanup, to avoid the risk of filling up the hard disk

The update process for the antivirus signatures has been improved, to avoid the risk that, when the signatures to update are too old, the update process enters an infinite loop with 100% CPU usage.

A service tool has been upgraded to the latest version, with support for TLSv1.1 and TLSv1.2, to avoid a problem that affects the High Availability feature on the newest 64-bit Protector systems.

The Anti Spam signatures function has been reviewed, to simplify changing from one language to another and editing the current signatures.

In the Anti Spam signatures, when restoring the default signatures, the system will now restore the signatures for the current language.