Re: [qmailtoaster] Outlook users can't connect to QMT7 IMAP after Windows update

2022-10-14 Thread Tonix
Is there any antivirus on Windows machines intercepting connections and 
giving services to Outlook using the old protocol?


Try to disable antivirus on one client.

Tonino

On 14/10/2022 18:16, Jeff Koch wrote:

Hi - are there any suggestions on how to resolve this issue?

We're seeing more and more Outlook email client users complaining that 
they're no longer connecting to QMT7 IMAP to receive their mail.  This 
seems to have happened as a result of a recent Windows update.


Jeff Koch


On 10/13/2022 1:12 PM, Jeff Koch wrote:

Running the following command against our QMT mailservers shows:

openssl s_client -showcerts -connect mailserver.com:993

--
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7DF738EE6BD9096B6CAE8047C4FBE4A980227BBBA7BBCD940BCE1BC4CE5ABA17
    Session-ID-ctx:
    Master-Key: 42D30E9F7D9185EC883D188F298901335359D2298CDD74D93CE83C0EDA8478E331F2E9C57F70CBED7F8963C0B866D874
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
     - 52 39 f4 5c cc 71 71 4c-25 19 11 9a 4f 4e 71 e8   R9.\.qqL%...ONq.
    0010 - d9 73 a6 0d 40 14 5a 52-d3 92 14 35 8e 7e 4b 0f   .s..@.ZR...5.~K.

--

I think this would indicate that our Dovecot IMAP supports TLSv1.2 
and should work with the Outlook updates. Am I missing something?


Jeff




On 10/13/2022 12:27 PM, Quinn Comendant wrote:


The Windows system update on October 11, 2021 included a change to 
disable TLS 1.0 and 1.1 by default.


  * Windows blog post: Plan for change: TLS 1.0 and TLS 1.1 soon to
be disabled by default


  * Windows support article: KB5017811—Manage Transport Layer
Security (TLS) 1.0 and 1.1 after default behavior change on
September 20, 2022


  * Blog post: Windows 10: Beware of a possible TLS disaster on
October 2022 patchday



Our QMT v1.3 system with this issue does support TLS 1.2 for smtp 
and submission, but Courier IMAP only supports up to TLS 1.0. 
Results via testssl.sh:



smtp and submission

SSLv2      not offered (OK)
SSLv3      offered (NOT ok)
TLS 1      offered (deprecated)
TLS 1.1    offered (deprecated)
TLS 1.2    offered (OK)
TLS 1.3    not offered and downgraded to a weaker protocol



imap

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      offered (deprecated)
TLS 1.1    not offered
TLS 1.2    not offered and downgraded to a weaker protocol
TLS 1.3    not offered and downgraded to a weaker protocol
NPN/SPDY   not offered
ALPN/HTTP2 not offered


Because the error should only occur when TLS 1.2 is not available, I 
think the 0x800CCC1A in Outlook occurs when doing an IMAP transaction.


This thread started by Janno Sannik a couple years ago contains some hints how 
to upgrade or replace Courier for better TLS support.


Quinn
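
The check discussed in this thread, as an added example that is not part of any poster's message: a shell script that tries each TLS version separately and ignores sessions where no cipher was negotiated. It goes beyond the thread by also probing STARTTLS on port 143; the host argument and the function names `handshake_result`, `meets_windows_default`, `probe` and `sample_failed` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): per-version TLS check of IMAP listeners.

# Reduce `openssl s_client` output on stdin to "<protocol> <cipher>", or "none".
# s_client prints a Protocol line even when the handshake fails, so a session
# only counts when a real cipher was negotiated (not 0000 or (NONE)).
handshake_result() {
    awk '{ sub(/\r$/, "") }
         /^ *Protocol *:/ { proto = $NF }
         /^ *Cipher *:/   { cipher = $NF }
         END {
             if (proto == "" || cipher == "" || cipher == "0000" || cipher == "(NONE)")
                 print "none"
             else
                 print proto, cipher
         }'
}

# Succeeds only for protocol versions that stay enabled after the Windows
# change discussed in the thread (TLS 1.0 and 1.1 disabled by default).
meets_windows_default() {
    case "$1" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Probe implicit TLS on 993 and STARTTLS on 143, one protocol version at a time.
# Needs network access; flags the local openssl does not support report "none".
probe() {
    host=$1
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client "-$flag" -connect "$host:993" </dev/null 2>/dev/null | handshake_result)
        meets_windows_default "${result%% *}" && result="$result  <- TLS 1.2+"
        printf '993 imaps     %-7s %s\n' "$flag" "$result"
        result=$(openssl s_client "-$flag" -starttls imap -connect "$host:143" </dev/null 2>/dev/null | handshake_result)
        meets_windows_default "${result%% *}" && result="$result  <- TLS 1.2+"
        printf '143 starttls  %-7s %s\n' "$flag" "$result"
    done
}

# Constructed sample: the session block a failed handshake leaves behind.
sample_failed() {
    printf '%s\n' 'New, (NONE), Cipher is (NONE)' 'SSL-Session:' \
        '    Protocol  : TLSv1.2' '    Cipher    : 0000'
}

if [ "$#" -ge 1 ]; then probe "$1"; fi
```

Pass the mail server's host name as the only argument. A client-side OpenSSL policy that disables TLS 1.0/1.1 makes those rows read "none" regardless of what the server offers.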







[qmailtoaster] Outlook users can't connect to QMT7 IMAP after Windows update

2022-10-14 Thread Jeff Koch

Hi - are there any suggestions on how to resolve this issue?

We're seeing more and more Outlook email client users complaining that 
they're no longer connecting to QMT7 IMAP to receive their mail.  This 
seems to have happened as a result of a recent Windows update.


Jeff Koch

