9.7. Encryption Strength

Cryptography and CPU performance have improved rapidly in recent years. Encryption methods that used to be considered secure are now considered cracked and should therefore no longer be used. However, there are still older systems that are not yet able to handle newer methods.

The Intra2net system allows specific control of the available encryption methods, separately for connections from the local network and from the Internet. The settings can be found in the "System > Web interface > Security" menu. They apply to connections secured with SSL or TLS for the following protocols and services: the web interface and web groupware, ActiveSync, POP3(S), IMAP(S) and SMTP-Submission.

The following options are available for each of the two areas:

Normal: Only connections with TLS 1.2 and TLS 1.3 are accepted. PFS is enforced for all connections. This is the recommended setting for all connections.
Compatibility for Windows 7: Like "Normal", but TLS 1.0 is also allowed for the IMAP service. This setting is intended for connecting email clients on Windows 7 systems on which TLS 1.2 has not yet been enabled in the registry (see below).
Weak (Windows XP compatible): Allows weaker encryption and key exchange methods as well as TLS 1.0 to provide compatibility with older operating systems such as Windows XP. However, this setting disables the RC4 method, which is considered broken. With newer systems that support stronger methods, including PFS, these are negotiated automatically.
Very weak (for testing purposes only): Allows connections with weak and cracked encryption methods such as RC4. This setting is a security risk and should only be enabled temporarily for testing purposes.

Perfect Forward Secrecy (PFS). PFS ensures that transmitted data cannot be decrypted even if the private key of the Intra2net system becomes known at a later time and a previously recorded transmission is analyzed with knowledge of that private key.

Windows 7 and TLS 1.2. Windows 7 supports TLS 1.2 in principle, but this support is not enabled by default for all system libraries. It must be enabled via a setting in the registry. The .reg file with the appropriate settings is linked in the online help of the Intra2net system for the menu "System > Web interface > Security". Once TLS 1.2 has been enabled on all Windows 7 clients, the encryption strength should be changed to "Normal".
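
One way to check from a client whether a negotiated session stays within the "Normal" setting described above (TLS 1.2 or 1.3, PFS enforced). This is an added example, not part of the Intra2net documentation or software. The function names and sample values are assumptions made for illustration, and cipher names follow OpenSSL naming as reported by Python's ssl module.

```python
import socket
import ssl
import sys

# "Normal" as described above: TLS 1.2 and TLS 1.3 only, PFS enforced.
NORMAL_VERSIONS = {"TLSv1.2", "TLSv1.3"}

def has_forward_secrecy(version, cipher):
    """True if the key exchange is ephemeral (OpenSSL cipher naming)."""
    if version == "TLSv1.3":
        return True  # a full TLS 1.3 handshake always uses (EC)DHE
    return cipher.startswith(("ECDHE-", "DHE-", "EDH-"))

def deviations_from_normal(version, cipher):
    """List the ways a negotiated session falls outside "Normal"."""
    problems = []
    if version not in NORMAL_VERSIONS:
        problems.append("protocol " + str(version))
    if "RC4" in cipher:
        problems.append("RC4 cipher")
    if not has_forward_secrecy(version, cipher):
        problems.append("no forward secrecy")
    return problems

def probe(host, port):
    """Handshake with an implicit-TLS port (443, 993, 995) and return
    (version, cipher) as negotiated with this client's defaults."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: the certificate is
    ctx.verify_mode = ssl.CERT_NONE  # not validated, only parameters are read
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

# Constructed sample results (not captured from a real system).
SAMPLES = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("TLSv1.2", "AES256-GCM-SHA384"),   # static RSA key exchange
    ("TLSv1", "ECDHE-RSA-AES256-SHA"),
    ("TLSv1", "RC4-SHA"),
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # optional: host and port of your own system
        SAMPLES = [probe(sys.argv[1], int(sys.argv[2]))]
    for version, cipher in SAMPLES:
        print(version, cipher, deviations_from_normal(version, cipher) or "OK")
```

Run without arguments, the script evaluates the constructed samples. The probe reports only what a current client negotiates, so it cannot show whether the server would also accept older protocols from a legacy client.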