Hi - are there any suggestions on how to resolve this issue?

We're seeing more and more Outlook email client users complaining that they're no longer connecting to QMT7 IMAP to receive their mail.  This seems to have happened as a result of a recent Windows update.

Jeff Koch


On 10/13/2022 1:12 PM, Jeff Koch wrote:
Running the following command against our QMT mailservers shows:

openssl s_client -showcerts -connect mailserver.com:993

------------------------------
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7DF738EE6BD9096B6CAE8047C4FBE4A980227BBBA7BBCD940BCE1BC4CE5ABA17
    Session-ID-ctx:
    Master-Key: 42D30E9F7D9185EC883D188F298901335359D2298CDD74D93CE83C0EDA8478E331F2E9C57F70CBED7F8963C0B866D874
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 52 39 f4 5c cc 71 71 4c-25 19 11 9a 4f 4e 71 e8 R9.\.qqL%...ONq.
    0010 - d9 73 a6 0d 40 14 5a 52-d3 92 14 35 8e 7e 4b 0f .s..@.ZR...5.~K.
----------------------------------

I think this would indicate that our Dovecot IMAP supports TLSv1.2 and should work with the Outlook updates. Am I missing something?

Jeff




On 10/13/2022 12:27 PM, Quinn Comendant wrote:

The Windows system update on October 11, 2021 included a change to disable TLS 1.0 and 1.1 by default.

  * Windows blog post: Plan for change: TLS 1.0 and TLS 1.1 soon to be disabled by default
    <https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/>
  * Windows support article: KB5017811—Manage Transport Layer Security (TLS) 1.0 and 1.1 after default behavior change on September 20, 2022
    <https://support.microsoft.com/en-us/topic/kb5017811-manage-transport-layer-security-tls-1-0-and-1-1-after-default-behavior-change-on-september-20-2022-e95b1b47-9c7c-4d64-9baf-610604a64c3e>
  * Blog post: Windows 10: Beware of a possible TLS disaster on October 2022 patchday
    <https://borncity.com/win/2022/10/11/windows-10-achtung-vor-einem-mglichen-tls-desaster-zum-oktober-2022-patchday/>

Our QMT v1.3 system with this issue does support TLS 1.2 for smtp and submission, but Courier IMAP only supports up to TLS 1.0. Results via testssl.sh:


    smtp and submission

    SSLv2      not offered (OK)
    SSLv3      offered (NOT ok)
    TLS 1      offered (deprecated)
    TLS 1.1    offered (deprecated)
    TLS 1.2    offered (OK)
    TLS 1.3    not offered and downgraded to a weaker protocol


    imap

    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered (deprecated)
    TLS 1.1    not offered
    TLS 1.2    not offered and downgraded to a weaker protocol
    TLS 1.3    not offered and downgraded to a weaker protocol
    NPN/SPDY   not offered
    ALPN/HTTP2 not offered

Because the error should only occur when TLS 1.2 is not available, I think the |Ox800CCC1A| in Outlook occurs when doing an IMAP transaction.

This thread <https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg43073.html> started by Janno Sannik a couple years ago contains some hints on how to upgrade or replace Courier for better TLS support.

Quinn
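
An added example, not part of the thread and not written by either poster: a Python check that reads the protocol summary testssl.sh prints (as quoted above) and reports whether a client with TLS 1.0 and 1.1 disabled can still negotiate a session with that service. The function names are hypothetical and the two samples are constructed from the results quoted in the message.

```python
import re

# Protocol labels as they appear in the testssl.sh protocol summary.
PROTOCOLS = ["SSLv2", "SSLv3", "TLS 1", "TLS 1.1", "TLS 1.2", "TLS 1.3"]
# Versions a client still negotiates once TLS 1.0 and 1.1 are disabled by default.
MODERN = {"TLS 1.2", "TLS 1.3"}
# Longest labels first, so "TLS 1.1" is never read as "TLS 1".
_LABEL = "|".join(re.escape(p) for p in sorted(PROTOCOLS, key=len, reverse=True))
_ENTRY = re.compile(rf"({_LABEL})\s+(not offered|offered)")

# Constructed samples, copied from the testssl.sh results quoted in the message.
SMTP_SAMPLE = """
SSLv2      not offered (OK)
SSLv3      offered (NOT ok)
TLS 1      offered (deprecated)
TLS 1.1    offered (deprecated)
TLS 1.2    offered (OK)
TLS 1.3    not offered and downgraded to a weaker protocol
"""
IMAP_SAMPLE = """
SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      offered (deprecated)
TLS 1.1    not offered
TLS 1.2    not offered and downgraded to a weaker protocol
TLS 1.3    not offered and downgraded to a weaker protocol
"""

def offered_protocols(testssl_text):
    """Return the set of protocol labels the summary marks as offered."""
    entries = _ENTRY.findall(testssl_text)
    if not entries:
        raise ValueError("no testssl.sh protocol lines found in input")
    return {label for label, status in entries if status == "offered"}

def assess(testssl_text):
    """Summarise what the listener offers and whether a TLS 1.2+ client can connect."""
    offered = offered_protocols(testssl_text)
    return {
        "offered": sorted(offered),
        "modern_client_ok": bool(offered & MODERN),
        "legacy_enabled": sorted(offered - MODERN),
    }

if __name__ == "__main__":
    for name, sample in (("smtp/submission", SMTP_SAMPLE), ("imap", IMAP_SAMPLE)):
        print(name, assess(sample))
```

The parser also accepts the summary flattened onto one line, and raises `ValueError` when given text with no protocol lines, such as raw `openssl s_client` output.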

