Monthly Archives: March 2017

Classic ASP switch to TLS 1.2

I recently came across a failed PCI scan for one of our clients. This failure was due to TLS 1.0 being enabled on that Windows server.

We ran IISCRYPTO (link) and disabled TLS.

Upon restarting the server, the Classic ASP site threw the following error:

Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC SQL Server Driver][DBNETLIB]SSL Security error

That error occurs because the server no longer allows TLS 1.0, and the Classic ASP application (web site) is connecting to SQL Server through a driver (the legacy ODBC SQL Server driver, DBNETLIB, named in the error) that is too old to negotiate TLS 1.1 or 1.2.

To get around this, download the latest ODBC driver from Microsoft, which is version 13.1 as of today. You will most likely need the 32-bit version, since most Classic ASP apps run in 32-bit mode. Link here

Install that driver.

Then, on your Windows server, open Administrative Tools and launch ODBC Data Sources (32-bit).

The 32-bit ODBC Administrator is found here: C:\Windows\SysWOW64\odbcad32.exe

Go to the System DSN tab.

Add a new data source.

Pick “ODBC Driver 13 for SQL Server” and hit Finish.

Enter a name for the data source (no spaces or punctuation) and the server name (or IP address), then Next.

Authentication: use SQL Server authentication, enter the Login ID and password, then Next.

Continue through the remaining pages, then test the connection (it should work).

Go to your Classic ASP application.

You will need to update the connection string to this:

DSN=YourNewSystemDSNName;Uid=YourSQLUsernameHere;Pwd=SQLpassword;

You can now use IISCrypto and disable TLS 1.0.

Reboot the server.

Re-test your Classic ASP app; it should now be up and running on TLS 1.1 or 1.2.

Adding DKIM records to Kerio Connect

If you want to implement DKIM (signed email) in your Kerio Connect setup, here’s the easy way.

Start by reading these links:

Kerio link 1

Kerio link 2

The following setup is for Kerio Connect 9.x and a Windows Server 201X DNS server.

  1. Make sure your email server is properly connected to a good public DNS server, such as Google (8.8.8.8 and 8.8.4.4).
  2. Go to Kerio Connect, Configuration, Domains.
  3. Click SHOW PUBLIC KEY and copy it.
  4. Paste it into Notepad. We’ll need to rework it a bit to be compatible with Windows DNS. Note: Windows DNS limits the length of one single string of characters, so we’ll need to split the key into several lines.
  5. Reformat it like this. Break it into even lines, around 100 characters each. The exact length doesn’t matter; just break it evenly, hitting Enter at each breakpoint.
  6. NOTE: make SURE there is a SPACE between the semicolon and the p
    1. as in v=DKIM1; p=xxxx
  7. Example of a properly reformatted key.
  8. Copy this reformatted string.
  9. Go to the domain in your Windows DNS server. For example, if your domain is mydomain.com, go to that domain in the DNS Server management console.
  10. Right-click, other records, add a TXT record.
  11. Record name is: mail._domainkey
  12. After you enter that, you will see the FQDN look like this:
    1. mail._domainkey.mydomain.com
  13. Paste the string from #7 above into the text box, as-is.
  14. Hit OK and save that change.
  15. Repeat this for any other domain. On Kerio Connect, all the domains on the one email server use the exact same DKIM keys.
  16. Now we are going to test the DKIM record to make sure it can be properly read.
    1. Go to https://mxtoolbox.com/
    2. Type in your domain.
    3. Hit Check MX.
    4. When that completes (successfully), change the drop-down to “DKIM Lookup”
      1. Type in your full DKIM string:
      2. mail._domainkey.mydomain.com.
    5. Run the DKIM Lookup.
    6. You should see a successful test, and your report should look just like this:
    7. If it doesn’t look like this, then you did something wrong with your TXT record creation, or you forgot to put the entire DKIM key in the lookup.
    8. Since all is well, proceed.
  17. Next, go back to Kerio Connect.
  18. While still on the domain, check the checkbox to enable DKIM.
  19. If the DNS on your email server is set up properly, and it is communicating properly with your DNS server, you should see the box above.
    1. If you see the message “DKIM public key not found in public DNS”:
    2. try restarting KMS
    3. try going to a command prompt and running ipconfig /flushdns
  20. Presuming that you do see the proper message in #18 above, we now need to send a test email to verify everything is working.
  21. Go to http://www.appmaildev.com/en/dkim
  22. Click Next Step.
  23. The site will generate an email address.
  24. Copy this email address and send a blank email to that address FROM AN EMAIL ACCOUNT ON THE DOMAIN you set up with DKIM above.
  25. Wait for the site to receive the email and generate its report (a few seconds).
  26. You should see DKIM = PASS.
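The reformatting in steps 4 to 6 and the read-back check in step 16, as an added Python example (not code from the original post or from Kerio): it strips the pasted key, rebuilds it with the required space after the semicolon, splits it into even lines for the Windows DNS TXT dialog, and then models what a DKIM verifier sees when the TXT strings come back from DNS. The key below is a constructed sample, not a real one; the 255-byte limit is the DNS per-string limit, the 100-character default is the post's own guideline.

```python
import base64
import math
import re

# CONSTRUCTED sample of what Kerio's SHOW PUBLIC KEY button gives you;
# not a real key (a real RSA-2048 key is also about 400 characters).
KERIO_PUBLIC_KEY = (
    "v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
    + "A" * 338 + "IDAQAB"
)

DNS_STRING_LIMIT = 255  # hard limit per character-string in a TXT record


def normalize_dkim_record(raw: str) -> str:
    """Drop stray whitespace and newlines from the pasted key and rebuild
    'tag=value; tag=value' with one space after each semicolon (step 6)."""
    compact = re.sub(r"\s+", "", raw)
    return "; ".join(tag for tag in compact.split(";") if tag)


def split_for_windows_dns(record: str, max_len: int = 100) -> list[str]:
    """Split the record into evenly sized lines of at most max_len characters,
    one per TXT string, the way the Windows DNS TXT dialog needs it (step 5)."""
    parts = math.ceil(len(record) / max_len)
    size = math.ceil(len(record) / parts)
    lines = [record[i:i + size] for i in range(0, len(record), size)]
    # A break right at the space in "; p=" would leave a line that starts or
    # ends with a blank, which is easy to lose when pasting; refuse that.
    if any(line != line.strip() for line in lines):
        raise ValueError("a line boundary fell on whitespace; change max_len")
    return lines


def check_published_record(strings: list[str]) -> str:
    """Model what a DKIM verifier does with the TXT answer: concatenate the
    strings with no separator (RFC 6376 section 3.6.2.2), then check the
    tags. Raises ValueError on anything the lookup in step 16 would flag."""
    if any(len(s.encode()) > DNS_STRING_LIMIT for s in strings):
        raise ValueError("a TXT string is longer than 255 bytes")
    record = "".join(strings)
    if "; p=" not in record:
        raise ValueError("no space between the semicolon and p= (step 6)")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if t.strip())
    if tags.get("v") != "DKIM1":
        raise ValueError("record does not start with v=DKIM1")
    base64.b64decode(tags["p"], validate=True)  # p must be clean base64
    return record
```

Run normalize_dkim_record on the key you copied from Kerio, paste each string from split_for_windows_dns as one line of the TXT record, and feed the strings the DKIM Lookup returns to check_published_record before enabling DKIM in Kerio.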

While you’re at it, don’t forget to create SPF and DMARC records for your domain to cover all the bases.