On May 31, 2020 6:36:52 AM GMT+02:00, Mark Constable <[email protected]> wrote:
>I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f.
>
>A few months ago there was an update to all these systems and since
>then I've had to talk W7 and old Mac clients through disabling ports
>993/995 with TLS enabled back to ports 143/110 without SSL or they
>could not pick up email. Thunderbird users (ie; me) were unaffected.
>
>Could anyone share a set of port 993/995 SSL settings known to work
>with Windows 7 and Outlook 16 using "dovecot -n|grep ^ssl_" please?
The best would be to upgrade your clients to a more current OS that supports
those ciphers or change the mail client to something that ships its own
SSL/TLS implementation like Thunderbird.
I would under no circumstances allow access without TLS.
You could also switch back to an older version of Ubuntu / openssl which in
turn would allow the old clients to use SSL/TLS again.
This would allow for an extended time period getting those clients to upgrade
their OS.
>Mine is currently...
>
>ssl_ca = </etc/ssl/certs/ca-certificates.crt
>ssl_cert = </etc/ssl/example.com/fullchain.pem
>ssl_dh = # hidden, use -P to show it
>ssl_key = # hidden, use -P to show it
>ssl_options = no_compression no_ticket
>ssl_prefer_server_ciphers = yes
>
>I have commented out ssl_cipher_list, ssl_min_protocol and others to
>get back to whatever the defaults are so I am not simply guessing what
>the optimal settings would be to cover Win7 and up.
Nevertheless you're up to a good amount of work. For Win7 I found this [1],
which links to MSDN [2], where it states:
TLS 1.1 & TLS 1.2 are enabled by default on post Windows 8.1 releases. Prior to
that they were disabled by default. So the administrators have to enable the
settings manually via the registry. Refer to this article on how to enable these
protocols via registry: https://support.Microsoft.com/en-us/kb/187498
I haven't tested this as I don't have a Win7 installation available.
>Yes I know Win7 is no longer supported but that does not help the 100s
>of older users I have that can't/won't upgrade their computers.
There will probably be more problems relating to old OS and unsupported SSL/TLS
versions in the future.
Good luck.
[1] https://support.globalsign.com/ssl/general-ssl/tls-protocol-compatibility
[2] https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/
--
Christian Kivalo
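The registry change the quoted MSDN text refers to, as an added example that is not part of the thread above and not Dovecot's or Microsoft's own code. It enables the TLS 1.1 and TLS 1.2 client side of SCHANNEL on Windows 7 so that Outlook can reach an IMAPS/POP3S server that no longer accepts TLS 1.0. The key paths and value names (Protocols\<version>\Client with Enabled and DisabledByDefault DWORDs) are the standard SCHANNEL ones and are assumed from Microsoft's SCHANNEL documentation rather than taken from the page; the function names are this example's own.

```powershell
# Added example (not from the thread): enable TLS 1.1 and TLS 1.2 client
# support in SCHANNEL on Windows 7 through the registry, as the quoted
# MSDN guidance describes. Run from an elevated PowerShell prompt; SCHANNEL
# only reloads the protocol settings after a reboot.
# Key paths and value names (assumed from Microsoft's SCHANNEL docs, not
# from the original page): Protocols\<version>\Client with DWORDs
# Enabled=1 and DisabledByDefault=0.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelClientState {
    # Report the current client-side state of one protocol version.
    param([string]$Protocol)
    $path = Join-Path $base "$Protocol\Client"
    if (-not (Test-Path $path)) { return 'absent (OS default applies)' }
    $props = Get-ItemProperty -Path $path
    return ("Enabled={0} DisabledByDefault={1}" -f $props.Enabled, $props.DisabledByDefault)
}

function Enable-SchannelClientProtocol {
    # Create the Client subkey if missing and set both DWORDs so that the
    # version is enabled and offered by default in outgoing handshakes.
    param([string]$Protocol)
    $path = Join-Path $base "$Protocol\Client"
    # A stock Windows 7 has no Protocols\TLS 1.x keys at all; -Force creates
    # the intermediate keys as needed.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
}

foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
    Write-Host ("{0} before: {1}" -f $proto, (Get-SchannelClientState $proto))
    Enable-SchannelClientProtocol $proto
    Write-Host ("{0} after:  {1}" -f $proto, (Get-SchannelClientState $proto))
}
Write-Host 'Reboot for SCHANNEL to pick up the new protocol settings.'
```

Only the Client subkeys are touched; the Server subkeys govern inbound connections to the Windows machine and are irrelevant for a mail client. Windows 7 SP1 implements TLS 1.1 and 1.2 in SCHANNEL but ships with them disabled, which is why the values are needed at all. After the reboot, the server side can confirm the handshake now succeeds at the intended version with `openssl s_client -tls1_2 -connect mail.example.com:993` from any machine, which lets the administrator keep TLS 1.0 off on Dovecot rather than downgrading the server's OpenSSL as the reply above considers.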