TLS 1.3

Just carried out an online test on our v10x server, and it's showing a connection with TLS 1.2.

As 1.3 now seems to be the norm is there a method, or workaround, to implement it?

[002.400] STARTTLS command works on this server
[002.748] Connection converted to SSL
SSLVersion in use: TLSv1_2
Cipher in use: DHE-RSA-AES256-GCM-SHA384
Perfect Forward Secrecy: yes
Session Algorithm in use: DHE(4096 bits)
Certificate #1 of 5 (sent by MX):
Cert VALIDATED: ok
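The online test above negotiates STARTTLS and reports the protocol in use. The same check can be reproduced from a shell with openssl s_client; this is an added example, not part of the thread or of Domino. The host and port are placeholders, and the s_client transcripts used for the self-check are constructed.

```shell
#!/bin/sh
# Added example: report the TLS version and cipher an SMTP server negotiates
# over STARTTLS, using openssl s_client (host/port below are placeholders).

# Parse an s_client transcript on stdin and print the negotiated protocol
# ("TLSv1.2", "TLSv1.3", ...) or "none" if no session was established.
tls_version_from_s_client() {
    awk '
        /^ *Protocol *:/ { sub(/^ *Protocol *: */, ""); ver = $1 }
        /^New, TLSv[0-9.]+, Cipher is/ && ver == "" { ver = $2; sub(/,$/, "", ver) }
        END { print (ver == "" ? "none" : ver) }
    '
}

# Same for the cipher suite line in the SSL-Session block.
tls_cipher_from_s_client() {
    awk '/^ *Cipher *:/ { sub(/^ *Cipher *: */, ""); c = $1 }
         END { print (c == "" ? "none" : c) }'
}

# probe_smtp_tls HOST [PORT] [extra s_client args]
# Extra args such as -tls1_3 pin one version: a server that only offers
# TLS 1.2 then fails the handshake and "none none" is printed.
probe_smtp_tls() {
    host=$1; port=${2:-25}
    shift; [ $# -gt 0 ] && shift
    out=$(openssl s_client -starttls smtp -connect "$host:$port" \
          -servername "$host" "$@" </dev/null 2>/dev/null)
    printf '%s %s\n' "$(printf '%s\n' "$out" | tls_version_from_s_client)" \
                     "$(printf '%s\n' "$out" | tls_cipher_from_s_client)"
}

# Constructed transcript fragments (shape of real s_client output) so the
# parsers can be exercised offline.
SAMPLE_TLS12='New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

printf '%s\n' "$SAMPLE_TLS12" | tls_version_from_s_client   # TLSv1.2
printf '%s\n' "$SAMPLE_TLS13" | tls_version_from_s_client   # TLSv1.3
# Live use (placeholder host): probe_smtp_tls mail.example.invalid 25 -tls1_3
```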

Only TLS 1.2 for Domino boxes.

If you really want TLS 1.3 you can use HCL SafeLinx in front of Domino servers (for HTTP/Traveler/Sametime/Verse/iNotes/Nomad etc.) or F5 BIG-IP and do the SSL off-loading on the F5 equipment (or Apache or whatever...).

Jerome

Thank you for your reply.

So basically, the same as DKIM and DMARC: put another SMTP server (like Exchange) in front of Domino, which rather seems to defeat the object of the exercise?

Having trouble with Gmail bouncing emails from our domain (their business mail platform doesn't appear to have the same issue).

Dave

You do have DKIM in Domino 12!

For DMARC, it is only a DNS TXT entry for me.

My understanding is that DKIM and SPF have to be authenticating messages before configuring DMARC, so if I can't set DKIM or SPF then configuring DMARC is kinda pointless?

With Domino v10, putting another SMTP server in front is the only workaround I know of for DKIM.

If we have got to v12 and TLS 1.3, the current standard for several years, still hasn't been implemented, it's a little concerning.

I do have DKIM configured for outbound on Domino 12 and the DKIM Domino key is set in my DNS.

SPF and DMARC are defined on my DNS servers for outbound.

For inbound SPF and DKIM, it is done in the Domino Directory (configuration document). DMARC is missing, but DKIM and SPF are OK for me; for secured mail, S/MIME signature and encryption is required:

TLS 1.3 is still under enhancement. See reference: https://domino-ideas.hcltechsw.com/ideas/DOMINO-I-124

Quite a lot of people put Domino behind an nginx reverse proxy to do this.

https://frostillic.us/blog/posts/6AF303DE836BA02D85257D570058B1CA

https://blog.nashcom.de/nashcomblog.nsf/dx/using-domino-certmgr-with-nginx-co.htm

Hi Lars,

Thanks for your reply.

I have seen workarounds for this and other shortcomings, like DKIM and SPF, by placing another SMTP server in front of Domino, but really, the Domino SMTP engine should include the latest security out of the box, I would have thought. TLS 1.3 was published as the proposed standard in 2018.