Forefront Online Protection for Exchange TLS Issue

Sendmail’s customer portfolio consists of companies across a broad spectrum of industries, some of whom need to be extra cautious when it comes to security.  All of the top financial services firms and several of the top government agencies and military contractors trust Sendmail products to keep their messaging infrastructure secure, protect message contents, and ensure privacy.

One of these customers appears to have uncovered a weakness in the Transport Layer Security (TLS) implementation of Microsoft’s Forefront Online Protection for Exchange (FOPE).  This customer has trading partners with which it maintains dedicated TLS connections for securing the transmission of email across the Internet, a common practice.  Its policy requires that a symmetric key length of at least 256 bits be negotiated with those trading partners.  Unfortunately, handshakes with trading partners that have moved to FOPE now fail that requirement.

During the TLS handshake the sendmail MTA, acting as the TLS client, offers its supported cipher suites in order of preference, strongest first.  The server, not the client, makes the final choice, and a server configured to apply its own preference order ignores the order in which the client listed the suites.  According to Microsoft’s TechNet documentation, FOPE supports several common 256-bit cipher suites that overlap with those of the OpenSSL library used by the sendmail MTA, yet FOPE selects a 128-bit suite by default.  The negotiated key length therefore fails the 256-bit requirement and messages to those trading partners are not routed.

Microsoft’s implementation appears to prefer AES128-SHA where the customer’s policy requires AES256-SHA.  Thankfully, the sendmail MTA can remove specific cipher suites from the list it offers: its CipherList option (confCIPHER_LIST in sendmail.mc) takes an OpenSSL cipher string, so appending !AES128-SHA excludes that suite from the offer.  Once AES128-SHA is no longer offered, FOPE falls back to the next suite both sides support and AES256-SHA is negotiated.  The fix works only because the strict policy is enforced on the sendmail side; nothing on the FOPE side changes.
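To make the negotiation concrete, here is a small Python model of the exchange, added for this post and not code from Sendmail or Microsoft.  It uses Python’s ssl module (the same OpenSSL cipher-string syntax that sendmail’s CipherList option hands to OpenSSL) to show which suites a given string actually offers, and a server-preference selector to show why dropping AES128-SHA from the offer changes the outcome.  The FOPE preference order, the example cipher strings and the key-size table are assumptions chosen to reproduce the behaviour described above, not Microsoft’s actual configuration.

```python
"""Model of the TLS cipher-suite negotiation described in the post.

The client (sendmail MTA) offers an ordered list of suites; the server (FOPE)
picks one.  A server that applies its own preference order ignores the client's
ordering, so the only lever the client has is to stop offering the suites it
does not want.  Everything below marked "assumed" is illustrative.
"""
import ssl

# Symmetric key size in bits, taken from the suite names (AES128 / AES256 / 3DES).
KEY_BITS = {"AES256-SHA": 256, "AES128-SHA": 128, "DES-CBC3-SHA": 168, "RC4-SHA": 128}

# Assumed server-side preference order for FOPE: the 128-bit AES suite first.
FOPE_PREFERENCE = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RC4-SHA"]

# Example OpenSSL cipher strings of the kind sendmail's CipherList option takes
# (assumed values; the real deployment's string is not in the post).
ORIGINAL_CIPHERLIST = "HIGH"
FIXED_CIPHERLIST = "HIGH:!AES128-SHA"   # '!' removes the suite permanently


def offered(cipher_string):
    """Expand an OpenSSL cipher string into the suite names it would offer, in
    offer order, using the OpenSSL library Python is linked against.  TLS 1.3
    suites are fixed by OpenSSL and unaffected by the string, so skip them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def server_selects(server_preference, client_offer):
    """Server-preference selection: the first suite in the server's list that the
    client also offered wins, whatever order the client used.  None = no common
    suite, i.e. the handshake fails."""
    for suite in server_preference:
        if suite in client_offer:
            return suite
    return None


def client_selects(server_supported, client_offer):
    """Client-preference selection, which is what the customer expected: the
    first suite in the client's list that the server supports wins."""
    for suite in client_offer:
        if suite in server_supported:
            return suite
    return None


def meets_policy(suite, min_bits=256):
    """The trading-partner policy from the post: key length of at least min_bits."""
    return suite is not None and KEY_BITS.get(suite, 0) >= min_bits


def negotiate(client_offer, server_preference=FOPE_PREFERENCE, min_bits=256):
    """One handshake against the modelled FOPE: (negotiated suite, policy ok)."""
    suite = server_selects(server_preference, client_offer)
    return suite, meets_policy(suite, min_bits)


if __name__ == "__main__":
    strongest_first = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
    print("client order honoured:", client_selects(FOPE_PREFERENCE, strongest_first))
    print("server order honoured:", negotiate(strongest_first))
    # Remove AES128-SHA from the offer, as the post describes, and retry.
    without_128 = [s for s in strongest_first if s != "AES128-SHA"]
    print("after removing AES128-SHA:", negotiate(without_128))
    # What the two CipherList strings actually put on the wire for this OpenSSL:
    print("AES128-SHA offered by", repr(ORIGINAL_CIPHERLIST), ":",
          "AES128-SHA" in offered(ORIGINAL_CIPHERLIST))
    print("AES128-SHA offered by", repr(FIXED_CIPHERLIST), ":",
          "AES128-SHA" in offered(FIXED_CIPHERLIST))
```

Note that removing a single suite is a narrow fix: any other 128-bit suite the server prefers over AES256-SHA would produce the same failure, so a policy that really means "256 bits or nothing" is better expressed by offering only the 256-bit suites than by blacklisting one name at a time.  Run the block directly to see the model’s output for the two offers; it needs no network access.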

Microsoft’s cipher preference serves Microsoft’s interests rather than its customers’.  A less computationally intensive suite is cheaper for the provider to run at scale, but the customer and its trading partners bear the consequence.  AES-128 is not a broken cipher; the point is that a customer with a stricter policy had no way to enforce it on the FOPE side and had to work around the provider’s choice from the other end of the connection.  By negotiating the cheaper suite rather than the strongest one both sides support, Microsoft is demonstrating that “good enough” is good enough for them when it comes to safeguarding their customers’ communication.

This issue raises questions that should be answered before migrating to the cloud: Do I want to surrender control of my encryption policy?  Will my move to the cloud impact my trading partners?

You may also want to check out the white paper: “Moving to the Cloud: Important Things to Consider before Migrating Your Messaging Infrastructure to the Cloud.”

This entry was posted in Greg Olsen, Uncategorized.
