Re: I can no longer use TLS for Windows7 and Outlook

On 5/31/20 11:54 AM, Aki Tuomi wrote:

...

On 31/05/2020 07:36 Mark Constable mailto:markc@renta.net> wrote:

I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f.

A few months ago there was an update to all these systems and since then I've had to talk W7 and old Mac clients through disabling ports 993/995 with TLS enabled back to ports 143/110 without SSL or they could not pick up email. Thunderbird users (ie; me) were unaffected.

Could anyone share a set of port 993/995 SSL settings known to work with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_" please ?

Mine is currently...

ssl_ca =

I have commented out ssl_cipher_list, ssl_min_protocol and others to get back to whatever the defaults are so I am not simply guessing what the optimal settings would be to cover Win7 and up.

Yes I know Win7 is no longer supported but that does not help the 100s of older users I have that can't/won't upgrade their computers.

ssl_min_protocol = TLSv1.0 ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL

if this works try tuning cipherlists to more secure value.

---

Aki Tuomi

Since you mention the newest Ubuntu version, it may (most likely) be necessary to enable TLS 1.0 / 1.1 in openssl as well. I ran into this with Debian 10 some time ago.

/etc/ssl/openssl.conf

[system_default_sect] -MinProtocol = TLSv1.2 +MinProtocol = TLSv1

In terms of Dovecot ciphers config, Windows should be happy with TLS_RSA_WITH_3DES_EDE_CBC_SHA which is less broken than the other older ciphers.

-- K