Replying to a message from: Anonymous

Thank you for your response. I will get an email out or call you a little later.

As you say, for the viewers' sake:

I completely understand the socket is created, which is why I was mentioning in my earlier post that it must be creating a second connection in order for this implementation to work. It is most certainly not proxying everything in one stateful connection.

If this was the case, why are you allowed to use the same certificate from a different server, as detailed on your site here [http://www.xeams.com/using-iis-cert.htm], with no mention that the certificate name must include the Xeams server as an alternative name? The TLS session would fail on validation tests if the hostname used in your IIS certificate server example above was different to your Xeams server hostname. Your site needs to mention this, or at the very least explain that only wildcard certificates would work using those instructions. Give it a try. Export a certificate with an alternative hostname [server-name] and import it into your Xeams lab server, then run a TLS session with Xeams and let me know what you guys get. In theory it would work if both machines had the same name OR it was on a SAN certificate OR you used a wildcard, but that's all.

Another example: if you shut down your Exchange server and run the same test at checktls.com, you will find that the maximum the sender's server can do is connect to Xeams, but no TLS will take place and the test will fail. This is another indicator that Xeams is not properly implementing TLS according to standards, or for that matter according to the way your explanation is.
If a socket was created (IP:Port), then at least a secure session should start and then fail on the relay of verbal messages / debug, which does not occur. Give it a try for yourselves.

I'd also like to add that if Xeams was doing the TLS with the sending mail server and then opening a new socket for delivery to Exchange, why cannot this new connection be in TLS too? A simple proxy ARP or ARP-on-behalf spoof could ultimately catch all the email data for inspection between Exchange and Xeams, as it is unencrypted.

I am a little sceptical about the security of certificates being installed on Xeams servers.

Could you guys please clarify further?

Thank you,
James
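The hostname-validation rules James's post relies on (the certificate is accepted only if its name equals the server's hostname, lists it as a SAN entry, or covers it with a single-label wildcard) as an added, constructed example; this is not code from the thread, from Xeams, or from any TLS library, and the certificate names and hostnames in it are made up.

```python
"""Hostname-vs-certificate matching, the check a TLS client runs after the handshake.

Constructed example (not Xeams' or any library's code) of the RFC 6125 rules a
client applies: the presented name must equal the server's hostname exactly,
appear as a DNS subjectAltName, or match a single-label wildcard pattern.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """Names carried by a certificate: CN from the subject, DNS entries from SAN."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against a hostname (case-insensitive)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard may only be the entire leftmost label, and needs at least two
    # more labels after it, so "*.com" cannot match every .com host.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # The wildcard matches exactly one label, never "a.b".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """True if a client connecting to `hostname` would accept `cert`."""
    if cert.san_dns:
        # When DNS SANs are present, clients ignore the CN entirely.
        return any(_name_matches(n, hostname) for n in cert.san_dns)
    return _name_matches(cert.common_name, hostname)


if __name__ == "__main__":
    # Constructed certs: an Exchange cert reused on a differently named gateway.
    exchange_only = CertNames("mail.example.com")
    with_san = CertNames("mail.example.com", ["mail.example.com", "gateway.example.com"])
    wildcard = CertNames("*.example.com")
    for cert in (exchange_only, with_san, wildcard):
        print(cert, "->", hostname_matches(cert, "gateway.example.com"))
```

Only the SAN and wildcard certificates pass for the gateway hostname; the exported single-name certificate fails, which is the outcome the post predicts for a sending server that validates the name.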