Helpful POP3 and IMAP Exchange 2016 links

Here is a list of helpful links about the IMAP and POP3 protocols in Exchange 2016:

Enable IMAP4 in Exchange 2016

Enable POP3 in Exchange 2016

POP3 and IMAP4

Public folders in Exchange 2016
Public folders and IMAP

Shared mailboxes in Exchange 2016
Accessing shared and delegated mailboxes

FTP TLS encrypted data connections fail (EMS)

Problem

After installing the October 8, 2019 update (KB4517389, KB4520003, KB4519998 or KB4519990, depending on the OS version), all TLS encrypted data connections to the affected FTP servers fail.

The error you may see is: “TLS session of data connection has not resumed or the session does not match the control connection”

Detailed explanation

In the FTP protocol, the data connection does not itself authenticate the client.

The client authenticates over the control connection, then establishes a data connection using the PASV command followed by STOR (upload) or RETR (download).

The server opens a port and waits for the client to connect to it and upload/download files.

An attacker could figure out the port the server listens on, connect to it before the legitimate client does, and upload a piece of malware (or read the file the client was about to download).

TLS session resumption prevents this. It acts as a form of authentication: if the TLS session of the data connection matches the session of the control connection, both the client and the server know that the data connection was opened by the same peer that authenticated on the control connection. Any mismatch indicates a potential attack.

Ftp.dll uses .NET’s SslStream, which relies on Schannel (Microsoft Secure Channel, the Windows security package that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS)).

Cause

The KB4517389 addresses the following issue:

“Addresses an issue in security bulletin CVE-2019-1318 that may cause client or server computers that don’t support Extended Master Secret (EMS) RFC 7627 to have increased connection latency and CPU utilization. This issue occurs while performing full Transport Layer Security (TLS) handshakes from devices that don’t support EMS, especially on servers. EMS support has been available for all the supported versions of Windows since calendar year 2015 and is being incrementally enforced by the installation of the October 8, 2019 and later monthly updates.”

It looks like Schannel started enforcing EMS. If the server runs a TLS stack that is not compatible with this change, the FTP data connection fails. Resumption is where this bites: RFC 7627 binds the master secret to the full handshake transcript and forbids resuming a session across a change in EMS support, so a client that now insists on EMS cannot resume the control connection’s session against a server that never offered it. The data connection gets a fresh session instead, the match check described above fails, and the server rejects the transfer.

OpenSSL, which most servers use, has supported EMS since version 1.1.0 (released 25 August 2016).

Affected Servers

  • All FTP servers using OpenSSL older than version 1.1.0
  • FileZilla Server (all versions available at the time of writing). The latest version bundles an insecure, outdated OpenSSL 1.0.2.11 from 2017.

Solution

Contact the server administrator, explain the situation and request an upgrade of the FTP server software and of the OpenSSL version it ships with.

As a temporary workaround on the client, KB4517389 (or the equivalent update for other Windows versions) can be uninstalled. Keep in mind that it is a cumulative update, so removing it also removes every other fix it contains.

As a temporary workaround on a FileZilla Server, go to “FileZilla Server Interface/Edit/Settings/Ftp over TLS setting” and uncheck “Require TLS resumption on data connection when using FTP over TLS”. This disables the check described above, so the data connection is no longer tied to the control connection and the data-port hijack becomes possible again; treat it as a stopgap until the server is upgraded.
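Before asking an administrator for an upgrade it helps to know whether the server’s TLS stack negotiates EMS at all. The following script is an added example, not part of the original article or of Ftp.dll: it drives the `openssl s_client` command-line tool (assumed to be installed, OpenSSL 1.1.0 or later, which prints an “Extended master secret: yes/no” line in its session summary) with `-starttls ftp` against a host you name, and parses the result. The SAMPLE_* strings are constructed s_client output so the parser can be exercised offline.

```python
"""Check whether an FTP server negotiates Extended Master Secret (RFC 7627).

Added example; it assumes the `openssl` CLI is on PATH. The SAMPLE_* strings
below are constructed, trimmed s_client output used for offline testing.
"""
import re
import subprocess

# Lines from the "SSL-Session:" block that s_client prints after the handshake.
_PROTOCOL = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)
_EMS = re.compile(r"^\s*Extended master secret:\s*(yes|no)\s*$", re.MULTILINE)


def parse_s_client(output: str) -> dict:
    """Pull the negotiated protocol and the EMS flag out of s_client output."""
    proto = _PROTOCOL.search(output)
    ems = _EMS.search(output)
    return {
        "protocol": proto.group(1) if proto else None,
        "ems": (ems.group(1) == "yes") if ems else None,
    }


def ems_verdict(info: dict) -> str:
    """Interpret the parsed session: TLS 1.3 needs no EMS, TLS 1.2 and older do."""
    if info["protocol"] == "TLSv1.3":
        # TLS 1.3 binds its keys to the handshake transcript by design, so
        # s_client reporting "Extended master secret: no" is not a problem here.
        return "ok (TLS 1.3, EMS not applicable)"
    if info["ems"] is True:
        return "ok (EMS negotiated)"
    if info["ems"] is False:
        return "no EMS: data connections from EMS-enforcing Schannel clients will fail"
    return "undetermined: no SSL-Session block in s_client output"


def check_ftp_server(host: str, port: int = 21, timeout: float = 15.0) -> str:
    """Run s_client against a live FTP server (explicit FTPS via AUTH TLS)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-starttls", "ftp"]
    # s_client forwards stdin to the server and exits on EOF, so send a QUIT.
    proc = subprocess.run(cmd, input="QUIT\r\n", capture_output=True,
                          text=True, timeout=timeout)
    return ems_verdict(parse_s_client(proc.stdout))


# Constructed s_client output, trimmed to the lines the parser cares about.
SAMPLE_NO_EMS = """\
CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5A3C7E1F0B9D44C2A8E6F1037D5B2C9E4F8A1D6B3C7E0F2A9B4D8C1E6F3A7B5D
    Extended master secret: no
---
"""
SAMPLE_EMS = SAMPLE_NO_EMS.replace("Extended master secret: no",
                                   "Extended master secret: yes")
SAMPLE_TLS13 = SAMPLE_NO_EMS.replace("TLSv1.2", "TLSv1.3")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_ftp_server(sys.argv[1]))   # e.g. ftp.example.com
    else:
        for name, sample in (("no EMS", SAMPLE_NO_EMS), ("EMS", SAMPLE_EMS),
                             ("TLS 1.3", SAMPLE_TLS13)):
            print(f"{name}: {ems_verdict(parse_s_client(sample))}")
```

A server that answers “no EMS” on TLS 1.2 is exactly the case described above: an updated Schannel client will not resume its session on the data connection, and a FileZilla Server with “Require TLS resumption” enabled will reject the transfer.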

Sending Apple Watch specific content

There are two main content types used in HTML emails: the text/plain and text/html MIME types.

You should always include a plain text version of your email that closely matches the HTML version. Mail.dll generates (extracts) the plain text automatically if you provide HTML only.

Usually the Apple Watch displays only the plain text part of your email. In most cases it considers the HTML too complex (for example because external images are referenced) and shows the plain text version instead.

An external image is one that isn’t embedded in the email via the cid: scheme but is loaded from a remote HTTP server using a standard <img src=’…’ /> tag.

You can use the ‘text/watch-html’ type to send a limited HTML version of your message for Apple Watch users, which results in rich-text-like messages on Apple Watch devices.

Here’s how to create and add such a MIME entity using Mail.dll:

using Limilabs.Mail;
using Limilabs.Mail.Headers;
using Limilabs.Mail.MIME;

MailBuilder builder = new MailBuilder();
builder.Subject = "Apple Watch Example";
builder.From.Add(new MailBox("alice@example.com"));
builder.To.Add(new MailBox("bob@example.com"));

// Regular alternatives: plain text for every client, HTML for capable ones
builder.Html = "This is <strong>HTML</strong> text.";
builder.Text = "Plain text.";

// Extra alternative for Apple Watch: a limited-HTML text/watch-html part
MimeText appleWatchText = new MimeFactory().CreateMimeText();
appleWatchText.ContentType = ContentType.Parse("text/watch-html");
appleWatchText.Text = "This is <strong>Watch HTML</strong> text.";

builder.Alternatives.Add(appleWatchText);

IMail mail = builder.Create();

Keep in mind that the Apple Watch supports only a limited subset of HTML.

The above code creates an email with the following content (the text/watch-html part is the last, and therefore most preferred, alternative):

Content-Type: multipart/alternative;
 boundary="----=_NextPart_19511516.440335455040"
MIME-Version: 1.0
Date: Tue, 02 Jul 2019 15:38:53 +0200
Message-ID: <d65fcc07-c988-48e1-a466-166e18998d02@mail.dll>
Subject: Apple Watch Example
From: <alice@example.com>
To: <bob@example.com>

------=_NextPart_19511516.440335455040
Content-Type: text/plain;
 charset="utf-8"
Content-Transfer-Encoding: 7bit

Plain text.
------=_NextPart_19511516.440335455040
Content-Type: text/html;
 charset="utf-8"
Content-Transfer-Encoding: 7bit

This is <strong>HTML</strong> text.
------=_NextPart_19511516.440335455040
Content-Type: text/watch-html;
 charset="utf-8"
Content-Transfer-Encoding: 7bit

This is <strong>Watch HTML</strong> text.
------=_NextPart_19511516.440335455040--

Entire sample, including sending process:

using Limilabs.Client.SMTP;
using Limilabs.Mail;
using Limilabs.Mail.Headers;
using Limilabs.Mail.MIME;

MailBuilder builder = new MailBuilder();
builder.Subject = "Apple Watch Example";
builder.From.Add(new MailBox("alice@example.com"));
builder.To.Add(new MailBox("bob@example.com"));

builder.Text = "Plain text.";
builder.Html = "This is <strong>HTML</strong> text.";

// Limited-HTML alternative for Apple Watch
MimeText appleWatchText = new MimeFactory().CreateMimeText();
appleWatchText.ContentType = ContentType.Parse("text/watch-html");
appleWatchText.Text = "This is <strong>Watch HTML</strong> text.";

builder.Alternatives.Add(appleWatchText);

IMail mail = builder.Create();

// Send the message
using (Smtp smtp = new Smtp())
{
    smtp.Connect("server.example.com");   // or ConnectSSL for implicit SSL/TLS
    smtp.UseBestLogin("user", "password"); // remove if the server needs no authentication

    smtp.SendMessage(mail);

    smtp.Close();
}
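The same multipart/alternative layout, built and inspected with Python’s standard email package instead of Mail.dll, as an added example that is not part of the original article. It makes two points the dump above only implies: the alternatives must be ordered from plainest to richest (RFC 2046), and a receiving client walks that list with its own preferences, which is how a watch ends up with the text/watch-html part while a desktop client takes text/html. The addresses and texts are constructed sample data.

```python
"""Build a multipart/alternative message with a text/watch-html part and show
how clients with different preferences select a body. Added example using
Python's email package; sample addresses and texts are constructed.
"""
from email.message import EmailMessage
from email.policy import SMTP


def build_watch_message(text: str, html: str, watch_html: str,
                        sender: str = "alice@example.com",
                        recipient: str = "bob@example.com",
                        subject: str = "Apple Watch Example") -> EmailMessage:
    """Compose multipart/alternative with text/plain, text/html, text/watch-html."""
    msg = EmailMessage(policy=SMTP)  # CRLF line endings, as on the wire
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # Order matters: RFC 2046 puts alternatives from plainest to richest, so the
    # plain text goes first and the watch-specific part last.
    msg.set_content(text)                                   # text/plain
    msg.add_alternative(html, subtype="html")              # text/html
    msg.add_alternative(watch_html, subtype="watch-html")  # text/watch-html
    return msg


def alternative_types(msg: EmailMessage) -> list:
    """Content types of the alternatives, in wire order."""
    return [part.get_content_type() for part in msg.iter_parts()]


def pick_body(msg: EmailMessage, preferencelist: tuple) -> str:
    """Select the body the way a client with the given preferences would.

    A watch-aware client would pass ("watch-html", "html", "plain"), a desktop
    client ("html", "plain"), a text-only client ("plain",).
    """
    part = msg.get_body(preferencelist=preferencelist)
    return part.get_content().strip() if part is not None else ""


if __name__ == "__main__":
    m = build_watch_message("Plain text.",
                            "This is <strong>HTML</strong> text.",
                            "This is <strong>Watch HTML</strong> text.")
    print(m.get_content_type(), alternative_types(m))
    print("watch client sees:  ", pick_body(m, ("watch-html", "html", "plain")))
    print("desktop client sees:", pick_body(m, ("html", "plain")))
    print("text client sees:   ", pick_body(m, ("plain",)))
    print(m.as_string())
```

Because text/watch-html is an unregistered subtype, a client that does not know it simply skips that part and falls back to text/html or text/plain, which is why the plain text alternative should always be present.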

Using TLS 1.2 with .NET SMTP client

This article shows how to configure the Mail.dll SMTP client to use the TLS 1.2 protocol.

Restricting the protocol version rules out SSL 3.0, TLS 1.0 and TLS 1.1, which have known weaknesses, even when the server still offers them.

By default, clients and SMTP servers negotiate the highest SSL/TLS version they both support. Most systems no longer allow SSL 3.0, TLS 1.0 or TLS 1.1, and the Mail.dll SMTP component simply uses the most recent TLS version the server offers.

TLS 1.2 and 1.3 are the current, secure versions of TLS, and it is easy to force the connection to use them. Note that SslProtocols.Tls12 on its own also excludes TLS 1.3; on runtimes that define SslProtocols.Tls13 (.NET Framework 4.8, .NET Core 3.0 and later) you can allow both by combining the two flags with a bitwise OR.

All you need to do is set the Smtp.SSLConfiguration.EnabledSslProtocols property to SslProtocols.Tls12 before calling ConnectSSL, or Connect followed by StartTLS:

// C#
using System.Security.Authentication;
using Limilabs.Client.SMTP;

using (Smtp smtp = new Smtp())
{
    // Must be set before the handshake, i.e. before ConnectSSL
    smtp.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;

    smtp.ConnectSSL("smtp.example.com");   // implicit SSL/TLS, port 465

    smtp.UseBestLogin("user@example.com", "password");

    // ... 

    smtp.Close();
}
' VB.NET
Imports System.Security.Authentication
Imports Limilabs.Client.SMTP

Using smtp As New Smtp()
	' Must be set before the handshake, i.e. before ConnectSSL
	smtp.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12

	smtp.ConnectSSL("smtp.example.com")   ' implicit SSL/TLS, port 465

	smtp.UseBestLogin("user@example.com", "password")

	'...

	smtp.Close()
End Using

Explicit SSL/TLS (STARTTLS)

For explicit SSL/TLS the code is almost the same. You first connect to the default, non-secure SMTP submission port (587) and then upgrade the connection using the Smtp.StartTLS method; the protocol restriction set beforehand applies to that upgrade:

// C#
using System.Security.Authentication;
using Limilabs.Client.SMTP;

using (Smtp smtp = new Smtp())
{
    smtp.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;

    smtp.Connect("smtp.example.com");   // plain connection, port 587
    smtp.StartTLS();                    // upgrade to TLS 1.2 only

    smtp.UseBestLogin("user@example.com", "password");

    // ... 

    smtp.Close();
}
' VB.NET
Imports System.Security.Authentication
Imports Limilabs.Client.SMTP

Using smtp As New Smtp()
	smtp.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12

	smtp.Connect("smtp.example.com")   ' plain connection, port 587
	smtp.StartTLS()                    ' upgrade to TLS 1.2 only

	smtp.UseBestLogin("user@example.com", "password")

	'...

	smtp.Close()
End Using

Older .NET framework versions

To use TLS 1.2 in the SMTP client, at least .NET Framework 4.5 must be installed on your machine and your application should target .NET 4.5 or later.

It is possible to use TLS 1.2 in applications targeting earlier .NET Framework versions, but 4.5 must be installed on the machine. After you have .NET 4.5 installed, your 2.0 to 4.0 app will use the 4.5 System.dll at runtime, and you can enable TLS 1.2 by casting the numeric value of SslProtocols.Tls12 (3072), which the older reference assemblies don’t define, to SslProtocols:

// C#

// 3072 is the value of SslProtocols.Tls12 in .NET 4.5+; the named member is
// missing from the 2.0-4.0 reference assemblies, so use the number.
smtp.SSLConfiguration.EnabledSslProtocols = 
    (SslProtocols)3072;

Using TLS 1.2 with .NET POP3 client

This article shows how to configure the Mail.dll POP3 client to use the TLS 1.2 protocol.

Restricting the protocol version rules out SSL 3.0, TLS 1.0 and TLS 1.1, which have known weaknesses, even when the server still offers them.

By default, clients and POP3 servers negotiate the highest SSL/TLS version they both support. Most systems no longer allow SSL 3.0, TLS 1.0 or TLS 1.1, and the Mail.dll POP3 component simply uses the most recent TLS version the server offers.

TLS 1.2 and 1.3 are the current, secure versions of TLS, and it is easy to force the connection to use them. Note that SslProtocols.Tls12 on its own also excludes TLS 1.3; on runtimes that define SslProtocols.Tls13 (.NET Framework 4.8, .NET Core 3.0 and later) you can allow both by combining the two flags with a bitwise OR.

All you need to do is set the Pop3.SSLConfiguration.EnabledSslProtocols property to SslProtocols.Tls12 before calling ConnectSSL, or Connect followed by StartTLS:

// C#
using System.Security.Authentication;
using Limilabs.Client.POP3;

using (Pop3 pop3 = new Pop3())
{
    // Must be set before the handshake, i.e. before ConnectSSL
    pop3.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;

    pop3.ConnectSSL("pop.example.com");   // implicit SSL/TLS, port 995

    pop3.UseBestLogin("user@example.com", "password");

    // ... 

    pop3.Close();
}
' VB.NET
Imports System.Security.Authentication
Imports Limilabs.Client.POP3

Using pop3 As New Pop3()
	' Must be set before the handshake, i.e. before ConnectSSL
	pop3.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12

	pop3.ConnectSSL("pop.example.com")   ' implicit SSL/TLS, port 995

	pop3.UseBestLogin("user@example.com", "password")

	'...

	pop3.Close()
End Using

For explicit SSL/TLS (STLS) the code is almost the same. You first connect to the default, non-secure POP3 port (110) and then upgrade the connection using the Pop3.StartTLS method; the protocol restriction set beforehand applies to that upgrade:

// C#
using System.Security.Authentication;
using Limilabs.Client.POP3;

using (Pop3 pop3 = new Pop3())
{
    pop3.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;

    pop3.Connect("pop.example.com");   // plain connection, port 110
    pop3.StartTLS();                   // upgrade to TLS 1.2 only

    pop3.UseBestLogin("user@example.com", "password");

    // ... 

    pop3.Close();
}
' VB.NET
Imports System.Security.Authentication
Imports Limilabs.Client.POP3

Using pop3 As New Pop3()
	pop3.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12

	pop3.Connect("pop.example.com")   ' plain connection, port 110
	pop3.StartTLS()                   ' upgrade to TLS 1.2 only

	pop3.UseBestLogin("user@example.com", "password")

	'...

	pop3.Close()
End Using

Older .NET framework versions

To use TLS 1.2 in the POP3 client, at least .NET Framework 4.5 must be installed on your machine and your application should target .NET 4.5 or later.

It is possible to use TLS 1.2 in applications targeting earlier .NET Framework versions, but 4.5 must be installed on the machine. After you have .NET 4.5 installed, your 2.0 to 4.0 apps will use the 4.5 System.dll at runtime, and you can enable TLS 1.2 by casting the numeric value of SslProtocols.Tls12 (3072), which the older reference assemblies don’t define, to SslProtocols:

// C#

// 3072 is the value of SslProtocols.Tls12 in .NET 4.5+; the named member is
// missing from the 2.0-4.0 reference assemblies, so use the number.
pop3.SSLConfiguration.EnabledSslProtocols = 
    (SslProtocols)3072;