As trailed back in September 2015, Google are turning off SSLv3 and RC4 support from their TLS servers. For the vast majority of people, this will have no noticeable impact at all.
However, there is one place where the deprecated protocol and insecure cipher still lurk: mailservers. In particular, according to the google blog post, “inbound/outbound gateways, third-party emailers, and systems using SMTP relay.” The consequences are that “servers sending messages via SSLv3 and RC4 will no longer be able to exchange mail with Google’s SMTP servers, and some users using older and insecure mail clients won’t be able to send mail”.
How can you tell if your mail server uses SSLv3? One way is to use our crypto discovery engine. It supports SMTP, IMAP, and POP3, over TLS or with STARTTLS extensions.
Testing your mail server is as easy as typing in its name at discovery.cryptosense.com. The tool will discover which ports are open and which ones are running a TLS service. If any services support RC4 or SSLv3, you’ll see cards like these:
Note that it’s not an immediate problem for interoperability with google to support SSLv3 or RC4, as long as your server also supports more secure protocol versions (TLS 1.0, 1.1 or 1.2) and ciphers (such as AES). To see if your server supports them, at the “Check results” tab, you can click on “Show Scan details” under your mailserver. For the protocol version, you will see a string like “Versions SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2”. In that case, we know this server supports one of the acceptable TLS versions. For the cipher, you will see strings like “TLS_DHE_RSA_WITH_AES_128_CBC_SHA256”. In these strings, the block cipher is the part after “_WITH_” – in this case AES, so we know we’re OK.
However, google are turning RC4 and SSLV3 off for the very good reason that they are no longer considered secure, so why not take the opportunity to follow suit? If your server currently supports either RC4 or SSLv3, our discovery tool will provide you with a remediation report that tells you how to turn them off in the configuration file of your mailer. Just click through to the “Get help” tab to download your report.
Previously, there were arguments for continuing to support SSLv3 and RC4 to retain interoperability, but google’s move will most likely change that. We can expect to see a lot of infrastructure upgraded to support newer TLS versions. There’s never been a better time to upgrade you mail server’s TLS configuration, and we hope our free tool will help. Feedback welcome here.