On 2022-10-22 09:30, Ervin Hegedüs wrote:
Hi there,
I have a bit old Dovecot instance (Ubuntu 14.04 - there is no chance to upgrade it), with these versions of packages:
- Dovecot: 2.2.9
- OpenSSL: 1.0.1f
Few days ago a client noticed me, that he can't reach his mails through his Office 365. He uses POP3S.
I tried to set up a same client for this Dovecot server, but when I configured the POP3 protocoll, after the settings check Office says:
Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server ...
While the client was trying, I see these lines in the log:
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF>
Which is weird, because I disabled SSLv3. Here is the (relevant) config:
ssl_cert =
When I check the supported encryption type with nmap, I get this:
$ nmap --script ssl-enum-ciphers -p 995 192.168.8.21 Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-22 10:20 CEST Nmap scan report for 192.168.8.21 Host is up (0.021s latency).
PORT STATE SERVICE 995/tcp open pop3s | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | ... | TLSv1.1: | ciphers: | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | ... | TLSv1.2: | ciphers: | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | ,,, |_ least strength: C
When I check the traffic with tcpdump, I see that client uses TLSv1.2:
https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png
Only the one client who reported the problem, and my test client can't reach the server - other (about) 400 users can (but I don't know with what kind of types of clients - most use Thunderbird).
What can I do? How can I fix this problem? As I wrote, this problem has came few days ago suddenly...
Thanks,
a.
Hi,
You might want to check incoming releases changelog https://doc.dovecot.org/3.0/installation_guide/upgrading/from-2.3-to-3.0/
Notice the point " OpenSSL support for older than 1.0.2: Older versions are not supported anymore. "
I think you should be able to upgrade in the same instance both openssl and dovecot if you compile it manually. Also, you can install additional openssl, and load its module e.g. as libssl.so and move older libssl.so.1.0.1 so to be the default. Make sure to install anything above 1.0.1.
Good luck.
Zakaria.