Re: I can no longer use TLS for Windows7 and Outlook

2020-06-03 Thread Luuk



On 31-5-2020 06:36, Mark Constable wrote:

> I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f.
>
> A few months ago there was an update to all these systems and since
> then I've had to talk W7 and old Mac clients through disabling ports
> 993/995 with TLS enabled back to ports 143/110 without SSL or they
> could not pick up email. Thunderbird users (ie; me) were unaffected.
>
> Could anyone share a set of port 993/995 SSL settings known to work
> with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_" please ?
>
> Mine is currently...
>
> ssl_ca = 


Did you enable TLS1.2 in Windows 7?

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

(or, not tested on Windows 7: https://www.nartac.com/Products/IISCrypto/ )




Re: I can no longer use TLS for Windows7 and Outlook

2020-05-31 Thread Benny Pedersen

On 2020-05-31 11:11, Kostya Vasilyev wrote:


> In terms of Dovecot ciphers config, Windows should be happy with
> TLS_RSA_WITH_3DES_EDE_CBC_SHA which is less broken than the other
> older ciphers.

Let's hope that Dovecot allows TLS 1.0 and can still disable TLS 1.1; TLS 1.1
is weaker than TLS 1.0.

A better solution is to drop Windows 7 and old unsupported Macs.


Re: I can no longer use TLS for Windows7 and Outlook

2020-05-31 Thread Kostya Vasilyev

On 5/31/20 11:54 AM, Aki Tuomi wrote:


> On 31/05/2020 07:36 Mark Constable wrote:
>
>> I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f.
>>
>> A few months ago there was an update to all these systems and since
>> then I've had to talk W7 and old Mac clients through disabling ports
>> 993/995 with TLS enabled back to ports 143/110 without SSL or they
>> could not pick up email. Thunderbird users (ie; me) were unaffected.
>>
>> Could anyone share a set of port 993/995 SSL settings known to work
>> with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_" please ?
>>
>> Mine is currently...
>>
>> ssl_ca = 
>
> ssl_min_protocol = TLSv1.0
> ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> If this works, try tuning the cipher list to a more secure value.
>
> ---
> Aki Tuomi


Since you mention the newest Ubuntu version, it may (most likely) be 
necessary to enable TLS 1.0 / 1.1 in openssl as well. I ran into this 
with Debian 10 some time ago.


/etc/ssl/openssl.conf

[system_default_sect]
-MinProtocol = TLSv1.2
+MinProtocol = TLSv1
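Review bot: lowering MinProtocol under [system_default_sect] changes the default floor for every program on the host that links OpenSSL, not only Dovecot, and "TLSv1" re-enables TLS 1.1 along with TLS 1.0; Dovecot's own ssl_min_protocol (quoted above) is the narrower place to allow the old versions, and if the system-wide edit turns out to be required it should be recorded as a temporary exception to be reverted once the old clients are gone.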

In terms of Dovecot ciphers config, Windows should be happy with 
TLS_RSA_WITH_3DES_EDE_CBC_SHA which is less broken than the other older 
ciphers.


-- K




Re: I can no longer use TLS for Windows7 and Outlook

2020-05-31 Thread Aki Tuomi


On 31/05/2020 07:36 Mark Constable wrote:

> I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f.
>
> A few months ago there was an update to all these systems and since
> then I've had to talk W7 and old Mac clients through disabling ports
> 993/995 with TLS enabled back to ports 143/110 without SSL or they
> could not pick up email. Thunderbird users (ie; me) were unaffected.
>
> Could anyone share a set of port 993/995 SSL settings known to work
> with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_" please ?
>
> Mine is currently...
>
> ssl_ca = 
> ssl_cert = 
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_options = no_compression no_ticket
> ssl_prefer_server_ciphers = yes
>
> I have commented out ssl_cipher_list, ssl_min_protocol and others to
> get back to whatever the defaults are so I am not simply guessing what
> the optimal settings would be to cover Win7 and up.
>
> Yes I know Win7 is no longer supported but that does not help the 100s
> of older users I have that can't/won't upgrade their computers.

ssl_min_protocol = TLSv1.0
ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL

If this works, try tuning the cipher list to a more secure value.

---
Aki Tuomi


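The cipher strings in this thread, Aki's `ALL:!LOW:!SSLv2:!EXP:!aNULL` (Dovecot reads it from ssl_cipher_list, the setting Mark commented out) and the TLS_RSA_WITH_3DES_EDE_CBC_SHA suite Kostya mentions for Windows, are easier to reason about once you see what they expand to on your own OpenSSL build. The script below is an added example for this thread, not code from the list, from Dovecot or from any poster; it uses only Python's standard ssl module, so it runs offline. The HARDENED string is my own suggestion for the "tune later" step and is an assumption, not something the thread proposes; the mapping of TLS_RSA_WITH_3DES_EDE_CBC_SHA to OpenSSL's name DES-CBC3-SHA is standard.

```python
"""Expand a Dovecot ssl_cipher_list string against the local OpenSSL and
report what it enables. Added example for this thread; not Dovecot's code."""
import ssl

# Strings under discussion: Aki's permissive suggestion from the thread, and
# a stricter list of our own (an assumption, not from the thread) to compare.
PERMISSIVE = "ALL:!LOW:!SSLv2:!EXP:!aNULL"
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!3DES:!RC4"

# OpenSSL's name for TLS_RSA_WITH_3DES_EDE_CBC_SHA, the suite Windows 7 at
# TLS 1.0 is said to be happy with.
WIN7_3DES = "DES-CBC3-SHA"


def expand(cipher_string):
    """Return the pre-TLS1.3 suites this OpenSSL build selects for cipher_string.

    TLS 1.3 suites are configured separately and are always listed, so they
    are dropped to show only what the string itself controls."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # no suite in this build matches the string at all
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Summarise a cipher string: how many suites it selects, which lack
    forward secrecy, which are below 128-bit strength, and whether the
    Windows 7 3DES suite is among them."""
    suites = expand(cipher_string)
    names = [c["name"] for c in suites]
    return {
        "count": len(names),
        # Only (EC)DHE key exchange gives forward secrecy; static-RSA suites
        # such as AES128-SHA let a leaked server key decrypt recorded traffic.
        "no_forward_secrecy": [n for n in names
                               if not n.startswith(("ECDHE-", "DHE-"))],
        "weak": [c["name"] for c in suites if c["strength_bits"] < 128],
        "has_win7_3des": WIN7_3DES in names,
    }


if __name__ == "__main__":
    for label, cipher_string in (("permissive", PERMISSIVE),
                                 ("hardened", HARDENED)):
        report = audit(cipher_string)
        print(f"{label}: {cipher_string}")
        print(f"  {report['count']} suites, Win7 3DES suite present: "
              f"{report['has_win7_3des']}")
        print(f"  without forward secrecy: "
              f"{report['no_forward_secrecy'] or 'none'}")
        print(f"  below 128 bits: {report['weak'] or 'none'}")
```

Running it shows the trade-off the thread is circling: the permissive string is what lets an old client negotiate, but it also carries static-RSA and other legacy suites that the hardened string drops. Note that `get_ciphers()` reports what the string selects; OpenSSL's security level and the MinProtocol in the system openssl config (the Ubuntu/Debian defaults discussed above) can still refuse some of those suites or protocol versions at handshake time, which is why a string that lists DES-CBC3-SHA does not by itself guarantee a Windows 7 connection succeeds.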

Re: I can no longer use TLS for Windows7 and Outlook

2020-05-31 Thread @lbutlr
On 30 May 2020, at 22:36, Mark Constable  wrote:
> 993/995 with TLS enabled back to ports 143/110 without SSL or they
> could not pick up email. Thunderbird users (ie; me) were unaffected.

Insecure mail login is far too risky to allow. I don't even allow it within a 
LAN.

> Could anyone share a set of port 993/995 SSL settings known to work
> with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_" please ?

If the users cannot upgrade to an OS that works with TLS 1.2, then you need to 
either move them to a client that does its own TLS handling, or set up webmail 
(like Horde or Roundcube).

Those clients on older machines are similarly going to have trouble accessing 
banks, health sites, or other secure logins as TLS 1.0 and 1.1 are not 
supported anymore. In fact, if it were not for the current pandemic, their 
browsers would already have lost TLS 1.0 and 1.1 abilities.



-- 
Margo: Give me a phaser and a red shirt.
Male centurion: What?




Re: I can no longer use TLS for Windows7 and Outlook

2020-05-31 Thread Christian Kivalo



On May 31, 2020 6:36:52 AM GMT+02:00, Mark Constable  wrote:
>I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f.
>
>A few months ago there was an update to all these systems and since
>then I've had to talk W7 and old Mac clients through disabling ports
>993/995 with TLS enabled back to ports 143/110 without SSL or they
>could not pick up email. Thunderbird users (ie; me) were unaffected.
>
>Could anyone share a set of port 993/995 SSL settings known to work
>with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_" please ?
The best would be to upgrade your clients to a more current OS that supports 
those ciphers or change the mail client to something that ships its own 
SSL/TLS implementation like Thunderbird. 

I would under no circumstances allow access without TLS. 
You could also switch back to an older version of Ubuntu / openssl which in 
turn would allow the old clients to use SSL/TLS again. 
This would allow for an extended time period getting those clients to upgrade 
their OS. 
>Mine is currently...
>
>ssl_ca = 
>ssl_cert = 
>ssl_dh = # hidden, use -P to show it
>ssl_key = # hidden, use -P to show it
>ssl_options = no_compression no_ticket
>ssl_prefer_server_ciphers = yes
>
>I have commented out ssl_cipher_list, ssl_min_protocol and others to
>get back to whatever the defaults are so I am not simply guessing what
>the optimal settings would be to cover Win7 and up.
Nevertheless, you're in for a good amount of work. For Win7 I found this [1], 
which links to MSDN [2], where it states:

TLS 1.1 & TLS 1.2 are enabled by default on post Windows 8.1 releases. Prior to 
that they were disabled by default. So the administrators have to enable the 
settings manually via the registry. Refer to this article on how to enable these 
protocols via registry: https://support.Microsoft.com/en-us/kb/187498

I haven't tested this as I don't have a Win7 installation available. 

>Yes I know Win7 is no longer supported but that does not help the 100s
>of older users I have that can't/won't upgrade their computers.
There will probably be more problems relating to old OS and unsupported SSL/TLS 
versions in the future. 

Good luck. 

[1] https://support.globalsign.com/ssl/general-ssl/tls-protocol-compatibility
[2] 
https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/
-- 
Christian Kivalo