Dovecot won't accept IMAP TLS 1 connections from older devices [SOLVED]
Brian Martin
bmartin at silverflash.net
Fri Oct 16 07:18:00 EEST 2020
I've spent days scouring the Internet and trying various solutions on a
problem with my Dovecot installation, so I thought I'd share what I
learned in hopes of saving other people a lot of time. The dedicated
Dovecot hands will know all of the following already. This is for those
of us that have to cover a lot of bases.
I upgraded my mail server from Ubuntu 18.04.1 to Ubuntu 20.04.1, and
found that older MacBooks and iPads (and probably other devices) could
no longer establish IMAP connections to Dovecot. Dovecot logged:
SSL routines:tls_early_post_process_client_hello:unsupported protocol
and TCP/IP traces showed that it dropped the connection after the
client's initial HELLO. I tested what kinds of connections Dovecot
would accept with (for example):
openssl s_client -tls1_1 -connect localhost:993
# Test whether TLSv1.1 is accepted - received "unsupported protocol" message.
Searching showed that Dovecot has a parameter "ssl_min_protocol", which
is documented as defaulting to TLSv1. Nevertheless I explicitly set it
to TLSv1 with no effect. This was a red herring. I spent a long time
looking to see if Dovecot had a bug in handling this newish parameter, etc.
Eventually I came across one posting regarding a web server that told
me the OpenSSL libraries that Dovecot and lots of other packages use have
a single configuration file for the entire system. In Ubuntu 20.04 it
defaults to requiring TLSv1.2 or above. Changing the configuration for
OpenSSL affects everything on the system using the library. I changed
the file, restarted Dovecot, and it immediately accepted TLSv1 connections.
Obviously I'd prefer to maintain the improved security of TLSv1.2, but
in my case it was better to continue providing mail service at a lower
security level than to deny service to some users until they upgraded
their personal devices. You'll need to make your own decision on that score.
The file to change is (on Ubuntu, at least) /usr/lib/ssl/openssl.cnf.
The change consists of adding a line of code in the initial section that
invokes several new sections later:
In the initial section I added:
openssl_conf = default_conf
Then at the bottom of the file I added:
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
There is an alternative approach that I have read of but not tested.
Basically you can create a new file elsewhere with the customized
content, and then set an environmental variable (OPENSSL_CONF) just
before launching Dovecot that points to your new file. This way, only
Dovecot is using downgraded security. Since my mail server is a
dedicated system and I didn't want to muck with the Dovecot start-up
environment, I didn't feel the need to go that route.
So all my digging into why Dovecot wouldn't accept TLSv1 connections and
how to change it was completely on the wrong path. It would be nice if
Dovecot could log a message when its ssl_min_protocol is set lower than
what OpenSSL will accept, but Dovecot may not be able to tell what
OpenSSL is doing. In any case, those are the symptoms, the real
problem, and how to fix it. Good luck, and thanks to Matt Caswell for
posting the answer that I eventually found.
Ref:
https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
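As an added example (not part of the post above), a small Python script that follows the openssl_conf -> ssl_conf -> system_default section chain described in the post through an openssl.cnf and reports the effective MinProtocol and CipherString, returning None when any link of the chain is missing. The sample config is constructed to mirror the post's additions; the default path /usr/lib/ssl/openssl.cnf is the one the post names.

```python
"""Resolve system-default TLS settings from openssl.cnf via openssl_conf -> ssl_conf -> system_default."""
import sys

# Constructed sample mirroring the additions from the post (not a real file).
SAMPLE_CNF = """# keys before the first [section] form OpenSSL's default section
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
"""

def parse_openssl_cnf(text):
    """Minimal INI-style parser: {section: {key: value}}; preamble keys live under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()         # "[ req ]" -> "req"
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def system_default_tls(text):
    """Return the system_default section's settings, or None when any link
    of the chain is missing (OpenSSL's built-in defaults then apply)."""
    sections, name = parse_openssl_cnf(text), ""
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        name = sections.get(name, {}).get(key)   # follow one link of the chain
        if name not in sections:
            return None
    return sections[name]

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/ssl/openssl.cnf"
    with open(path) as fh:
        settings = system_default_tls(fh.read())
    if settings is None:
        print(f"{path}: no system_default chain, built-in defaults apply")
    else:
        for key in ("MinProtocol", "MaxProtocol", "CipherString"):
            print(f"{key} = {settings.get(key, '(not set)')}")
```

Run it against the system file (or a file you intend to point OPENSSL_CONF at) to confirm the chain actually resolves before restarting Dovecot.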