Using TLS 1.2 with Legacy versions of SpamSentinel on Windows 2003

Created by Daniel Calkin, Modified on Tue, 6 May at 3:39 AM by Daniel Calkin

Problem

Configure additional local software so that a server can make TLS 1.2 connections to SpamSentinel's Cloud Engines even when it runs on an operating system, such as Windows 2003, that does not natively support TLS 1.2.


Background Information

A modern SpamSentinel for Domino installation includes two Windows services, named SpamSentinel Duo 1 and SpamSentinel Duo 2, which handle much of the anti-spam and anti-virus scanning of mail messages.  The current versions of these services cannot run on Windows 2003, Windows XP or any 32-bit Windows system.  For customers who install SpamSentinel on such systems, the installer configures SpamSentinel not to deploy local copies of these services.  Instead, SpamSentinel is configured to connect via HTTPS to cloud-based copies of these processes, which are hosted on the Microsoft Azure platform.  We refer to these as the 'SpamSentinel Cloud Engines'.


As of August 31, 2025, Microsoft Azure will stop supporting HTTPS connections that attempt to use a protocol version lower than TLS 1.2.


Solution

There may be more elegant ways to solve this problem depending on your technical expertise and what other systems may be in your environment.  We have documented here one possible solution which can be used as-is or with additional configuration as desired for your environment.  This can also be used as a guide to better understand the problem if you decide not to use this solution and pursue an alternative.


Our approach is to use stunnel which is a free application that has been around for many years and is widely trusted.


1.  Download the Stunnel 32-bit or 64-bit installer.  


You may need to use an older version depending on your system.  We chose Version 5.44 32-bit, which can be downloaded here:  https://www.stunnel.org/archive/5.x/stunnel-5.44-win32-installer.exe


2.  Install the software and configure as appropriate for your environment. 


In our test case we installed stunnel directly onto the Windows server hosting Domino.  We used a very minimal set of configuration file contents which you can copy and paste to try for yourself.


IMPORTANT NOTE about our example:

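The line below should be set to a port not being used by anything else on your server.  Use your chosen port number throughout all the steps of this process.  Keep the 127.0.0.1 address: traffic between SpamSentinel and stunnel on this port is unencrypted HTTP, so the listener should be reachable only from the server itself.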

accept = 127.0.0.1:8081


stunnel.conf

; Debugging stuff (may be useful for troubleshooting)
;debug = info
;output = stunnel.log


; Service section
[http-to-https]
client = yes
accept = 127.0.0.1:8081
connect = sscgw.maysoft.us:443

sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1


NOTE: When we were first configuring the application, we un-commented the 'debug' line and set it to debug = 7 so we could better understand what the application was doing.
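
stunnel in client mode does not verify the server certificate unless it is told to, and the configuration above sets none of verifyChain, CAfile or checkHost, so the tunnel encrypts traffic without confirming that the far end really is sscgw.maysoft.us. The script below is an added example, not part of the original article or of stunnel: it audits a stunnel.conf for that gap and for the loopback and protocol settings this article relies on. The function names parse and audit are this example's own, and it assumes that options placed before the first section act as defaults for every service.

```python
import ipaddress

# The article's service section, embedded so the audit runs offline.
ARTICLE_CONF = """\
[http-to-https]
client = yes
accept = 127.0.0.1:8081
connect = sscgw.maysoft.us:443
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
"""

def parse(text):
    """Return {section: {option: last value}}; "" holds pre-section options."""
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return (service, finding) pairs for every client-mode service."""
    sections = parse(text)
    defaults = sections.pop("")
    findings = []
    for name, section in sections.items():
        opts = {**defaults, **section}
        if opts.get("client", "no").lower() != "yes":
            continue  # server-mode services are out of scope here
        host = opts.get("accept", "").rpartition(":")[0]  # "" when only a port is given
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = host.lower() == "localhost"
        if not loopback:
            findings.append((name, "plaintext listener is not loopback-only"))
        if opts.get("verifychain", "no").lower() != "yes" or not (
                opts.get("cafile") or opts.get("capath")):
            findings.append((name, "certificate chain not verified: set verifyChain and CAfile"))
        if not opts.get("checkhost"):
            findings.append((name, "certificate name not checked: set checkHost"))
        if opts.get("sslversion") != "TLSv1.2":
            findings.append((name, "protocol not pinned: set sslVersion = TLSv1.2"))
    return findings
```

Run against the article's configuration, audit() reports the two certificate findings; adding verifyChain = yes, a CAfile pointing at a CA bundle that covers the server's issuer, and checkHost = sscgw.maysoft.us to the service section clears them.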


To test stunnel before installing it as a service, we recommend you launch the executable stunnel.exe as a foreground application.  This will allow you to see the console log data in real time and also check your configuration for errors.  Use the 'Configuration / Reload configuration' menu item if you make any changes to stunnel.conf.


Once you have the software up and running with the desired configuration, you can test to make sure it is effective by opening the local web browser on the server and navigating to:

http://127.0.0.1:8081


This should take you to a generic Microsoft IIS server welcome page.   If you see this, then you should be ready to continue.  If not, check your stunnel configuration, your networking configuration, firewalls or anything  else which might be interfering with the connection.



If you have the console open you will see activity (more or less depending on the debug level) showing that the local HTTP browser connection was successfully reverse-proxied to the destination website using HTTPS on port 443.



Once you are certain your stunnel configuration is working you should install it as a Windows service if you haven't done so already.  Installing/uninstalling can be done from the command line:

stunnel.exe -install

stunnel.exe -uninstall


3.  Reconfigure SpamSentinel


Open the SpamSentinel Administration database and edit the Server Configuration document for your Domino server.


Go to the tab 'Advanced' then open the sub-tab 'Port Options'


Replace the value in the fields 'Engine Full URL #1' and 'Engine Full URL2' 

Old value:  https://sscgw.maysoft.us/SpamSentinelCloud/api/scanj

New value: http://127.0.0.1:8081/SpamSentinelCloud/api/scanj



Save the server configuration document.  Send a test message to a Notes account from an external source such as Gmail, Yahoo, etc. to ensure that mail is getting scanned and delivered.



