Hi - are there any suggestions on how to resolve this issue.

We're seeing more and more Outlook email client users complaining that they're no longer connecting to QMT7 IMAP to receive their mail.  This seems to have happened as a result of a recent Windows update.

Jeff Koch

On 10/13/2022 1:12 PM, Jeff Koch wrote:
Running the following command against our QMT mailservers shows:

openssl s_client -showcerts -connect mailserver.com:993

No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7DF738EE6BD9096B6CAE8047C4FBE4A980227BBBA7BBCD940BCE1BC4CE5ABA17
    Master-Key: 42D30E9F7D9185EC883D188F298901335359D2298CDD74D93CE83C0EDA8478E331F2E9C57F70CBED7F8963C0B866D874
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 52 39 f4 5c cc 71 71 4c-25 19 11 9a 4f 4e 71 e8 R9.\.qqL%...ONq.     0010 - d9 73 a6 0d 40 14 5a 52-d3 92 14 35 8e 7e 4b 0f .s..@.ZR...5.~K.

I think this would indicate that our Dovecot IMAP supports TLSv1.2 and should work with the Outlook updates. Am I missing something?


On 10/13/2022 12:27 PM, Quinn Comendant wrote:

The Windows system update on October 11, 2021 included a change to disable TLS 1.0 and 1.1 by default.

  * Windows blog post: Plan for change: TLS 1.0 and TLS 1.1 soon to
    be disabled by default
  * Windows support article: KB5017811—Manage Transport Layer
    Security (TLS) 1.0 and 1.1 after default behavior change on
    September 20, 2022
  * Blog post: Windows 10: Beware of a possible TLS disaster on
    October 2022 patchday

Our QMT v1.3 system with this issue does support TLS 1.2 for smtp and submission, but Courier IMAP only supports up to TLS 1.0. Results via testssl.sh:

    smtp and submission

|SSLv2 not offered (OK) SSLv3 offered (NOT ok) TLS 1 offered (deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 1.3 not offered and downgraded to a weaker protocol |


|SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered (deprecated) TLS 1.1 not offered TLS 1.2 not offered and downgraded to a weaker protocol TLS 1.3 not offered and downgraded to a weaker protocol NPN/SPDY not offered ALPN/HTTP2 not offered |

Because the error should only occur when TLS 1.2 is not available, I think the |Ox800CCC1A| in Outlook occurs when doing an IMAP transaction.

This thread <https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg43073.html> started by Janno Sannik a couple years ago contains some hints how to upgrade or replace Courier for better TLS support.


Reply via email to