Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-25 Thread Tahnan Al Anas
It did happen to most of my servers. I later found that if I use 587 with auto
rather than selecting TLS from Outlook, sending works, so I have suggested
that all of my users change to that.


--
--

Best Regards
Muhammad Tahnan Al Anas


On Tue, Oct 25, 2022 at 8:37 PM Eric Broch wrote:

> "When Microsoft fails"
>
> Yes! How much do they owe us for lost work and time figuring out their
> failures? We'll never see it! Their B.S. goes all the way back to
> Windoze 3.1
>
> Anyway, would it do any good to write a patch to troubleshoot a
> connection if there is no connection?
>
> And, how would one fix code without knowing what's wrong or being able
> to find out (in the absence of a connection) the problem?
>
> I guess I would not know where to start as much as I'd like to DO
> something about it.
>
> Thanks for bearing with my vent.
>
>
> On 10/25/2022 8:27 AM, Andreas wrote:
> > Hi Eric,
> > Hi List,
> >
> > I found part of the issue:
> > KB5018410 is it. Microsoft is aware of the problem, I hope they find
> > something to remediate.
> >
> https://answers.microsoft.com/en-us/windows/forum/all/kb5018410-on-windows-10-version-21h2-breaks/8f70d6db-8b3a-42bc-a49f-f71809c4db89
> >
> >
> > I have ngrep on the server and tested, I cannot see any connection
> > attempts from the client-ip.
> > Strange thing is, this afternoon it happened to some clients to get
> > some email out, later they called back because it stopped working.
> >
> > Thank you very much for your troubleshooting, but if Microsoft fails...
> >
> > Andreas
> >
> > On 25.10.22 at 15:26, Eric Broch wrote:
> >> I've asked this before about this problem. Is it possible to use
> >> tcpdump to see if outlook is even connecting to the server.
> >>
> >> On 10/24/2022 10:52 PM, Andreas wrote:
> >>> Hi Eric,
> >>> no, there is nothing in /var/log/qmail/submission/current from this ip
> >>>
> >>> Andreas
> >>>
> >
> >
> > -
> > To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> > For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
> >
>
>
>


Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-25 Thread Eric Broch

"When Microsoft fails"

Yes! How much do they owe us for lost work and time figuring out their 
failures? We'll never see it! Their B.S. goes all the way back to 
Windoze 3.1


Anyway, would it do any good to write a patch to troubleshoot a 
connection if there is no connection?


And, how would one fix code without knowing what's wrong or being able 
to find out (in the absence of a connection) the problem?


I guess I would not know where to start as much as I'd like to DO 
something about it.


Thanks for bearing with my vent.


On 10/25/2022 8:27 AM, Andreas wrote:

Hi Eric,
Hi List,

I found part of the issue:
KB5018410 is it. Microsoft is aware of the problem, I hope they find 
something to remediate.
https://answers.microsoft.com/en-us/windows/forum/all/kb5018410-on-windows-10-version-21h2-breaks/8f70d6db-8b3a-42bc-a49f-f71809c4db89 



I have ngrep on the server and tested, I cannot see any connection 
attempts from the client-ip.
Strange thing is, this afternoon it happened to some clients to get 
some email out, later they called back because it stopped working.


Thank you very much for your troubleshooting, but if Microsoft fails...

Andreas

On 25.10.22 at 15:26, Eric Broch wrote:
I've asked this before about this problem. Is it possible to use 
tcpdump to see if outlook is even connecting to the server.


On 10/24/2022 10:52 PM, Andreas wrote:

Hi Eric,
no, there is nothing in /var/log/qmail/submission/current from this ip

Andreas







Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-25 Thread Andreas

Hi Eric,
Hi List,

I found part of the issue:
KB5018410 is it. Microsoft is aware of the problem, I hope they find 
something to remediate.

https://answers.microsoft.com/en-us/windows/forum/all/kb5018410-on-windows-10-version-21h2-breaks/8f70d6db-8b3a-42bc-a49f-f71809c4db89

I have ngrep on the server and tested, I cannot see any connection 
attempts from the client-ip.
Strange thing is, this afternoon it happened to some clients to get some 
email out, later they called back because it stopped working.


Thank you very much for your troubleshooting, but if Microsoft fails...

Andreas

On 25.10.22 at 15:26, Eric Broch wrote:
I've asked this before about this problem. Is it possible to use 
tcpdump to see if outlook is even connecting to the server.


On 10/24/2022 10:52 PM, Andreas wrote:

Hi Eric,
no, there is nothing in /var/log/qmail/submission/current from this ip

Andreas







Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-24 Thread Eric Broch

Andreas,

Last time this happened I was told that there was no evidence of a 
connection from the client, nothing in the Dovecot log.


So, is there ANY evidence of a connection from the client in the 
submission log.


If there is no evidence of a TCP connection is there any problem with 
our software?


Can you check if there is a TCP connection from the client?

Eric

On 10/24/2022 3:49 PM, Andreas wrote:

Hi Eric,
Hi Quinn,


thanks a lot for your help. I couldn't find the error, but hope on 
your patch.


I have no other server to help my customers, so they can only have the 
choice to use roundcube until it is fixed.

Maybe the attached log from testssl.sh can help a bit?
I couldn't find a way to set the cipher-order in qmail. Maybe I 
haven't searched in the right list- archives?


Andreas




On 24.10.22 at 17:57, Eric Broch wrote:
I'm going to have to write a server side patch so we can determine 
the problem.


On 10/24/2022 9:53 AM, Andreas wrote:

Ok, I just tried with Outlook 2019 on port 465, it doesn't work either.
It times out.



On 24.10.22 at 17:22, Eric Broch wrote:

did you try smtps port 465?

On 10/24/2022 9:13 AM, Andreas wrote:

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
#TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
TCP_CDB="/etc/tcprules.d/tcp.subm.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export SMTPAUTH="!"

exec /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1


On 24.10.22 at 17:12, Eric Broch wrote:

cat /var/qmail/supervise/submission/run

send results

On 10/24/2022 9:03 AM, Andreas wrote:

Hi Eric,

spamdyke is only in the mix with smtp, not with submission.

andreas

On 24.10.22 at 15:55, Eric Broch wrote:

is spamdyke in the mix?

On 10/24/2022 7:53 AM, Andreas wrote:
It is set up to use submission; some use STARTTLS, some 
automatic.




Andreas

On 24.10.22 at 15:51, Eric Broch wrote:

How is your SMTP set up in Outlook?

On 10/24/2022 7:50 AM, Andreas wrote:

Hi Eric,

that's right.

IMAP is OK

Andreas

On 24.10.22 at 15:49, Eric Broch wrote:
Sending emails would be a qmail issue, wouldn't it? Not an 
IMAP issue, right?


On 10/24/2022 7:45 AM, Andreas wrote:

Hi Eric,

Yes, it is only an issue when trying to send mails.
Retrieving mails is OK

Andreas

On 24.10.22 at 15:30, Eric Broch wrote:

Is this only an IMAP issue?

On 10/24/2022 6:46 AM, Andreas wrote:

Hi Eric,

with LEGACY it still doesn't work.

I tried FUTURE and get the following in dovecot-logs:
Error: Failed to initialize SSL server context: Can't 
load SSL certificate (ssl_cert setting): 
error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee 
key too small: user=<>, rip=xx.xx.xx.xx, 
lip=xx.xx.xx.xx, session=



Andreas
On 24.10.22 at 14:24, Eric Broch wrote:

What does this command yield?

update-crypto-policies --show

update-crypto-policies --set DEFAULT

update-crypto-policies --set LEGACY

update-crypto-policies --set FUTURE


On 10/24/2022 5:12 AM, Andreas wrote:


Hi list,

I have read the discussion and fix.
I have installed dovecot--2.3.19.1-2.x86_64 and
dovecot-mysql-2.3.19.1-2.x86_64
on RockyLinux 8

Since last update on Microsoft and Outlook they cannot 
send emails.


In the log I don't see any error, on the client:
Task "myuser@... - Sending: reported error (Ox800CCC1A) :
'Your server does not support the connection 
encryption type you have
specified. Try changing the encryption method. Contact 
your mail server
administrator or internet service provider (ISP) for 
additional assistance.'



Do you have any advice how I could change the server 
settings?


Andreas





Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-24 Thread Andreas

Hi Eric,
Hi Quinn,


thanks a lot for your help. I couldn't find the error, but hope on your 
patch.


I have no other server to help my customers, so they can only have the 
choice to use roundcube until it is fixed.

Maybe the attached log from testssl.sh can help a bit?
I couldn't find a way to set the cipher-order in qmail. Maybe I haven't 
searched in the right list- archives?


Andreas




On 24.10.22 at 17:57, Eric Broch wrote:
I'm going to have to write a server side patch so we can determine the 
problem.


On 10/24/2022 9:53 AM, Andreas wrote:

Ok, I just tried with Outlook 2019 on port 465, it doesn't work either.
It times out.



On 24.10.22 at 17:22, Eric Broch wrote:

did you try smtps port 465?

On 10/24/2022 9:13 AM, Andreas wrote:

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
#TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
TCP_CDB="/etc/tcprules.d/tcp.subm.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export SMTPAUTH="!"

exec /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1


On 24.10.22 at 17:12, Eric Broch wrote:

cat /var/qmail/supervise/submission/run

send results

On 10/24/2022 9:03 AM, Andreas wrote:

Hi Eric,

spamdyke is only in the mix with smtp, not with submission.

andreas

On 24.10.22 at 15:55, Eric Broch wrote:

is spamdyke in the mix?

On 10/24/2022 7:53 AM, Andreas wrote:
It is set up to use submission; some use STARTTLS, some 
automatic.




Andreas

On 24.10.22 at 15:51, Eric Broch wrote:

How is your SMTP set up in Outlook?

On 10/24/2022 7:50 AM, Andreas wrote:

Hi Eric,

that's right.

IMAP is OK

Andreas

On 24.10.22 at 15:49, Eric Broch wrote:
Sending emails would be a qmail issue, wouldn't it? Not an 
IMAP issue, right?


On 10/24/2022 7:45 AM, Andreas wrote:

Hi Eric,

Yes, it is only an issue when trying to send mails.
Retrieving mails is OK

Andreas

On 24.10.22 at 15:30, Eric Broch wrote:

Is this only an IMAP issue?

On 10/24/2022 6:46 AM, Andreas wrote:

Hi Eric,

with LEGACY it still doesn't work.

I tried FUTURE and get the following in dovecot-logs:
Error: Failed to initialize SSL server context: Can't 
load SSL certificate (ssl_cert setting): 
error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee 
key too small: user=<>, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx, 
session=



Andreas
On 24.10.22 at 14:24, Eric Broch wrote:

What does this command yield?

update-crypto-policies --show

update-crypto-policies --set DEFAULT

update-crypto-policies --set LEGACY

update-crypto-policies --set FUTURE


On 10/24/2022 5:12 AM, Andreas wrote:


Hi list,

I have read the discussion and fix.
I have installed dovecot--2.3.19.1-2.x86_64 and
dovecot-mysql-2.3.19.1-2.x86_64
on RockyLinux 8

Since last update on Microsoft and Outlook they cannot 
send emails.


In the log I don't see any error, on the client:
Task "myuser@... - Sending: reported error (Ox800CCC1A) :
'Your server does not support the connection encryption 
type you have
specified. Try changing the encryption method. Contact 
your mail server
administrator or internet service provider (ISP) for 
additional assistance.'



Do you have any advice how I could change the server 
settings?


Andreas


###
testssl.sh   3.0.6 from https://testssl.sh/

  This program is free software. Distribution and
 modification under GPLv2 permitted.
  USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

   Please file bugs @ https://testssl.sh/bugs/

###

 Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~179 ciphers]
 on TP-AG:./bin/openssl.Linux.x86_64
 (built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")


 Start 2022-10-24 23:13:15        -->> xx.xx.x.xx:587 (send.mail,server) <<--

 rDNS (xx.xx.x.xx):      send.mail,server.
 Service set:            STARTTLS via SMTP

 Testing protocols via sockets

 SSLv2      not offered (OK)
 SSLv3      likely not offered (OK), received 4xx/5xx after STARTTLS handshake, rerun with DEBUG>=2 or --ssl-native
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final

 Testing cipher categories

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export 

Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-24 Thread Quinn Comendant
Hi Andreas,

I've had some users report this as well. Previously, they were getting this 
same error when receiving mail; upgrading to Dovecot (from Courier) resolved 
that. Now the issue seems to also exist with qmail-smtp.

I'm not sure what is broken, because connections to port 587 support TLSv1.2 
with modern ciphers, and I get a decent score with www.immuniweb.com.

For the moment, I've simply offered an alternative SMTP server for users who 
are having trouble sending (which, for now, is limited to just a few people in 
one office).

Anyone have suggestions why some versions of Outlook on Windows can't establish 
encrypted connection to qmail-smtp?

Quinn

On 24 Oct 2022, at 6:12, Andreas wrote:

> Hi list,
>
> I have read the discussion and fix.
> I have installed dovecot--2.3.19.1-2.x86_64 and
> dovecot-mysql-2.3.19.1-2.x86_64
> on RockyLinux 8
>
> Since last update on Microsoft and Outlook they cannot send emails.
>
> In the log I don't see any error, on the client:
> Task "myuser@... - Sending: reported error (Ox800CCC1A) :
> 'Your server does not support the connection encryption type you have
> specified. Try changing the encryption method. Contact your mail server
> administrator or internet service provider (ISP) for additional assistance.'
>
>
> Do you have any advice how I could change the server settings?
>
> Andreas
>
>



[qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-24 Thread Andreas



Hi list,

I have read the discussion and fix.
I have installed dovecot--2.3.19.1-2.x86_64 and
dovecot-mysql-2.3.19.1-2.x86_64
on RockyLinux 8

Since last update on Microsoft and Outlook they cannot send emails.

In the log I don't see any error, on the client:
Task "myuser@... - Sending: reported error (Ox800CCC1A) :
'Your server does not support the connection encryption type you have
specified. Try changing the encryption method. Contact your mail server
administrator or internet service provider (ISP) for additional assistance.'


Do you have any advice how I could change the server settings?

Andreas





Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-18 Thread Janno Sannik
It indeed works for me to date. I don't know if I should be scared of it 
now that you are saying that this breaks with the latest Windows update :)
One thing I could think of - there might be a problem with ciphers. I also 
messed around with it. Check the https://www.immuniweb.com/ssl/ test 
(put your.mail.server:993 as address) to see how it likes your SSL 
implementation.



Another solution would be to run nginx as a proxy (which I also did). 
Nginx needs an auth module to authenticate and choose which back end has 
emails for this specific user. It is a simple script that will connect 
to the qmail mysql server and check for user and password fields. Could be 
in perl, python or even bash/command line. I wrote this also (in PHP). I 
was thinking to use this for moving over per domain or email for testing. 
Made the solution and used it for my email accounts but never got around 
to finishing the plan and converting to dovecot.


https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/


I do have another server which was upgraded to dovecot, but you need to 
pay attention to the prefix = INBOX. parameter if you are coming from 
courier. It needs to be set, otherwise Outlook will act weirdly and will 
not sync mail anymore (thunderbird understands the change and works 
automatically). I think it's documented in the conversion tutorial. And 
indeed if there would be problems then I would know as there are most 
users running Outlook on this server (around 100 accounts).


IMHO dovecot is MUCH faster with mailboxes with a lot of emails in one 
folder.



Janno

On 17.10.2022 20:51, Quinn Comendant wrote:


On 13 Oct 2022, at 12:12, Jeff Koch wrote:

I think this would indicate that our Dovecot IMAP supports TLSv1.2
and should work with the Outlook updates. Am I missing something?

FWIW, I applied Janno Sannik's patch 
to enable TLS 1.2 in Courier 4.1, after which testssl.sh reported that 
TLS 1.2 is working correctly. However, some of our users still 
reported errors using Outlook. So, the issue doesn't seem to be as 
simple as enabling TLS 1.2?


I'm currently working to replace Courier with Dovecot, since you 
mentioned the latest Dovecot version works for you.


Quinn


Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-17 Thread Quinn Comendant

On 13 Oct 2022, at 12:12, Jeff Koch wrote:

I think this would indicate that our Dovecot IMAP supports TLSv1.2 and 
should work with the Outlook updates. Am I missing something?


FWIW, I applied [Janno Sannik's 
patch](https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg43073.html) 
to enable TLS 1.2 in Courier 4.1, after which testssl.sh reported that 
TLS 1.2 is working correctly. However, some of our users still reported 
errors using Outlook. So, the issue doesn't seem to be as simple as 
enabling TLS 1.2?


I'm currently working to replace Courier with Dovecot, since you 
mentioned the latest Dovecot version works for you.


Quinn





Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-13 Thread Quinn Comendant

On 13 Oct 2022, at 12:12, Jeff Koch wrote:

I think this would indicate that our Dovecot IMAP supports TLSv1.2 and 
should work with the Outlook updates.


Yes, looks like a successful TLS 1.2 connection.

When testing with openssl, I would add the `-tls1_2` option to force use 
of that protocol:


openssl s_client -connect example.com:993 -tls1_2

Also test submission on port 587 (and you can try testing smtp on port 
25, although most networks block outgoing port 25 so you might not get a 
valid result):


openssl s_client -connect example.com:587 -starttls smtp -tls1_2



Although, I like to use https://testssl.sh/ (`brew install testssl` on 
macOS) which gives easier to understand and more thorough results:


Test submission (with STARTTLS on port 587):

testssl.sh -t smtp mx.strangecode.com:587

Test imap (with SSL-only on port 993):

testssl.sh example.com:993

Quinn

Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-13 Thread Jeff Koch

Running the following command against our QMT mailservers shows:

openssl s_client -showcerts -connect mailserver.com:993

--
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
7DF738EE6BD9096B6CAE8047C4FBE4A980227BBBA7BBCD940BCE1BC4CE5ABA17

    Session-ID-ctx:
    Master-Key: 
42D30E9F7D9185EC883D188F298901335359D2298CDD74D93CE83C0EDA8478E331F2E9C57F70CBED7F8963C0B866D874

    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
     - 52 39 f4 5c cc 71 71 4c-25 19 11 9a 4f 4e 71 e8 R9.\.qqL%...ONq.
    0010 - d9 73 a6 0d 40 14 5a 52-d3 92 14 35 8e 7e 4b 0f .s..@.ZR...5.~K.
--

I think this would indicate that our Dovecot IMAP supports TLSv1.2 and 
should work with the Outlook updates. Am I missing something?


Jeff




On 10/13/2022 12:27 PM, Quinn Comendant wrote:


The Windows system update on October 11, 2021 included a change to 
disable TLS 1.0 and 1.1 by default.


  * Windows blog post: Plan for change: TLS 1.0 and TLS 1.1 soon to be
disabled by default


  * Windows support article: KB5017811—Manage Transport Layer Security
(TLS) 1.0 and 1.1 after default behavior change on September 20,
2022


  * Blog post: Windows 10: Beware of a possible TLS disaster on
October 2022 patchday



Our QMT v1.3 system with this issue does support TLS 1.2 for smtp and 
submission, but Courier IMAP only supports up to TLS 1.0. Results via 
testssl.sh:



smtp and submission

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol



imap

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    not offered
 TLS 1.2    not offered and downgraded to a weaker protocol
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered


Because the error should only occur when TLS 1.2 is not available, I 
think the |Ox800CCC1A| in Outlook occurs when doing an IMAP transaction.


This thread 
started by Janno Sannik a couple years ago contains some hints how to 
upgrade or replace Courier for better TLS support.


Quinn



Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-13 Thread Quinn Comendant
The Windows system update on October 11, 2021 included a change to 
disable TLS 1.0 and 1.1 by default.


- Windows blog post: [Plan for change: TLS 1.0 and TLS 1.1 soon to be 
disabled by 
default](https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/)
- Windows support article: [KB5017811—Manage Transport Layer Security 
(TLS) 1.0 and 1.1 after default behavior change on September 20, 
2022](https://support.microsoft.com/en-us/topic/kb5017811-manage-transport-layer-security-tls-1-0-and-1-1-after-default-behavior-change-on-september-20-2022-e95b1b47-9c7c-4d64-9baf-610604a64c3e)
- Blog post: [Windows 10: Beware of a possible TLS disaster on October 
2022 
patchday](https://borncity.com/win/2022/10/11/windows-10-achtung-vor-einem-mglichen-tls-desaster-zum-oktober-2022-patchday/)


Our QMT v1.3 system with this issue does support TLS 1.2 for smtp and 
submission, but Courier IMAP only supports up to TLS 1.0. Results via 
testssl.sh:


## smtp and submission

 SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol

## imap

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    not offered
 TLS 1.2    not offered and downgraded to a weaker protocol
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

Because the error should only occur when TLS 1.2 is not available, I 
think the `Ox800CCC1A` in Outlook occurs when doing an IMAP transaction.


[This 
thread](https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg43073.html) 
started by Janno Sannik a couple years ago contains some hints how to 
upgrade or replace Courier for better TLS support.


Quinn
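
The comparison behind the reasoning in the message above, as an added example (not part of the original message): it reads testssl.sh protocol lines and lists which offered protocols a given client could still negotiate. The two sample results are constructed from the values quoted in the message; the function names and the client protocol lists are assumptions of this example.

```shell
#!/bin/sh
# Constructed samples: same values as the smtp/submission and imap results
# quoted above, in the column layout testssl.sh prints.
SMTP_RESULT=' SSLv2      not offered (OK)
 SSLv3      offered (NOT ok)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol'

IMAP_RESULT=' SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    not offered
 TLS 1.2    not offered and downgraded to a weaker protocol
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered'

# Assumed client protocol sets (labels chosen for this example): a client
# with TLS 1.0 and 1.1 disabled, and one that still allows them.
CLIENT_AFTER_UPDATE='TLS1.2 TLS1.3'
CLIENT_BEFORE_UPDATE='TLS1.0 TLS1.1 TLS1.2'

# offered_protocols: read a testssl.sh protocol section on stdin and print
# the protocols the server offers, space separated (for example "TLS1.0 TLS1.2").
offered_protocols() {
    awk '
        # Only lines where "offered" directly follows the protocol name count;
        # "not offered" and "likely not offered" lines are skipped.
        /^[ \t]*(SSLv[23]|TLS 1(\.[0-9])?)[ \t]*offered/ {
            match($0, /SSLv[23]|TLS 1(\.[0-9])?/)
            name = substr($0, RSTART, RLENGTH)
            if (name == "TLS 1") name = "TLS 1.0"   # testssl.sh prints TLS 1.0 as "TLS 1"
            gsub(/ /, "", name)                     # "TLS 1.2" becomes "TLS1.2"
            out = out (out == "" ? "" : " ") name
        }
        END { print out }
    '
}

# common_protocols CLIENT_LIST: stdin is a protocol section; prints the
# offered protocols that also appear in CLIENT_LIST.
common_protocols() {
    client=" $1 "
    common=""
    for p in $(offered_protocols); do
        case "$client" in
            *" $p "*) common="${common:+$common }$p" ;;
        esac
    done
    echo "$common"
}

# report LABEL RESULT CLIENT_LIST: one verdict line per service.
report() {
    shared=$(printf '%s\n' "$2" | common_protocols "$3")
    if [ -n "$shared" ]; then
        echo "$1: handshake possible ($shared)"
    else
        echo "$1: no shared protocol, TLS handshake cannot complete"
    fi
}

report "smtp/submission" "$SMTP_RESULT" "$CLIENT_AFTER_UPDATE"
report "imap" "$IMAP_RESULT" "$CLIENT_AFTER_UPDATE"
report "imap (TLS 1.0 still enabled)" "$IMAP_RESULT" "$CLIENT_BEFORE_UPDATE"
```

To check a live server, pipe the protocol section of a real testssl.sh run into `common_protocols` in place of the constructed samples.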

Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-13 Thread William Silverstein



On Thu, October 13, 2022 5:50 am, Fabio Mecchia wrote:
> Hi, I also
> got this problem long ago, I don't remember if this was correct but try to
> add this key to your windows registry :
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
> -> Add this key "ProtectionPolicy"=dword:0001
>


What does this key do? What does setting this 1 do? What is the normal
setting(s)?

I'd rather not just blindly change setting w/o understanding what is going
on and how that may affect other things.

-- 
William Silverstein, Esq.
Litigation Counsel
Licensed in California.







Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-13 Thread Tommi Järvilehto

While sending mail.
Submission port with TLS encryption.

Uninstalling the windows update fixed this on one machine. We try to 
test another machine with the registry key.


On 13.10.2022 14.57, Eric Broch wrote:


Is this an IMAP issue?

On 10/13/2022 5:17 AM, Tommi Järvilehto wrote:

Same here:
centos-release-7-6.1810.2.el7.centos.x86_64
qmt-release-1-7.qt.el7.noarch
openssl-1.0.2k-16.el7_6.1.x86_64

On 13.10.2022 4.21, Eric Broch wrote:


What version of qmt

On 10/12/2022 2:16 PM, Quinn Comendant wrote:


Today we received several complaints from Outlook users who are 
unable to connect to QMT servers. They get this error:


Task "u...@example.com - Sending: reported error (Ox800CCC1A) :
'Your server does not support the connection encryption type
you have
specified. Try changing the encryption method. Contact your
mail server
administrator or internet service provider (ISP) for additional
assistance.'

The error began after installing Windows 10 servicing stack update 
- 19042.1940, 19043.1940, and 19044.1940, 
and the problem was fixed by uninstalling the update.


Has anyone else experienced this, or know what the problem could 
be? I hope there is a config change I can make on QMT servers so 
that users will not need to uninstall the update.


Quinn



--
Tommi Järvilehto



--
Tommi Järvilehto
DataVahti Oy
040 732 8032


Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-13 Thread Fabio Mecchia

Hi, I also
got this problem long ago, I don't remember if this was correct but try to 
add this key to your windows registry :


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
-> Add this key "ProtectionPolicy"=dword:0001

Fabio




On 13 October 2022 14:12:09, Qmail wrote:

Hi Quinn.

Just think I've seen this looong ago... may be I'm wrong

Check the ports for smtp / pop in Outlook - it may relate to the
port numbers - if it needs to be encrypted try using port smtp 465 / pop 995.
(it requires the ports are in use by the QMT server of course)

Hope this may help

/Finn


On 12-10-2022 at 22:16, Quinn Comendant wrote:

Today we received several complaints from Outlook users who are unable
to connect to QMT servers. They get this error:

Task "u...@example.com  - Sending: reported
error (Ox800CCC1A) :
'Your server does not support the connection encryption type you have
specified. Try changing the encryption method. Contact your mail server
administrator or internet service provider (ISP) for additional
assistance.'

The error began after installing Windows 10 servicing stack update -
19042.1940, 19043.1940, and 19044.1940,
and the problem was fixed by uninstalling the update.


Has anyone else experienced this, or know what the problem could be? I
hope there is a config change I can make on QMT servers so that users
will not need to uninstall the update.

Quinn






Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-13 Thread Qmail

Hi Quinn.

Just think I've seen this looong ago... may be I'm wrong

Check the ports for smtp / pop in Outlook - it may relate to the 
port numbers - if it needs to be encrypted try using port smtp 465 / pop 995.

(it requires the ports are in use by the QMT server of course)

Hope this may help

/Finn


On 12-10-2022 at 22:16, Quinn Comendant wrote:
Today we received several complaints from Outlook users who are unable 
to connect to QMT servers. They get this error:


Task "u...@example.com  - Sending: reported
error (Ox800CCC1A) :
'Your server does not support the connection encryption type you have
specified. Try changing the encryption method. Contact your mail server
administrator or internet service provider (ISP) for additional
assistance.'

The error began after installing Windows 10 servicing stack update - 
19042.1940, 19043.1940, and 19044.1940, 
and the problem was fixed by uninstalling the update.


Has anyone else experienced this, or know what the problem could be? I 
hope there is a config change I can make on QMT servers so that users 
will not need to uninstall the update.


Quinn






Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-13 Thread Eric Broch

Is this an IMAP issue?

On 10/13/2022 5:17 AM, Tommi Järvilehto wrote:

Same here:
centos-release-7-6.1810.2.el7.centos.x86_64
qmt-release-1-7.qt.el7.noarch
openssl-1.0.2k-16.el7_6.1.x86_64

On 13.10.2022 4.21, Eric Broch wrote:


What version of qmt

On 10/12/2022 2:16 PM, Quinn Comendant wrote:


Today we received several complaints from Outlook users who are 
unable to connect to QMT servers. They get this error:


Task "u...@example.com - Sending: reported error (Ox800CCC1A) :
'Your server does not support the connection encryption type you
have
specified. Try changing the encryption method. Contact your mail
server
administrator or internet service provider (ISP) for additional
assistance.'

The error began after installing Windows 10 servicing stack update - 
19042.1940, 19043.1940, and 19044.1940, 
and the problem was fixed by uninstalling the update.


Has anyone else experienced this, or know what the problem could be? 
I hope there is a config change I can make on QMT servers so that 
users will not need to uninstall the update.


Quinn



--
Tommi Järvilehto

Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-13 Thread Tommi Järvilehto

Same here:
centos-release-7-6.1810.2.el7.centos.x86_64
qmt-release-1-7.qt.el7.noarch
openssl-1.0.2k-16.el7_6.1.x86_64

On 13.10.2022 4.21, Eric Broch wrote:


What version of qmt

On 10/12/2022 2:16 PM, Quinn Comendant wrote:


Today we received several complaints from Outlook users who are 
unable to connect to QMT servers. They get this error:


Task "u...@example.com - Sending: reported error (Ox800CCC1A) :
'Your server does not support the connection encryption type you have
specified. Try changing the encryption method. Contact your mail
server
administrator or internet service provider (ISP) for additional
assistance.'

The error began after installing Windows 10 servicing stack update - 
19042.1940, 19043.1940, and 19044.1940, 
and the problem was fixed by uninstalling the update.


Has anyone else experienced this, or know what the problem could be? 
I hope there is a config change I can make on QMT servers so that 
users will not need to uninstall the update.


Quinn



--
Tommi Järvilehto


Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-12 Thread Eric Broch

What version of qmt

On 10/12/2022 2:16 PM, Quinn Comendant wrote:


Today we received several complaints from Outlook users who are unable 
to connect to QMT servers. They get this error:


Task "u...@example.com - Sending: reported error (Ox800CCC1A) :
'Your server does not support the connection encryption type you have
specified. Try changing the encryption method. Contact your mail
server
administrator or internet service provider (ISP) for additional
assistance.'

The error began after installing Windows 10 servicing stack update - 
19042.1940, 19043.1940, and 19044.1940, 
and the problem was fixed by uninstalling the update.


Has anyone else experienced this, or know what the problem could be? I 
hope there is a config change I can make on QMT servers so that users 
will not need to uninstall the update.


Quinn


[qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

2022-10-12 Thread Quinn Comendant
Today we received several complaints from Outlook users who are unable 
to connect to QMT servers. They get this error:



Task "u...@example.com - Sending: reported error (Ox800CCC1A) :
'Your server does not support the connection encryption type you have
specified. Try changing the encryption method. Contact your mail 
server
administrator or internet service provider (ISP) for additional 
assistance.'


The error began after installing [Windows 10 servicing stack update - 
19042.1940, 19043.1940, and 
19044.1940](https://support.microsoft.com/en-us/topic/october-11-2022-kb5018410-os-builds-19042-2130-19043-2130-and-19044-2130-6390f057-28ca-43d3-92ce-f4b79a8378fd), 
and the problem was fixed by uninstalling the update.


Has anyone else experienced this, or know what the problem could be? I 
hope there is a config change I can make on QMT servers so that users 
will not need to uninstall the update.


Quinn