wehuberconsultingllc.com


Adventures with iRedMail – Part II

May 24th, 2009 · Linux, OpenSource, SBS2K-SBS2K3, firewall

In the first installment of Adventures with iRedMail I got it to send emails but I left the MS Exchange integration for another day. Since then I have updated my DNS zone with the DKIM information, set up local DNS information, decided on naming standards, and reconfigured Postfix several times before I got it right.

Updating the DNS with DKIM information

This task was relatively easy. I copied the DKIM information in the iRedMail.tips into a trouble ticket with my web provider. About 24 hours later it was ready to test. I sent emails to my Yahoo account, sa-test@sendmail.net, and autorespond+dkim@dk.elandsys.com. Although the email from dk.elandsys.com was the first to respond, it said it did not work. When I checked my Yahoo account the headers said the email was signed correctly with DKIM. Ironically the return email from sendmail.net ended up in my Junk Mail folder. It said that everything worked correctly. For one more test I created a Gmail account and sent an email to it, too. It said the email was signed correctly.

Local DNS, naming standards, and more Postfix problems

The next challenge was to configure Postfix to accept both local email addresses and email addresses for the Exchange server under the same domain. I used PostfixAdmin to create Aliases that pointed to the Exchange server emails (e.g. myemail@mybusiness.com points to myemail@mybusiness.local). Postfix complained about the DNS records for my Exchange server so I added mybusiness.local as a relay_domain and set up a pseudo DNS so that Postfix can find the IP address for my Exchange server. In my case I decided to let my pfSense firewall act as a local DNS server to serve up the local IP addresses. At this point I can email to everyone from a local iRedMail account but I cannot get replies until I set up iRedMail as the SMTP gateway and the Exchange server as a relay domain.

Postfix domain checks get me again!

It took me a long time to figure this out. When I changed the firewall to redirect SMTP traffic to the Postfix gateway I could not get any mail. I thought I had messed up the firewall settings so I kept trying different settings. I was pretty limited with my testing tools. If I could Telnet into port 25 I could see what is happening but I could not make the connection work as long as I was located on this side of the firewall. Fortunately I found a solution on the Internet. The dnsqueries.com site provides a page, http://www.dnsqueries.com/en/smtp_test_check.php, that allows me to check my local SMTP connection using their server. Within minutes I figured out that my email server did not like my sender’s domain. In fact it did not like anyone’s domain. This was the same type of problem I had with the Postfix recipient domain check, so I removed the sender domain check and the emails started flowing.

What have I achieved?

  • I have a gateway that checks all incoming mail for spam and viruses. Postini offers a similar service for about $1 per user per month. We use MXLogic at work.
  • I have an alternate email server that allows me to send email that passes the SPF and DKIM checks. One of the reasons I investigated iRedMail was to use it for sending out a newsletter at work. Like many Internet retailers we get a chunk of our business as a result of our biweekly newsletter. In our case DKIM is another piece of the puzzle to improve our sender reputation. Since both Yahoo and Gmail require DKIM signing in order to set up feedback loops, DKIM is probably essential if you have ambitions of having a pristine email list. For those folks looking at ways to cut the umbilical cord to Microsoft this is one of several low cost, low maintenance migration alternatives to a local Exchange server.


Adventures with iRedMail

May 17th, 2009 · Linux

I read this article on HowtoForge and decided to give it a try. I was not as successful as the author.

iRedMail: Full-Featured Mail Server With LDAP, Postfix, RoundCube, Dovecot, ClamAV, DKIM, SPF On CentOS 5.x Debian (Lenny) 5.0.1

iRedMail is a shell script that lets you quickly deploy a full-featured mail solution in less than 2 minutes on CentOS 5.x and Debian (Lenny) 5.0.1 (it supports both i386 and x86_64).

iRedMail: Build A Full-Featured Mail Server With LDAP, Postfix, RoundCube, Dovecot, ClamAV,SpamAssassin, DKIM, SPF On CentOS 5.x | HowtoForge – Linux Howtos and Tutorials

My first try was to use the script to update a CentOS 5.3 workstation installation. It went smoothly until I tried to look at the keys used by DKIM. I ran into trouble with the LDAP option. OpenLDAP would not install due to a missing file. So I took the MySQL option. That was when I found a series of problems. Most of the problems were minor. My initial mail userid used Chinese. Since I was particularly interested in DKIM I was disappointed to find out that Amavisd was running at a version that did not support DKIM. I quickly realized that this was taking too much time and a better solution was to install a virtual machine using the iRedOS. This is a CentOS 5 installation with all of the prerequisites already installed.

Creating a virtual machine mail server went pretty smoothly. The only problem I found with the installation was that I was unable to send mail. I quickly realized that I needed to install Webmin so I could perform normal system maintenance and troubleshoot. After I installed Webmin I found my problem. Postfix thought Yahoo was an unknown domain. Although I am not familiar with the intricacies of Postfix I found that if I removed the configuration parameter “reject_unknown_recipient_domain” I could send emails successfully. This is not a fix but it will work for me until I figure out the problem between the DNS and Postfix.
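The workaround above (removing reject_unknown_recipient_domain) and the removal of the sender domain check described in Part II both leave the gateway without its unknown-domain rejection until the DNS problem is found. The following audit of main.cf text is an added example, not code from these posts, iRedMail or Postfix; the two sample configurations are constructed, and it assumes the checks live in the standard smtpd_*_restrictions lists. It also recognizes Postfix's warn_if_reject prefix, which logs a warning instead of rejecting.

```python
"""Audit Postfix main.cf text for the unknown-domain rejection checks."""
import re

# The recipient check named in the post and its sender-side counterpart.
DOMAIN_CHECKS = ("reject_unknown_sender_domain", "reject_unknown_recipient_domain")

# Postfix restriction lists in which those checks are normally placed.
RESTRICTION_PARAMS = (
    "smtpd_sender_restrictions",
    "smtpd_recipient_restrictions",
    "smtpd_relay_restrictions",
)

# Constructed sample: gateway after the workaround (both checks removed,
# Exchange domain relayed). Not the author's actual file.
WORKAROUND_CF = """\
relay_domains = mybusiness.local
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Constructed sample: checks restored, sender check in log-only mode.
RESTORED_CF = """\
relay_domains = mybusiness.local
smtpd_sender_restrictions =
    warn_if_reject reject_unknown_sender_domain
smtpd_recipient_restrictions =
    permit_mynetworks,
    # a comment inside a continued value is skipped
    reject_unauth_destination,
    reject_unknown_recipient_domain
"""


def parse_main_cf(text):
    """Return {parameter: value} using main.cf syntax: '#' lines are
    comments, blank lines are ignored, and a line that starts with
    whitespace continues the previous logical line."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            current = None
            continue
        current = name.strip()
        params[current] = value.strip()  # a later definition wins
    return params


def split_list(value):
    """Restriction and domain lists are separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def audit(text):
    """Classify each domain check as 'enforced', 'warn_only' or 'absent',
    and list the domains this gateway relays onward."""
    params = parse_main_cf(text)
    status = {check: "absent" for check in DOMAIN_CHECKS}
    for pname in RESTRICTION_PARAMS:
        warn_next = False
        for tok in split_list(params.get(pname, "")):
            if tok == "warn_if_reject":
                warn_next = True  # applies to the restriction that follows
                continue
            if tok in status:
                if not warn_next:
                    status[tok] = "enforced"
                elif status[tok] == "absent":
                    status[tok] = "warn_only"
            warn_next = False
    status["relay_domains"] = split_list(params.get("relay_domains", ""))
    return status


if __name__ == "__main__":
    for label, cf in (("workaround", WORKAROUND_CF), ("restored", RESTORED_CF)):
        print(label, audit(cf))
```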

My next trick is to set up the mail server as a mail relay to my Exchange server. Technically this could be a first step in migrating off of Exchange to a non-Microsoft cloud computing environment. There are a lot of good things to be said about Exchange but there are even more good things to say about cloud-based email. Making the transition to a low cost, highly dependable, feature rich email environment with the least amount of pain is the challenge for both the Microsoft and open source communities.


Getting McAfee to work behind an ISA 2004 Firewall

May 17th, 2009 · SBS2K-SBS2K3, firewall

It has been a long time since I actively worked with Microsoft’s ISA Firewall so it took me some time to fix this problem. Buy.com periodically offers a 3 computer version of McAfee at a very cheap price. Since I am somewhat ambivalent about the merits of one virus checking software over another, I bought a copy to replace a TrendMicro version up for renewal. The installation did not flag any errors or warnings so it took about a week before I noticed that the patterns had not updated. Yesterday I decided to fix the problem and write down for posterity how I accomplished it.

Unlike many firewalls Microsoft’s firewall typically restricts anonymous access. This typically is not a problem for most applications that run on Windows computers since the users are logged into the Active Domain. Occasionally there are applications that fail to connect to the internet despite the user being logged into the domain. Most of the time you need to open some non-standard ports to fix the problem. In this case McAfee is using standard HTTP and HTTPS ports and still failing to connect.

The solution is to create an anonymous access rule to the McAfee update site and to configure the client to not use the ISA Firewall client for these sites. One way to accomplish this is to configure Internet Explorer (Tools - Internet Options - Connections - LAN settings - Advanced) to not use the proxy. This is the way I got McAfee to update. Another way is to configure the properties for the internal network in ISA to use direct access for these sites. You can configure a GPO, too.


Welcome to Windows 7

May 12th, 2009 · windows

Last weekend I took the plunge and installed Windows 7 RC. The hardest part was freeing up some disk space and partitioning the hard drive. After a few defrag runs I was ready to partition. Dual booting is the way to go. There are no special tricks. Just let Windows 7 install in the unpartitioned space. The installation was pretty uneventful. My laptop is about three years old, it has 2 GB of ram, and it passed the Windows 7 compatibility check. The installation found drivers for everything although it had to get the Ricoh drivers off of the Internet.

The part I was most interested in was what would I install first. The first four programs were the virus checking software, FeedDemon, Windows Live Writer, and Flash. I chose a trial version of AVG available at http://free.avg.com/download-avg-anti-virus-free-edition. I like AVG but it triggers a PC issue message in Windows 7. I guess AVG and Windows have a few things to work out. It did not take too long after running FeedDemon that I ran into a web page requiring Flash. When I decided to write a post about my Windows 7 experience I installed Windows Live Writer. To set up Windows Live Writer I needed KeePass since that is where I store my passwords.

To transfer files from Windows XP into Windows 7 I am using two methods. With the first method I created a shared folder at the root of the Windows 7 drive and copied files into the folder using XP. I could not browse the XP version of the “My Documents” folder using Windows 7 and was not into the “take ownership” thing. The second method uses Dropbox.

So far my experience has been very positive. The interface is nice and the computer seems as fast as it was under XP. I think Microsoft has a winner if they price it right. The interface of Linux and the Mac are nice, too!


In and Out of Bluetooth Hell

April 25th, 2009 · Mobility

This all started out when I noticed that I had left my Blackberry USB cable at work. Since the Blackberry USB is pretty unique I would have to go find my Blackberry charger to charge my phone. That got me to thinking that this might be a good time to set up my WiFi and Bluetooth connections. Setting up the WiFi connection was simple and uneventful. Now I have faster web browsing on my phone while I am in my house. Setting up the Bluetooth connection was not that easy.

Shortly after I purchased my laptop three years ago I decided to add a bluetooth card. My thought at the time was to use a bluetooth headset for VoIP phone calls. The VoIP project did not work out so I turned off  the bluetooth card. What I remember of that work was that I had to install the Toshiba bluetooth stack to make the bluetooth connection work. I do not remember ever getting the Microsoft bluetooth software to pair up with the bluetooth device.

So I go into the Toshiba software and turn on the bluetooth card. Within about five minutes I have my Blackberry 8900 paired up with my laptop. Everything looks so slick! I have visions of a tethered laptop. One last test remains. I cranked up the Desktop Manager and started the bluetooth configuration. Lo and behold, the Desktop manager cannot find a bluetooth device! I’ve got a paired device. What do you mean you cannot see it?

After some research I find out that those fine folks at RIM only work with the Microsoft bluetooth stack. Well that sucks! So I removed the Toshiba stack and rebooted. After it finishes rebooting, I try to pair up. The Microsoft software cannot find any bluetooth device. I seem to remember being in this position once before.

After a little more research I find this post, BostonPocketPC – Remove Toshiba Bluetooth Drivers and Install Microsoft Bluetooth Stack. Although I do not use the Vista operating system, the author implied that there were new bluetooth drivers from Microsoft and the easiest way to install them was to install a recent version of Intellipoint. I installed Intellipoint and nothing changed. The drivers still had a 2-001 date. It looks like I am still using the old drivers. So I deleted the existing bluetooth device configuration in the Device Manager, turned off my WiFi and bluetooth (Fn F2), and rebooted. When XP rebooted it found the bluetooth card and installed the new drivers. Although my phone could not be found using the normal bluetooth (PAN) search, it was found using the control panel version. My Blackberry 8900 is evidently an “other” bluetooth device. Within a few minutes I was paired up and synchronizing my contacts. I am still a little miffed that I cannot manage my media files but it works for basic synchronization. I suspect that is on the ToDo list for the developers at RIM. Wow, that took a lot longer than I expected!

Correction 4/26/09

This morning I checked the bluetooth synchronization again and the Microsoft stack does not pair up. I guess I am going back to the Toshiba stack. At least it works as a modem!


Picks and Pans

April 23rd, 2009 · General

PrtScr

I was just about to pan PrtScr until shortly after I installed it I wanted to add a copy of an embedded Flash animated graphic. Foolish me! My first choice was to make a PDF of the web page. It turned out to be a terrible choice. The original chart had subtle shades of red. The PDF had one big blob of red. Score one for PrtScr. Selecting a rectangular area was a bit of a challenge on my laptop. I had to press on the Ctrl Key and the left mouse button while marking the area. I wish I could remap the PrtScr keys. SnagIt appears to be the favorite but it costs money.

Quotepad

I thought I would have an immediate use for Quotepad. It looks promising. I use Cut-and-Paste often at work but I have not used QuotePad yet beyond the initial trial. Keeping Clipboard history is a favorite requested feature for a lot of users and there are a lot of competitors in this area.

uSbuntu

I found uSbuntu on HowtoForge and it looked promising, too. A bootable Ubuntu that could also work under Windows. Too bad I was not able to get it to boot under Windows. It kept complaining about memory problems. Portable VirtualBox looked promising at first because it is so slim compared to VMServer. Too bad I never got it to boot completely.

Portable Ubuntu

I found Portable Ubuntu on Lifehacker. Portable Ubuntu installed with a minimum of problems. It was easy to install and in my limited testing, it worked without a fuss. My biggest problem is that I really don’t have a real use for Ubuntu. One of the areas Linux excels in is network testing. Backtrack3 is my favorite in this area but I have to reboot. So as an extra test I decided to install a Nmap variant called knmap. It installed and it worked. Not bad!


Top free tools for Windows server administration

April 9th, 2009 · IIS, sql

Every so often you find a tool you have never heard of. This week the tool that caught my attention was Performance Analysis of Logs (PAL). It was recommended by Bruce Mackenzie-Low in a newsletter from SearchWindowsServer.com and it looks like it will be helpful with the “art” of performance analysis. I played with it a little bit using the IIS and SQL templates. It seemed to provide some helpful insight into potential performance issues. My aim is to analyze our web server for IIS and database bottlenecks.


pfSense 1.2.2 Upgrade

April 5th, 2009 · firewall

Last year I finally got around to installing pfSense 1.2 and some packages. Last week I decided to upgrade to the latest release. I chose to use the command line version of the upgrade process and it worked great at updating the base package. The upgrade documentation is a little fuzzy about updating the packages. When I logged into the administrative panel the firewall started to upgrade the packages. That kind of worked but most of the packages I checked were not working after the upgrade. I tried to manually update or uninstall SNORT but it ignored me. So I rebooted the firewall.

As the firewall came up the second time, it upgraded SNORT. After logging into the administrative panel again, I saw that NMAP worked. Okay, that’s a step forward. Next I tried NTOP but the screen would not come up. Thinking it might have forgotten the configuration settings, I configured NTOP. It worked. Next I installed Open-VM-Tools since I run my firewall as a virtual machine. Finally I tried SNORT. I could configure it but it still had problems downloading rules. This was the problem I had previously under 1.2 so I uninstalled SNORT. Everything seems to be working so it is probably safe to forget it for a couple more months.


Portable Ubuntu Runs Ubuntu Inside Windows [Downloads]

April 4th, 2009 · General

I gave the Portable Ubuntu program a run today. I manually extracted the files using 7Zip since the executable had an error when it extracted the files. Then it took about three runs before my firewall, Comodo, and I agreed on the executables to unblock. I did get Portable Ubuntu to burp and stick my PC with a task using 50% of the CPU. Restarting Portable Ubuntu fixed that problem. Other than the burp, the performance was adequate. The biggest problem is I am not sure what I would use it for. A Portable BackTrack 3 might be more interesting since it has Linux applications I am interested in using occasionally.

Windows only: Free application Portable Ubuntu for Windows runs an entire Linux operating system as a Windows application. As if that weren’t cool enough, it’s portable, so you can carry it on your…

Portable Ubuntu Runs Ubuntu Inside Windows [Downloads]
Kevin Purdy
Fri, 03 Apr 2009 22:00:00 GMT


IE8 Compatibility Problem Solved!

April 4th, 2009 · CSS/WebDesign

I fixed the IE8 Compatibility Problem I talked about previously. The login screen was missing some of the most basic HTML tags. I have seen several early ASP files that ignored the basic HTML tags and page structure. Since the page worked with the current browsers there was no need to fix it even though it had HTML validation errors. I am not sure which missing tag caused the problem but adding the <html>, <head>, and <body> tags fixed the problem.  ;)


Script all data of a table – SQLServerCentral

April 3rd, 2009 · windows

I made a couple of minor changes to the provided script and I got Script all data of a table – SQLServerCentral to work with SQL 2000. I like the idea of creating scripts to transfer/update/re-create tables. I have been using Excel to create scripts to update shipping costs for some time. Nice work Florian!


Downloads: DropboxPortable Syncs Files to Your Thumb Drive

March 29th, 2009 · General, OpenSource

Windows only: Free application DropboxPortable makes the popular file-syncing application thumb-drive friendly, so you can access your synced bucket from your thumb drive no matter what computer you’re using.

Downloads: DropboxPortable Syncs Files to Your Thumb Drive

I finally gave this program a test run and I was pleased with the results. Recently I split up my KeePass password database into three databases, work, charity work, and personal. I kept a copy of the files on a USB dongle so I could deal with the occasional emergency at work or at home.  I used SyncToy to keep the files  synchronized but I have screwed up on more than one occasion and updated the passwords in two locations without synchronizing first. DropBox has the potential to eliminate that problem. I am slightly uncomfortable with storing a strongly encrypted password file in the cloud but I am pretty sure there are much easier ways of getting my passwords than cracking this encryption scheme.


IE8 Compatibility Problem

March 23rd, 2009 · CSS/WebDesign

I have been pretty busy this year with a move to a new warehouse so I did not get around to checking IE8 out until last week. So I installed the released version of IE8 for a quick checkout. It is scheduled to go on automatic updates in late April. The first screen I tried failed. All I got was a blank screen. No error messages at all! We use this screen to login to the administrative side of our web site. It is a classic ASP page with HTML validation issues that was written long before I got here. I tried to quickly fix the HTML validation errors but ASP barfed up some cryptic error codes with the HTML fixes I tried. So I am leaving this nugget for next week while I work on the issues my boss is most concerned about. Since I am old, I have a few rules about computer programming maintenance that keep management happy with me.

  • Rule #1 – Don’t fix things that are not broken.
  • Rule #2 – Don’t fix things that they do not ask you to fix.

Until last week both of these rules applied.


My New Cell Phone is a Blackberry 8900

March 9th, 2009 · Mobility

A week ago my old cell phone, a Blackberry 7100, died. It would no longer boot. Although I was interested in the iPhone and Android the biggest features I use other than the phone features are the email and web browsing. After using the 7100 for several years the feature I yearned for more than anything else was a full keyboard. It is really painful to reply to email and surf the web without a full keyboard. The keyboard issue dropped the iPhone out of the mix. Of the phones with a full keyboard, the Blackberry 8900 was the safer choice for a Blackberry user. Due to contract complications that the store could not resolve, I had to order my phone directly from T-Mobile. So I put my SIM chip in an old Nokia I had forgotten to recycle and ran as a regular cell phone for a week. Last Friday I finally received the phone and synchronized it with Outlook. That was good timing since I had to make an unscheduled out of town trip on Saturday. My father died. He had been in the hospital for over a year battling MRSA. He won that battle with MRSA but he lost the war. This week the rest of his organs started failing. By the time I got on the road the diagnosis was that he would not see another sun rise. The hospital had given him a sedative to make him more comfortable. He died before I got there. When I got to my parents’ house my nephew was still trying to hack into my mom’s wireless router. She had recently gotten broadband access and did not remember anyone giving her the passphrase. I quickly read my email to make sure that nothing bad was happening and then got back to the real meaning of the trip.


Recovering from registry 51 error

March 3rd, 2009 · windows

For the last couple of months I have been trying to fix an old ThinkPad that failed on us. It was a low priority item but we were pretty sure we would need it fixed eventually. In an unfortunate sequence of events the battery ran down, the LCD failed, and the disk/registry got corrupted. Under most circumstances we would buy a new laptop and re-install the necessary programs. In this case we were pretty sure there were some custom programs on the laptop we would need in the future. I had a backup of the data but I did not have a plan for re-installing the custom programs. Frankly none of us knew what programs we needed to save.

With the beginning of the new year I was informed that one of the custom programs that existed only on the laptop was a custom interface to QuickBooks and a SQL database. It was used in reconciling annual inventory and we needed to reconcile the inventory for tax purposes. The Boss had been thinking ahead and bought an almost identical ThinkPad laptop off of eBay. The plan was to take the old disk drive and put it in the newly acquired laptop. So I made an image copy of the drive, inserted the drive into the laptop, and then booted the laptop. Within a short period of time I was looking at a BSOD, Registry Error. So I tried to repair the installation using the XP installation disk. I was surprised when it gave me a BSOD, too. Since re-installing the programs was an option we did not want to pursue at this time, I went searching for a way to repair the corrupted registry. I found this Microsoft Knowledge Base article, How to recover from a corrupted registry that prevents Windows XP from starting.

I had never seen this KB. Over the years I had almost no success going back to the last known good configuration so I was game. I followed the instructions and restored to an old system restore point. When I booted all of the installed programs worked as expected! This would have been the end to the story but after the laptop was running for a while I started getting BSODs with a PFN_LIST_CORRUPT error message. A quick search of the Internet said this error was frequently associated with memory errors so I booted off my copy of the Ultimate Boot CD for Windows and ran Memtest86. Sure enough, I got a bunch of memory error messages. I tried to swap out the memory but I kept getting memory error messages. This was not good! This laptop was bought to fix problems not replace old problems with new problems. In a strange turn of events I finally solved this problem by taking the drive out, putting it back into the old laptop, and hooking up a spare monitor to the laptop. It is not the way we wanted to run the system but it works. Hopefully we will finally migrate all of the important stuff off before we need to use it again.


NEC PCI to USB Open Host Controller – Everything USB Community

January 20th, 2009 · SBS2K-SBS2K3

I found myself troubleshooting a Verizon PC5470 wireless broadband issue today. This setup worked a couple of months ago when I last touched it. When my boss inserted the PC5470 card into his PC, the VZAccess Manager software could not talk to the card. We noticed that his PC would create two NEC PCI to USB Open Host Controllers when the card was inserted and the device manager showed that a Curitel modem was unknown. At the time I did not know what the Curitel modem was used for. When the card was installed on another PC only one NEC PCI to USB Open Host Controller was created and VZAccess manager was able to create a wireless broadband connection. After exhausting my troubleshooting tricks I found this conversation on the Internet, NEC PCI to USB Open Host Controller – Everything USB Community. Although my solution was different than their recommendation, their ideas helped lead me in the right direction. My solution was to uninstall both NEC PCI to USB Open Host Controllers and force Windows to re-install all of the drivers. Disabling or uninstalling one driver did not work for me. When I inserted the PC card, Windows proceeded to re-install the drivers as expected. First it installed two NEC PCI to USB drivers. Next it tried to install the Curitel modem driver. During this process the PC announced that it was disabling a hardware device. When the driver installation was complete the Device Manager showed that the second PCI to USB driver was disabled and the Curitel modem was installed and functioning. When I started the VZ Access manager it found the PC5470 and configured itself to use the Curitel modem. After a little bit more automatic updating by VZ Access manager, we were able to establish a wireless broadband connection. Whew!


Interesting Computer Problem

January 18th, 2009 · SBS2K-SBS2K3

When you are grateful you have a job you can’t be picky about the applications you support. This week I spent a lot of time on one of my least favorite applications, credit card processing. To give you a little background I was not employed at the firm when it was originally installed in 2007 so almost everything I hear is secondhand. The application is pretty simple and it runs on its own computer. It downloads credit card orders from our orders data base, transfers the authorizations over to the bank, and then updates the orders data base. Despite its relative simplicity I hear that the application was a painful install with lots of support issues. The folks before me got it to work and it seemed to be working okay until the middle of 2008. That was when intermittent response time problems started to crop up. Attempts at technical support led us down that primrose path again without success. The folks in technical support recommended we re-install the software but they really did not have an explanation for our response time issue. The statement that sent us in a completely different direction was when they said that our transaction volume was too large for their application. Our bank took that statement back a week later but the damage was done. The bank and the credit card processing application were going to be replaced.

This fun and games started when the credit card processing computer rebooted after the “Patch Tuesday” updates. It came up okay but it was coming up with strange errors during credit card processing. At first we could not process any credit cards but we finally got the cards processed. Since it was “working” I did not look at the problem until Friday. That was when I found out that the problems had continued on every morning and it had reached the critical stage. After spending three hours of “quality time” with an upset user (my boss) getting the credit cards processed, I was convinced that there was more to this problem than “Patch Tuesday” problems and I was determined to fix the problem today.

It did not take too long before I found a disk corruption problem. It looked like DISKCHK might fix the problem so I needed credit card processing folks to complete the end of day tasks so I could take an immediate backup and reboot. So at 5:30 pm on a Friday evening we rebooted. The computer would not reboot. I tried safe mode and it would not reboot. I tried to boot from a CDROM and it would not reboot. I called the boss to let him know. He said he would meet at the office on Saturday morning. This had a really good chance of being a super catastrophe. Oh well! There goes my weekend!

On Saturday it took us about an hour to identify the problems. The boss actually found the problem. I heard an unusual spin up sound on either the disk drive or a fan. My little power supply tester showed we were missing –5v. I installed a new power supply and now we could boot off of the CDROM. Unfortunately now that we could boot up properly we could confirm that the disk drive was trashed. So I installed a new drive. About two hours later I had completed re-installing the operating system and the application from my backup. An hour of testing confirmed that we would be able to process credit cards on Monday and the business would continue for another week. This is probably the first time I have seen a double failure on a PC.


Christmas WordPress Theme For Free Download | Freebies | Smashing Magazine

December 29th, 2008 · CSS/WebDesign

We may be a little bit late to the Christmas party, but late is usually better than never. In this post we release a very compact, magazine-like theme designed especially for events such as Christmas. We hope that the theme may be useful not only for this Christmas, but can also be used in general, for various purposes. This theme was designed by InstantShift as an exclusive Christmas gift for Smashing Magazine readers.

Christmas WordPress Theme For Free Download | Freebies | Smashing Magazine

A big thanks to the folks at Smashing Magazine and InstantShift for offering a free Christmas theme. The festive mood of the theme motivated me to embark on a web site conversion over the weekend. I had been meaning to switch our farm web site, www.legacyfarmltd.com, from phpWebsite to WordPress for several months but I always found a reason to not work on it. Installing WordPress 2.7 and the Christmas theme was almost effortless compared to the process of duplicating old posts and pages. It was nice that they included the PSD for the logo. I cranked up my portable copy of GIMP and after a few minutes of re-learning GIMP/PhotoShop I had a custom logo that fit the Christmas theme. Although I will have to change the theme in the next few weeks since Christmas is over, the theme layout and fonts look like a good base to work from.


Oops! Could not start error

December 3rd, 2008 · SBS2K-SBS2K3

I had not looked at or touched my “dogfood” server in a long time. It appeared to be happily doing its thing. Appearances can be deceiving. I found that my scheduled jobs were not running according to the schedule. I had about a dozen jobs with the “Could not start error” message. What a mess! I am not sure how this happened but the fix is easy. Just enter the password again!

How to troubleshoot scheduled tasks in Windows XP and in Windows Server 2003


Disabling Weak Ciphers

November 23rd, 2008 · SBS2K-SBS2K3, Security

This week I disabled weak ciphers on our production web server. This vulnerability was escalated again this last week. This vulnerability exists when your server allows communication using SSL version 2. Less than six months ago it was identified and classified as a low risk. SSLV2 is obsolete and is not available in some of the newer browsers. Most new browsers use SSLV3 by default and it is my best guess that no customer is using SSLV2. A quick survey showed that most of the major ecommerce sites do not allow SSLV2. Despite the survey, my boss was reluctant to turn off SSLV2. That was solved when the PCI folks mandated that SSLV2 should not be allowed. This may sound cruel but if a customer is using a really old browser that only supports SSLV2, they must update to a new browser if they want to buy stuff off of the Internet. That is just the way it is.

Here is a good resource describing the problem and how to harden a variety of web servers, “WebApp Sec: RE: SSL Ciphers”. Since I was primarily interested in IIS I used “How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll” and created a registry file to apply the changes. Here is the registry file I used. It works with all of the browsers I test with. Both Foundstone SSL Digger and our PCI scan folks like the results.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
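
To confirm that a server actually carries these settings, one option is to export the SCHANNEL key with regedit and audit the export. The script below is an added example, not part of the original post: it parses REGEDIT4 text and reports every cipher or protocol subkey from the file above that is not explicitly set to Enabled=0. The function names and the sample export are constructed for illustration.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
# Subkeys that the post's registry file sets to Enabled=0.
MUST_BE_DISABLED = [
    r"Ciphers\DES 56/56", r"Ciphers\NULL", r"Ciphers\RC2 128/128",
    r"Ciphers\RC2 40/128", r"Ciphers\RC2 56/128", r"Ciphers\RC4 40/128",
    r"Ciphers\RC4 56/128", r"Protocols\PCT 1.0\Client", r"Protocols\PCT 1.0\Server",
    r"Protocols\SSL 2.0\Client", r"Protocols\SSL 2.0\Server",
]

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: int}} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry paths are case-insensitive, so normalise them.
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return [(subkey, reason)] for every entry that is not explicitly disabled."""
    keys = parse_reg(text)
    findings = []
    for sub in MUST_BE_DISABLED:
        values = keys.get((BASE + "\\" + sub).lower())
        if values is None or "enabled" not in values:
            findings.append((sub, "not set, OS default applies"))
        elif values["enabled"] != 0:
            findings.append((sub, "Enabled=0x%08x" % values["enabled"]))
    return findings

# Constructed sample export: SSL 2.0 server side left on, most entries absent.
SAMPLE = "\n".join([
    "REGEDIT4", "",
    "[" + BASE + r"\Protocols\SSL 2.0\Client]", '"Enabled"=dword:00000000', "",
    "[" + BASE + r"\Protocols\SSL 2.0\Server]", '"Enabled"=dword:00000001', "",
    "[" + BASE + r"\Ciphers\NULL]", '"Enabled"=dword:00000000', "",
])

if __name__ == "__main__":
    for sub, reason in audit(SAMPLE):
        print("%-28s %s" % (sub, reason))
```

An empty result means every entry from the registry file is present and disabled. The parser expects the REGEDIT4 (ANSI) export format used above.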
