Can't get TLS 1.2 to work on Windows Server 2008 R2 with Exch 2010
I am trying to get my install of Windows Server 2008 R2 Standard SP2 (I tried to install SP3 but it failed) and Exch 2010 to use TLS 1.2. I've made the recommended registry entries and enabled it but using TLS checker it is still showing TLS 1.0 no matter what I do. The problem is that many servers will not connect to TLS 1.0 so much of my mail is now returned as undeliverable to me. I now use a backup mx (which will connect to my server using TLS 1.0) which gets my mail and relays it to me but that can take 15 minutes before I receive it.
Can anyone help with this? I can post pictures of my registry entries, etc.
I hope you aren't going to let that security nightmare touch the internet...
So you're directly receiving email on a Windows 2008 R2 box running Exchange 2010. Both the OS and Exchange are two major versions past end of security updates. Please do yourself and the organization a favor and migrate to a different/newer email and messaging platform. There are likely multiple different threat actors in your Exchange server. It has known vulnerabilities, and you can't patch it. The longer you wait, the harder it will be to migrate, because getting things to work with Exchange 2010 will get harder and harder as the industry prunes compatibility with older unsupported systems.
ASKER
MA - I had previously made these changes manually and checked all. All are as in the .reg files except I do not have keys for SSL 3.0 or TLS 1.1. Other than that everything is exactly as in the .reg file. I run checktls on my server (mail.rackson.org) and it produces an error. Can you please run checktls yourself and let me know what you think? Thank you!
Kevin, I know. I just use this for home use to share calendars and in house email with my assistant and kids and I don't want to put in the time or money to upgrade at this point. But I totally get your perspective. My main concern is the annoying 15 minute delay in receiving emails.
ASKER
M A - In the meantime is it ok to leave TLS 1.0 enabled so I can still receive email while you guys help me with this?
I've made the recommended registry entries and enabled it but using TLS checker it is still showing TLS 1.0 no matter what I do.
that's by design
if you are able to get SP3 and update rollup 9 installed then it should work with 1.2
SMTP is not transported over TLS 1.1 or TLS 1.2 protocol in an Exchange Server 2010 environment
ASKER
Actually checktls was showing nothing without tls 1.0 reenabled so I reenabled it. Is sp3 required for sp2 1.2?
ASKER
And I can't get rollup 9 as it's not available (as you said) - do I really need to install it? Shouldn't it work with SP2 so long as I disable TLS 1.0 (which I did to no avail)?
Did you look in the Microsoft catalog? Exchange 2010 update rollups still seem to show...
https://www.catalog.update.microsoft.com/search.aspx?q=exchange+2010
ASKER
Can I try one of the later rollups (32) even though I've been updating the server ongoing whenever I get the icon? Is there any risk to trying, for example, rollup 32 from March 2021?
Exchange Server 2010
The servicing model for Exchange 2010 uses service packs and update rollups. A service pack is a complete build of the product that includes all previous updates. An update rollup applies to a specific service pack, and includes all previous updates that were included in previous update rollups for that service pack.
What you should install for new servers
When you’re installing a new Exchange 2010 server, you should install the latest service pack, followed by the latest update rollup for that service pack. You can find details of the most recent service pack and update rollup for Exchange 2010 on the Exchange Server Build Numbers page on TechNet.
How to handle updates for existing servers
The steps for updating Exchange 2010 servers depend on which service pack you're currently running. If you're running RTM, SP1, or SP2, you'll need to install SP3 first, then apply the latest update rollup. You can upgrade to SP3 from any previous version of Exchange 2010. You do not need to install SP1 and SP2 first.
If you’re already running Exchange 2010 SP3, you can just apply the latest update rollup. You can update directly to the latest update rollup. For example, if you’re running SP3 with UR10, you can apply update rollup 14 without installing UR11, UR12, and UR13 first.
ASKER
Ah... so I would need to find SP3 and get it to install first (I tried once and it failed for some reason). But I thought TLS 1.2 worked on SP2?
I would make sure server 2008r2 was fully up to date, reboot, and try SP3 right after the reboot...
SP3 is basically a full install of 2010 but it is able to upgrade...
If the sp fails look up the error codes and see if you can find info on google...
TLS 1.2 is right in the transition era of Exchange and I do not remember which service pack was needed, but SP3 seems to ring a bell...
Also I think I remember sp3 needing a newer visual c++ runtime but I am not sure..
ASKER
Thanks Scott. I checked and what I have running is Version 14.1 Build 218.15. Does that say anything about what SP I'm running?
That looks like a SP1 install with no rollups
ASKER
So Scott, my steps should be:
1. Clone the disk as a backup
2. Try (again) to install SP3
3. Install rollup 32
4. Pray it all works?
...or should I just live with the 15 minute delay?
Shouldn't it work with SP2 so long as I disable TLS 1.0 (which I did to no avail)?
if you look at the article I referenced, it is hardcoded
even if you change how the OS handles TLS versions, exchange (prior to SP3 update 9) will ignore that and use 1.0
SP3 is basically a full install of 2010 but it is able to upgrade...
hmm...didn't think the service packs were the actual full version you can install from until exchange 2013 or 2016 - though it has been quite a while since i worked with exchange 2010
Clone the disk as a backup
not exactly what I would do as there is so much exchange integration with AD so highly discourage it
I would make sure I have a good full backup of the system
If I did choose to clone, would do the entire vm not just one drive
Try (again) to install SP3
I don't see it available for download but if you already have it, yes try again and report back any errors
Install rollup 32
problem is, I don't think these are cumulative so it doesn't include all previous updates - especially since the download size is only 56 MB
you could try just update 9 and see if that fixes it (though getting to 32 would be ideal)
https://www.catalog.update.microsoft.com/Search.aspx?q=exchange%202010%209
Been a while, but TLS1.2 was supported
https://www.microsoft.com/en-us/security/blog/2017/07/20/tls-1-2-support-added-to-windows-server-2008/
If you have a WSUS server, you could see whether you can pull the update from MS.
ASKER
I'll try and find sp3 and see what happens but I'm not with the physical box until 1/14. I guess I'll just leave this open...
ASKER
Thanks Scott!
The TLS is provided by the System, server 2008.
See if this helps.
https://aventistech.com/kb/enable-tls-1-2-in-exchange-2010/
ASKER
You reference Exchange. Which component are you looking at for TLS 1.2: is it to connect to the IMAP/SMTP encrypted ports, or do you use the OWA HTTP proxy, in which case it depends on how the IIS setup handles the encryption for the connections:
openssl s_client -connect hostname:port [-starttls SMTP]
Using the above, you can test the types of connections available on the server side.
-tls1_2 will allow TLS 1.2 only for the connection attempt
-no_<protocol> will disable that protocol from being available for the connection
ssllabs.com has a server tester portion which might be helpful if the above referenced tool is not
ASKER
I ran a test and it seems I'm having a problem with my "key exchange" but I have no idea what that is or what to do about it. HELP! See attached.
ASKER
I'm not sure how any of that connects with my exchange server only being able to receive mail from servers that support TLS 1.0? This is a small home setup but the delay by having mail routed through the backupmx provider is annoying.
With the older Server 2008, disabling options like sslv3 could have adverse consequences dealing with remote access (RDP) ....
MX and SMTP communications are not encrypted, plain text.
As long as you make SSLv3 available, it will be seen as insecure from the outside.
The Secure Flow from your Backup MX is a Configuration issue.
The report is based on access to port 443
did you restrict IIS, or system wide tls1.2 and sslv3 available for the server side only?
Check the STARTTLS configuration on your exchange server, to make sure it offers TLS1.2 connections.
You have SSLv3 and TLS 1.0 as the available options.
see if this helps identify where you made the choices.
https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-tls-configuration?view=exchserver-2019
As we have said before, you need to get your Exchange somewhere past the initial install... Those newer protocols came out after 2010 first came out, and getting your installation more current will probably get things working...
Your server only supports tls 1.0.
Go here and put in your domain rackson.org and you get some details...
ASKER
If you look above at the results of sslscan.exe on the exchange server it looks like tls 1.2 is enabled on exchange. But when I ran the tls analyzer it is showing a "key" problem, which I don't understand. I'm not technical enough to understand what is going on or reconcile these two sets of results. Can anyone help with that? Is my problem with Windows 2008 R2 or with Exchange 2010? My backupmx is a 3rd party service.
A lot of the content you have shown is checking the webmail access ports on 443...
Mail does not use those ports.
sslscan is checking the web server ports.
Exchange needs to be at a minimum of update rollup 19 and sp3 for TLS 1.2 to work with email...
Unless you do this it will NOT work...
subject=/CN=mail.rackson.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5134 bytes and written 499 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DES-CBC3-SHA
Session-ID: 320900007CFB8A856CB3C871FC3F0F836FA0736F8F5DEC0A061603DD0247C750
Session-ID-ctx:
Master-Key: 00058DB37573A1B48E27A6D38CDC311CBC969B38A6AB3AD86D50F12FEF8E944595F0DE121207B001617D85D1CA9A1670
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1704836656
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Here is the example of TLS1
subject=/CN=mail.rackson.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5449 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 103800003D5F885C8EFBBCE4A47F5D058477EABA446E6A8F2B0797BD0CE8EF65
Session-ID-ctx:
Master-Key: 07D363A36B1E7520AF09E80A4CBDD712C32C96AFBD40B03153681E9A86974DA3EB9139BCE8ABD37D7A4E3022443B6F21
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1704836635
Timeout : 7200 (sec)
Verify return code: 0 (ok)
SSLv2, TLS 1.1 and TLS 1.2 are not available options.
For those, the Protocol line is omitted.
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
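An added example, not posted by anyone in this thread: a small shell script that applies the openssl s_client probe Arnold described earlier to both the webmail port (443) and the SMTP STARTTLS endpoint (25) for each protocol version, so the two can be compared directly instead of reading sslscan results for the wrong port. The parser helper, the port list, the version flag list and the placeholder hostname are this example's assumptions; the embedded sample output is constructed, abridged to the shape of the s_client output posted above, and exists only so the parser can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example for this thread (not from any poster): compare the TLS versions
# accepted on the webmail port (443) with those accepted by SMTP STARTTLS (25).
# Assumes openssl s_client is on PATH and understands the flags in VERSION_FLAGS;
# a flag your openssl build does not support also reports NONE, so check
# "openssl s_client -help" before trusting a NONE for -ssl3 or -tls1.

VERSION_FLAGS="-ssl3 -tls1 -tls1_1 -tls1_2"

# Reduce s_client output on stdin to "Protocol/Cipher", or NONE when the
# handshake failed (s_client then prints "Cipher : 0000" or no session block).
parse_s_client() {
  awk '
    $1 == "Protocol" && $2 == ":" { proto = $3 }
    $1 == "Cipher"   && $2 == ":" { cipher = $3 }
    END {
      if (proto == "" || cipher == "" || cipher == "0000") print "NONE"
      else print proto "/" cipher
    }'
}

# probe HOST PORT VERSION_FLAG [extra s_client args, e.g. -starttls smtp]
probe() {
  local host=$1 port=$2 flag=$3
  shift 3
  openssl s_client -connect "$host:$port" "$flag" "$@" </dev/null 2>/dev/null \
    | parse_s_client
}

# One row per protocol version: what 443 negotiates versus what 25+STARTTLS does.
report() {
  local host=$1 flag
  printf '%-9s %-30s %s\n' flag '443 (HTTPS)' '25 (SMTP STARTTLS)'
  for flag in $VERSION_FLAGS; do
    printf '%-9s %-30s %s\n' "$flag" \
      "$(probe "$host" 443 "$flag")" \
      "$(probe "$host" 25 "$flag" -starttls smtp)"
  done
}

# Constructed samples (abridged to the shape of the s_client output in the
# thread) so the parser can be checked without any network connection.
SAMPLE_TLS1='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 0 (ok)'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage: ./tlsprobe.sh mail.example.org   (the hostname is an assumed placeholder)
if [ -n "${1:-}" ]; then
  report "$1"
fi
```

If the thread's diagnosis is right, the 443 column moves up to TLSv1.2 once the SCHANNEL registry keys are in place (IIS follows the OS setting), while the 25 column stays at TLSv1 until SP3 with update rollup 9 or later is installed, because the Exchange 2010 transport service picks its version independently of the OS setting. A NONE in both columns for -ssl3 is the desired state, not a failure.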
ASKER
Thanks Arnold! So, I definitely do need to upgrade to SP3, correct? I tried that once and ran into a problem but I will try it again over the weekend and post any errors I get. Will you check back on this thread please?
As I said try your install after a fresh reboot...
also make sure you have any prerequisites installed first... SP3 might have different runtimes required...
https://petri.com/install-microsoft-exchange-2010-sp3/
Check the health of your exchange to make sure it is not in a state that contributes to the failure of the update.
ASKER
How would I check health Arnold?
This provides access to the prior, version 2 that supported exchange 2010.
http://web.archive.org/web/20210507170113/https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/
You'll get a few redirect notices, but it will eventually download the version that should work with exchange 2010.
Identifying why SP3 fails to update is ....
ASKER
If I just try and run SP3 and it fails, will it back out any changes and leave me where I am now?
You previously mentioned that you Ran SP3 and it failed.
That is the issue, the SP3 is package of several updates.
Some may have succeeded, or were not needed, an update that was applied failed at which point the SP3 either rolled back what it could or simply exited.
Which version of Exchange SP3 do you have?
The last SP3 update rollup was released on March 2nd 2021.
Do you have a WSUS server in your environment where you can check which SP3 version you are applying or pull in a more recent one available from the MS update catalog?
they range from Rollup 2 August 13 2013 through rollup 32 as referenced above.
See a heads up on Exchange updates re sp3.
https://community.spiceworks.com/topic/2311675-problem-after-installing-microsoft-update-for-exchange-2010-sp3
ASKER
I downloaded the latest from 2021. I will run the health test and try to install it on Sunday. If it fails will I be back where I was? This is a simple single server running 2008 R2 and Exch 2010 with no other components.
https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019#exchange-server-2010
Look at the notice in the link, warning
https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459
This should be removable through add/remove programs. appwiz.cpl
When installing the update, do you elevate, i.e. run as administrator?
Far removed, and unsupported.
monitor the windowsupdate.log and the application, system log for the updates.
Backups?
Do you have an option to quickly setup a VM using sysinternals disk2vhd/x
and try to see if you can virtualize the current exchange for a test environment purposes....
then you can apply this update and see what happens; make sure the VM copy is never on the same LAN (does not get a LAN IP).....
ASKER
Build is 218.15
I would try installing the last update rollup for your non SP version, reboot and then see if sp3 will install. As I said before you have a base install of the original exchange with zero maintenance done...
Using the Catalog, look to get the rollup 8 for SP1
Then rollup 8 for exchange SP2 then apply the SP3 update you downloaded.
Confirm version after each update.
This update path might be smoother than trying to skip SP2.
ASKER
Ok. Thanks Arnold. No need to run those other steps elevated correct?
If you are delivering the updates from WSUS, it runs the update via/under system privileges, elevated.
ASKER
This gradual approach, while taking longer, may provide a more successful upgrade path.
ASKER
Sorry, where is sp2 and rollup 8 for sp2. I'm sorry if you already told me. Can i actually hire you to do this remotely for me Arnold?
https://www.catalog.update.microsoft.com/Search.aspx?q=Microsoft%20exchange%202010%20service%20pack%202
ASKER
The link in your message is to "Rollup 29 for Exchange 2010 SP3". Is that what I should install for SP2?
Did not realize the link I copied and posted was not the intended link.
But it is searchable and .....
ASKER
But I'm at sp1 currently no?
It is difficult to identify which update will add the option within Exchange to allow the higher 1.1/1.2 versions.
Does your OWA setup (IIS, if internet accessible) show that TLS 1.2 is available?
Can you check the 25 transport, STARTTLS whether it has a security option for 1.1 and 1.2 that is just not enabled at the moment?
ASKER
So I found and will install rollup 8 for SP2 using an elevated command prompt on top of my rollup 8 SP1 installation (my current state), correct Arnold?
Check.
Located the minimum level update you need to get to
Rollup 9 for SP3
https://support.microsoft.com/en-us/topic/smtp-is-not-transported-over-tls-1-1-or-tls-1-2-protocol-in-an-exchange-server-2010-environment-3fcc404a-012b-fc59-e8fc-c396fece971b
https://www.catalog.update.microsoft.com/Search.aspx?q=exchange%202010%20service%20pack%203
Located the minimum level update you need to get to
Rollup 9 for SP3
which is what I stated near the beginning before all this back and forth
I'll try and find sp3 and see what happens but I'm not with the physical box until 1/14.
have you tried this yet?
unless it is explicitly stated somewhere, should be able to go from where you are to SP3 unless there is something wrong with your environment to cause the upgrade to fail
ASKER
Project for thursday Seth. My plan is to follow Arnold's advice which is run a health check, then rollup 8 for sp2, then rollup 9 for SP3 unless you guys think differently?
As I said, you cannot run update rollup 8 for SP2 while you are still on SP1...
I suggest following this guide I found...
ASKER
I misunderstood. So, what do I run while on SP1 to do one step at a time or should I go directly to SP3 elevated and give it a try Scott?
I edited my previous post with a guide for updating from SP1 to SP3.
I'm guessing your previous failure with SP3 was because you didn't install any new prerequisites...
Hi Randy,
Please follow this article and restart the server.
https://tecadmin.net/enable-tls-on-windows-server-and-iis/