Outlook and TLSv.1
Darren Pilgrim
list_dovecot at bluerosetech.com
Mon Jan 19 21:55:31 UTC 2015
On 1/18/2015 12:45 AM, Robert Schetterer wrote:
> Am 16.01.2015 um 12:24 schrieb Oliver Welter:
>> Hi Folks,
>>
>> after adding TLSv1.2 to by TLS options a lot of Outlook users complaint
>> about connection errors, openssl s_client and Thunderbird works fine.
>>
>> I found some posts about this but none of them had a real solution on
>> this - I meanwhile disabled TLSv1.2 which made the Outlook users happy.
>>
>> I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014
>>
>> ssl_cert = </var/qmail/control/servercert.pem
>> ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH
>> ssl_dh_parameters_length = 2048
>> ssl_key = </var/qmail/control/servercert.pem
>> ssl_protocols = !SSLv2 !TLSv1.2
>>
>> The certificate is from Comodo using sha256.
>>
>> Any idea?
>>
>> Oliver
>>
>
> there is no "Outlook", please do a exact debug what Outlook and Windows
> Version, disable TLSv1.2 is a bad idea, my bet goes on your
> ssl_cipher_list, try this
>
> # SSL ciphers to use
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
>
> or search list archive and www for other better solutions and general
> dovecot ssl configs
I have this in production:
ssl_cipher_list =
HIGH+kEECDH:HIGH+kEDH:!aNULL:-3DES:+AES256:+SHA:AES128-SHA:DES-CBC3-SHA
ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
- AES128-SHA & TLSv1 for some Android v4.3 and earlier
- DES-CBC3-SHA & TLSv1 for Outlook 2003 on Windows XP
- TLSv1 for Thunderbird prior to v27
- TLSv1 for Outlook on Windows Vista/2008
- TLSv1 for Outlook on Windows 7 or 8 without IE 11 installed
Everything else supports at least DHE-AES on TLSv1.1 or 1.2. The
cipherspec provides AES128, AES256 and Camellia; with AES128 and
Camellia preferred over AES256, and SHA2 preferred over SHA1.
More information about the dovecot
mailing list