On 1/18/2015 12:45 AM, Robert Schetterer wrote:
On 16.01.2015 at 12:24, Oliver Welter wrote:
Hi Folks,
after adding TLSv1.2 to my TLS options, a lot of Outlook users complained about connection errors; openssl s_client and Thunderbird work fine.
I found some posts about this, but none of them had a real solution. I have meanwhile disabled TLSv1.2, which made the Outlook users happy.
I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014
ssl_cert = </var/qmail/control/servercert.pem
ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_key = </var/qmail/control/servercert.pem
ssl_protocols = !SSLv2 !TLSv1.2
The certificate is from Comodo using sha256.
Any idea?
Oliver
there is no "Outlook"; please do an exact debug of which Outlook and Windows version. Disabling TLSv1.2 is a bad idea; my bet goes on your ssl_cipher_list. Try this:
# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
or search the list archive and the web for other, better solutions and general Dovecot SSL configs.
I have this in production:
ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!aNULL:-3DES:+AES256:+SHA:AES128-SHA:DES-CBC3-SHA
ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
- AES128-SHA & TLSv1 for some Android v4.3 and earlier
- DES-CBC3-SHA & TLSv1 for Outlook 2003 on Windows XP
- TLSv1 for Thunderbird prior to v27
- TLSv1 for Outlook on Windows Vista/2008
- TLSv1 for Outlook on Windows 7 or 8 without IE 11 installed
Everything else supports at least DHE-AES on TLSv1.1 or 1.2. The cipherspec provides AES128, AES256 and Camellia; with AES128 and Camellia preferred over AES256, and SHA2 preferred over SHA1.
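To see what the three cipher strings quoted in this thread actually offer, here is an added Python example (not from the thread and not Dovecot's own code) that expands each string with the standard ssl module, the same OpenSSL cipher-string syntax Dovecot hands to OpenSSL, and reports the leading suite, any weak families, and whether the non-forward-secret suites are confined to an explicit tail as in the production list. The helper names and the WEAK_MARKERS set are my own, and the expansion depends on the OpenSSL build the interpreter is linked against.

```python
import ssl

# The three cipher strings quoted in the thread: Oliver's original, Robert's
# suggestion, and the production list from the last message.
ORIGINAL = "ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH"
SUGGESTED = "ALL:!LOW:!SSLv2:!EXP:!aNULL"
PRODUCTION = "HIGH+kEECDH:HIGH+kEDH:!aNULL:-3DES:+AES256:+SHA:AES128-SHA:DES-CBC3-SHA"

# Substrings of OpenSSL suite names that mark families a mail server should
# not offer (chosen for this example; the thread itself argues about RC4).
WEAK_MARKERS = ("NULL", "RC4", "EXP", "MD5", "DES-CBC-")


def expand(cipher_string):
    """Expand a cipher string as Dovecot's ssl_cipher_list would be applied:
    the enabled pre-TLS1.3 suites in the order OpenSSL will prefer them.
    Unknown keywords (e.g. SSLv2 on modern builds) are silently ignored by
    OpenSSL; set_ciphers only fails when nothing at all matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Summarise what the string really offers: the suite a modern client
    gets first, weak families, the non-forward-secret (RSA key exchange)
    suites, and whether those sit strictly after every ECDHE/DHE suite."""
    suites = expand(cipher_string)
    is_pfs = lambda s: s.startswith(("ECDHE-", "DHE-"))
    non_pfs = [s for s in suites if not is_pfs(s)]
    last_pfs = max((i for i, s in enumerate(suites) if is_pfs(s)), default=-1)
    return {
        "first": suites[0],
        "weak": [s for s in suites if any(m in s for m in WEAK_MARKERS)],
        "non_pfs": non_pfs,
        # True only when compatibility fallbacks form an explicit tail
        "non_pfs_tail_only": all(suites.index(s) > last_pfs for s in non_pfs),
    }


if __name__ == "__main__":
    for label, spec in (("original", ORIGINAL), ("suggested", SUGGESTED),
                        ("production", PRODUCTION)):
        r = audit(spec)
        print(f"{label:10} first={r['first']} weak={r['weak']} "
              f"non-PFS={len(r['non_pfs'])} tail_only={r['non_pfs_tail_only']}")
```

The @STRENGTH modifier in the original string sorts purely by key size, so RSA-key-exchange AES-256 suites outrank ECDHE AES-128 ones; the production string instead lets only AES128-SHA and DES-CBC3-SHA through, and only at the very end.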