I can no longer use TLS for Windows7 and Outlook

Kostya Vasilyev kmansoft at rambler.ru
Sun May 31 12:11:28 EEST 2020


On 5/31/20 11:54 AM, Aki Tuomi wrote:
>
>> On 31/05/2020 07:36 Mark Constable <markc at renta.net> wrote:
>>
>>
>> I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f.
>>
>> A few months ago there was an update to all these systems and since
>> then I've had to talk W7 and old Mac clients through disabling ports
>> 993/995 with TLS enabled back to ports 143/110 without SSL or they
>> could not pick up email. Thunderbird users (i.e., me) were unaffected.
>>
>> Could anyone share a set of port 993/995 SSL settings known to work
>> with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_" please?
>>
>> Mine is currently...
>>
>> ssl_ca = </etc/ssl/certs/ca-certificates.crt
>> ssl_cert = </etc/ssl/example.com/fullchain.pem
>> ssl_dh = # hidden, use -P to show it
>> ssl_key = # hidden, use -P to show it
>> ssl_options = no_compression no_ticket
>> ssl_prefer_server_ciphers = yes
>>
>> I have commented out ssl_cipher_list, ssl_min_protocol and others to
>> get back to whatever the defaults are so I am not simply guessing what
>> the optimal settings would be to cover Win7 and up.
>>
>> Yes I know Win7 is no longer supported but that does not help the 100s
>> of older users I have that can't/won't upgrade their computers.
>
> ssl_min_protocol = TLSv1.0
> ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
>
> If this works, try tuning the cipher list to a more secure value.
>
> ---
> Aki Tuomi


Since you mention the newest Ubuntu version, it may (most likely) be 
necessary to enable TLS 1.0 / 1.1 in openssl as well. I ran into this 
with Debian 10 some time ago.

/etc/ssl/openssl.conf

[system_default_sect]
-MinProtocol = TLSv1.2
+MinProtocol = TLSv1
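
Review bot: [system_default_sect] sets the default for every program on the host that loads the OpenSSL configuration, so changing MinProtocol from TLSv1.2 to TLSv1 here lowers the floor for more than Dovecot; a comment beside the "+MinProtocol = TLSv1" line recording why it was lowered and for which clients would make it easier to restore TLSv1.2 later. The file named above the hunk is written /etc/ssl/openssl.conf, while Debian and Ubuntu install it as /etc/ssl/openssl.cnf.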

In terms of Dovecot ciphers config, Windows should be happy with 
TLS_RSA_WITH_3DES_EDE_CBC_SHA which is less broken than the other older 
ciphers.

-- K
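
A [system_default_sect] entry only takes effect when that section is reachable from openssl_conf through ssl_conf and system_default. The following added example (not from this thread or from the Dovecot or OpenSSL projects; the function names and both sample configurations are constructed) follows that chain and reports the MinProtocol floor that would apply.

```python
import re

# Protocol names OpenSSL accepts for MinProtocol, oldest first.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}."""
    # Keys that appear before any [section] header go into "default".
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def system_min_protocol(text):
    """Return the MinProtocol applied by default, or None when no
    system default section is reachable from openssl_conf."""
    s = parse_cnf(text)
    name = s["default"].get("openssl_conf")        # master section
    name = s.get(name, {}).get("ssl_conf")         # SSL module section
    name = s.get(name, {}).get("system_default")   # per-context defaults
    return s.get(name, {}).get("MinProtocol")

def allows_legacy_tls(text):
    """True when a reachable system default sets a floor below TLSv1.2."""
    floor = system_min_protocol(text)
    return floor in ORDER and ORDER.index(floor) < ORDER.index("TLSv1.2")

# Constructed samples, not taken from the thread.
REACHABLE = """
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
"""
ORPHANED = """
[system_default_sect]
MinProtocol = TLSv1
"""
```

A None result means the file does not set the floor at all, so the library's build-time default applies and the edit shown in the message would have no effect until the chain is present.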

