Hi - are there any suggestions on how to resolve this issue.
We're seeing more and more Outlook email client users complaining that
they're no longer connecting to QMT7 IMAP to receive their mail. This
seems to have happened as a result of a recent Windows update.
On 10/13/2022 1:12 PM, Jeff Koch wrote:
Running the following command against our QMT mailservers shows:
openssl s_client -showcerts -connect mailserver.com:993
No ALPN negotiated
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 52 39 f4 5c cc 71 71 4c-25 19 11 9a 4f 4e 71 e8
0010 - d9 73 a6 0d 40 14 5a 52-d3 92 14 35 8e 7e 4b 0f
I think this would indicate that our Dovecot IMAP supports TLSv1.2 and
should work with the Outlook updates. Am I missing something?
On 10/13/2022 12:27 PM, Quinn Comendant wrote:
The Windows system update on October 11, 2021 included a change to
disable TLS 1.0 and 1.1 by default.
* Windows blog post: Plan for change: TLS 1.0 and TLS 1.1 soon to
be disabled by default
* Windows support article: KB5017811—Manage Transport Layer
Security (TLS) 1.0 and 1.1 after default behavior change on
September 20, 2022
* Blog post: Windows 10: Beware of a possible TLS disaster on
October 2022 patchday
Our QMT v1.3 system with this issue does support TLS 1.2 for smtp and
submission, but Courier IMAP only supports up to TLS 1.0. Results via
smtp and submission
|SSLv2 not offered (OK) SSLv3 offered (NOT ok) TLS 1 offered
(deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS
1.3 not offered and downgraded to a weaker protocol |
|SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered
(deprecated) TLS 1.1 not offered TLS 1.2 not offered and downgraded
to a weaker protocol TLS 1.3 not offered and downgraded to a weaker
protocol NPN/SPDY not offered ALPN/HTTP2 not offered |
Because the error should only occur when TLS 1.2 is not available, I
think the |Ox800CCC1A| in Outlook occurs when doing an IMAP transaction.
started by Janno Sannik a couple years ago contains some hints how to
upgrade or replace Courier for better TLS support.