Running the following command against our QMT mailservers shows:
openssl s_client -showcerts -connect mailserver.com:993
------------------------------
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
7DF738EE6BD9096B6CAE8047C4FBE4A980227BBBA7BBCD940BCE1BC4CE5ABA17
Session-ID-ctx:
Master-Key:
42D30E9F7D9185EC883D188F298901335359D2298CDD74D93CE83C0EDA8478E331F2E9C57F70CBED7F8963C0B866D874
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 52 39 f4 5c cc 71 71 4c-25 19 11 9a 4f 4e 71 e8 R9.\.qqL%...ONq.
0010 - d9 73 a6 0d 40 14 5a 52-d3 92 14 35 8e 7e 4b 0f .s..@.ZR...5.~K.
----------------------------------
I think this would indicate that our Dovecot IMAP supports TLSv1.2 and
should work with the Outlook updates. Am I missing something?
Jeff
On 10/13/2022 12:27 PM, Quinn Comendant wrote:
The Windows system update on October 11, 2021 included a change to
disable TLS 1.0 and 1.1 by default.
* Windows blog post: Plan for change: TLS 1.0 and TLS 1.1 soon to be
disabled by default
<https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/>
* Windows support article: KB5017811—Manage Transport Layer Security
(TLS) 1.0 and 1.1 after default behavior change on September 20,
2022
<https://support.microsoft.com/en-us/topic/kb5017811-manage-transport-layer-security-tls-1-0-and-1-1-after-default-behavior-change-on-september-20-2022-e95b1b47-9c7c-4d64-9baf-610604a64c3e>
* Blog post: Windows 10: Beware of a possible TLS disaster on
October 2022 patchday
<https://borncity.com/win/2022/10/11/windows-10-achtung-vor-einem-mglichen-tls-desaster-zum-oktober-2022-patchday/>
Our QMT v1.3 system with this issue does support TLS 1.2 for smtp and
submission, but Courier IMAP only supports up to TLS 1.0. Results via
testssl.sh:
smtp and submission
    SSLv2      not offered (OK)
    SSLv3      offered (NOT ok)
    TLS 1      offered (deprecated)
    TLS 1.1    offered (deprecated)
    TLS 1.2    offered (OK)
    TLS 1.3    not offered and downgraded to a weaker protocol
imap
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered (deprecated)
    TLS 1.1    not offered
    TLS 1.2    not offered and downgraded to a weaker protocol
    TLS 1.3    not offered and downgraded to a weaker protocol
    NPN/SPDY   not offered
    ALPN/HTTP2 not offered
Because the error should only occur when TLS 1.2 is not available, I
think the 0x800CCC1A in Outlook occurs when doing an IMAP transaction.
This thread
<https://www.mail-archive.com/[email protected]/msg43073.html>
started by Janno Sannik a couple years ago contains some hints how to
upgrade or replace Courier for better TLS support.
Quinn
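Jeff's single "openssl s_client" run above only shows the version the server picks by default; Quinn's testssl.sh results are per version. The script below, an added example that is not part of the thread and not QmailToaster's own tooling, does the per-version check with the same openssl s_client, one connection per protocol flag (-tls1, -tls1_1, -tls1_2, -tls1_3), so a Courier or Dovecot IMAP port can be checked the way testssl.sh reports it. It assumes an OpenSSL 1.1.x or newer s_client whose SSL-Session block prints "Protocol :" and "Cipher :" lines and reports Cipher 0000 when the handshake failed; the host name, port and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the list thread): enumerate which TLS versions a
# mail port will really negotiate, using openssl s_client once per version.
# Assumption: s_client prints an SSL-Session block with "Protocol :" and
# "Cipher :" lines, and prints Cipher 0000 when the handshake failed.

# Read s_client output on stdin and print "<protocol> <cipher>" from the
# SSL-Session block, or "none 0000" when no block was printed at all.
session_summary() {
    awk '
        /^ *Protocol *:/ { sub(/^[^:]*: */, ""); proto = $1 }
        /^ *Cipher *:/   { sub(/^[^:]*: */, ""); cipher = $1 }
        END {
            if (proto == "")  proto = "none"
            if (cipher == "") cipher = "0000"
            print proto, cipher
        }'
}

# Classify one summary line: a real session has a cipher other than 0000.
# Prints "offered" or "not offered".
classify() {
    case "${1#* }" in
        0000|"") echo "not offered" ;;
        *)       echo "offered" ;;
    esac
}

# Probe one version. $1 host, $2 port, $3 s_client version flag,
# $4 optional STARTTLS protocol (e.g. "smtp" for port 587, "imap" for 143).
# Prints e.g. "-tls1_2  offered (TLSv1.2)".
probe_version() {
    host=$1 port=$2 flag=$3 starttls=${4-}
    if [ -n "$starttls" ]; then
        set -- openssl s_client -connect "$host:$port" -starttls "$starttls" "$flag"
    else
        set -- openssl s_client -connect "$host:$port" "$flag"
    fi
    summary=$("$@" </dev/null 2>/dev/null | session_summary)
    printf '%-8s %s (%s)\n' "$flag" "$(classify "$summary")" "${summary%% *}"
}

# Walk every version flag against one endpoint; older builds may lack -tls1_3.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe_version "$1" "$2" "$flag" "${3-}"
    done
}

# Constructed sample output in the shape s_client prints (values made up),
# used to exercise the parser without a network connection.
SAMPLE_OK='No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 00
    Master-Key: 00'

SAMPLE_FAIL='SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Master-Key:'

# Usage: ./tlsprobe.sh --probe mailserver.example 993
#        ./tlsprobe.sh --probe mailserver.example 587 smtp
if [ "${1-}" = "--probe" ] && [ $# -ge 3 ]; then
    probe_all "$2" "$3" "${4-}"
fi
```

A port that answers "offered" only for -tls1 is the Courier situation Quinn describes; the Outlook clients in question need at least one "offered" line for -tls1_2 or -tls1_3. The parser keys on the cipher rather than the protocol line because s_client still prints the requested protocol name in the session block when the handshake is refused.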