Updated: March 6, 2024
We are excited to announce a significant update to Axigen, starting with version 10.5.12, where we are transitioning from OpenSSL 1.1.1 to OpenSSL 3. This change is crucial for enhancing the security of your Axigen deployment. In this blog post, we will explore the reasons behind this move and its impact, as well as provide guidance on how to smoothly transition to the new version.
Why OpenSSL 3
OpenSSL 1.1.1, a cornerstone of our security infrastructure, reached its end of life on September 11, 2023. Beyond that date it no longer receives publicly available security fixes. To keep our security protocols robust, we are upgrading to OpenSSL 3, the actively maintained branch, which brings stricter security defaults and is where fixes for future vulnerabilities will land.
Why OpenSSL 3 Is Only Available in X5 (10.5.12+)
Axigen X5 uses a completely new infrastructure for handling embedded libraries and adopts Bitdefender AntiMalware and AntiSpam, replacing the outdated Cyren solution. Due to the significant differences, supporting OpenSSL 3 in the Axigen X3 and X4 versions would be very challenging, leading us to include OpenSSL 3 exclusively in Axigen X5. We strongly encourage all users to upgrade to Axigen X5 for enhanced performance and security.
Potential Impact on Your Axigen Deployment
OpenSSL 3 ships with hardened security at its core.
On the other hand, the email space, where Axigen operates, presents a unique landscape marked by diversity and legacy systems.
Weighing security against usability, our team has chosen to follow the hardened defaults of OpenSSL 3 rather than relax them, aligning our practices with the enhanced measures introduced by the new version. This decision reflects our commitment to a secure environment for your communication infrastructure, but it also means that certain functionalities of current Axigen deployments may be affected. The specific changes and the services they may affect are detailed below.
1. Default Disabling of TLS 1.0 and 1.1
Following their formal deprecation in RFC 8996, TLS 1.0 and 1.1, together with the cipher suites tied to them, are now disabled by default. This affects both service listeners (SMTP, IMAP, WebMail, etc.) and the internal SSL clients Axigen operates (LDAP, Remote POP, IMAP migration, SMTP sending).
2. Default Certificate Validation
In line with OpenSSL's stricter defaults, SSL certificates are now validated more thoroughly: if the certificate has expired, its subject does not match the host name actually being connected to, or its issuing certificate authority is not trusted, the connection is not established. This also affects test clusters that use self-signed certificates, whose issuer is by definition not a trusted authority.
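As an added worked example (not Axigen code and not part of the original post), the following Python script reproduces items 1 and 2 above against a loopback listener configured with the new defaults: TLS 1.2 minimum and strict certificate validation. It assumes the `openssl` CLI is on PATH to mint a throwaway self-signed certificate; the listener, port and the host names `localhost` and `mail.example.test` are constructed for the demo. The `probe()` function is the reusable part: pointed at a real listener with the expected host name and your CA file, it reports which of the three rejection reasons applies, or that a legacy-only client is refused.

```python
"""Loopback reproduction of the two OpenSSL 3 behaviours described above.

Assumptions (not from the Axigen post): the 'openssl' CLI is on PATH so we can
mint a throwaway self-signed certificate, and Python's ssl module is linked
against OpenSSL 1.1.1 or 3.x. The listener and host names are constructed
for the demo.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading
import warnings

# --- throwaway self-signed certificate (the "test cluster" case) -------------
CERT_DIR = tempfile.mkdtemp(prefix="axigen-tls-demo-")
CERT = os.path.join(CERT_DIR, "cert.pem")
KEY = os.path.join(CERT_DIR, "key.pem")
subprocess.run(
    ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
     "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
     "-keyout", KEY, "-out", CERT],
    check=True, capture_output=True,
)

# X.509 verify error codes behind the three rejection reasons named in the post.
VERIFY_REASONS = {
    10: "certificate has expired",            # X509_V_ERR_CERT_HAS_EXPIRED
    18: "certificate authority not trusted",  # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "certificate authority not trusted",  # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20: "certificate authority not trusted",  # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    62: "subject does not match host name",   # X509_V_ERR_HOSTNAME_MISMATCH
}


def server_context():
    """Listener policy matching the new default: TLS 1.2 or newer only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(CERT, KEY)
    return ctx


def start_listener():
    """Serve TLS on 127.0.0.1:<ephemeral>; rejected handshakes are swallowed."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    lsock.settimeout(0.2)
    ctx = server_context()
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = lsock.accept()
            except socket.timeout:
                continue
            conn.settimeout(3)
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # block until the client closes
            except OSError:
                pass  # peer rejected our cert or offered an old protocol
        lsock.close()

    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1], stop


def probe(host, port, *, server_hostname, cafile=None, max_version=None):
    """One handshake attempt; returns (outcome, detail) as a client sees it."""
    ctx = ssl.create_default_context(cafile=cafile)
    if max_version is not None:  # deliberately offer only legacy versions
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            try:
                ctx.minimum_version = ssl.TLSVersion.TLSv1
                ctx.maximum_version = max_version
            except ValueError:  # this OpenSSL build has no TLS < 1.2 at all
                return ("handshake-failed", "version not available in client")
    try:
        with socket.create_connection((host, port), timeout=3) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return ("ok", tls.version())
    except ssl.SSLCertVerificationError as e:
        return ("cert-rejected", VERIFY_REASONS.get(e.verify_code, e.verify_message))
    except ssl.SSLError as e:
        return ("handshake-failed", e.reason or str(e))
    except OSError as e:
        return ("connection-error", type(e).__name__)


def run_scenarios():
    """Exercise the listener the way items 1 and 2 say OpenSSL 3 behaves."""
    port, stop = start_listener()
    try:
        return {
            # self-signed cert, system trust store only -> CA not trusted
            "untrusted-issuer": probe("127.0.0.1", port, server_hostname="localhost"),
            # cert trusted, but presented for a name it does not carry
            "wrong-subject": probe("127.0.0.1", port, cafile=CERT,
                                   server_hostname="mail.example.test"),
            # cert explicitly trusted and the name matches
            "trusted": probe("127.0.0.1", port, cafile=CERT, server_hostname="localhost"),
            # client capped at TLS 1.1 against a TLS 1.2+ listener
            "tls11-client": probe("127.0.0.1", port, cafile=CERT, server_hostname="localhost",
                                  max_version=ssl.TLSVersion.TLSv1_1),
        }
    finally:
        stop.set()


if __name__ == "__main__":
    for name, (outcome, detail) in run_scenarios().items():
        print(f"{name:17} {outcome:16} {detail}")
```

The listener here uses implicit TLS, as on SMTPS or IMAPS ports. For STARTTLS listeners (SMTP on 25/587, IMAP on 143) run the same context through the protocol's upgrade instead, for example `smtplib.SMTP(host, port).starttls(context=ctx)`; the certificate and version checks are identical once the TLS layer starts.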
3. Deprecation of Unsafe Legacy Renegotiation
Unsafe legacy renegotiation, that is, renegotiation with peers that do not implement the secure renegotiation extension of RFC 5746, is no longer allowed by default in OpenSSL 3. Renegotiation only exists in TLS 1.2 and earlier (TLS 1.3 removed it), so this affects connections on those versions in LDAP, RPOP, IMAP Migration, SMTP Sending, SMTP Receiving, POP3, POP3 Proxy, IMAP, and IMAP Proxy.
Test the New Version to Identify Tuning Needs
Before upgrading to Axigen 10.5.12 with OpenSSL 3 in a production environment, we strongly recommend testing the new version on a dedicated platform. This ensures a smooth transition and allows you to address any issues that may arise during the testing phase.
If you encounter any issues or need to fine-tune some of the settings, please contact our tech support team.
Frequently Asked Questions
1. How does OpenSSL 3 improve email security and help meet trustworthy email requirements (compared to OpenSSL 1.1.1)?
Trustworthy email, as defined in NIST Special Publication 800-177 Rev. 1, covers a wide range of requirements and recommendations for hardening and strengthening the security of your email server.
OpenSSL 3 in particular helps address some of them through:
- Updated Cryptographic Standards: OpenSSL 3 adheres to the latest cryptographic standards, offering advanced algorithms for encryption, which enhances the security of email in transit.
- Enhanced Algorithm Support: It supports stronger and more secure cryptographic algorithms for hashing, signing, and encryption, which are crucial for secure email exchange.
- Protocol Security Improvements: By deprecating outdated protocols like TLS 1.0 and 1.1, and enhancing support for TLS 1.2 and 1.3, OpenSSL 3 ensures secure transport layers for email servers.
- Improved Configuration Options: Offers more secure default configurations and the ability to disable legacy features, reducing the attack surface for email servers.
At Axigen, we place significant emphasis on email server security, continuously updating our product against evolving threats. To understand how these updates enhance your email server security, see our Internal Security Update Beginning of 2024.
2. Can existing Axigen configurations and customizations be automatically migrated to OpenSSL 3, or will manual adjustments be necessary?
Regarding the migration of existing Axigen configurations and customizations to OpenSSL 3, the process might not be entirely seamless and could require manual adjustments.
While versions starting with Axigen 10.5.12 support OpenSSL 3, differences in cryptographic algorithms, security policies, and API changes between OpenSSL 1.1.1 and OpenSSL 3 may necessitate reviewing and updating configurations to ensure compatibility and maintain the desired level of security. It's important to carefully test your specific configurations in a controlled environment before applying these changes to your production systems.
3. What specific steps should I take when testing 10.5.12+ with OpenSSL3 on a staging platform to ensure a smooth transition?
To test Axigen 10.5.12+ with OpenSSL 3 on a staging platform before full deployment, you should first set up a test environment that mirrors the production setup as closely as possible.
This includes installing the new Axigen version, configuring it according to the production specifications, and then conducting a series of tests. These tests should cover all aspects of the email system's functionality, including sending and receiving emails, SSL / TLS encryption, authentication processes, and any custom integrations or scripts.
Monitoring the system for any errors or performance issues during these tests can help identify any adjustments that need to be made before migrating the production environment to the new version. This ensures that potential issues can be addressed in a controlled manner, minimizing the risk of disruptions to email services during the upgrade process.