On 7/7/20 12:16 pm, The Doctor wrote:

...

...

Got a client that usually uses Outlook I think 2010. This person tends to move their e-mails to certain folers. On Thunderbird, the move shows. Not on Outlook. Any explanation?

Using IMAp, most folders should sync client and server. Just wondering if an old version of Outlook has passed its time.

FWIW if they happen to be using Windows7 and dovecot has been updated recently then you could try disabling SSL/STARTTLS on port 143.

-- Mark Constable 0419 530 037 https://spiderweb.com.au

On 7/7/20 3:50 pm, @lbutlr wrote:

...

you could try disabling SSL/STARTTLS on port 143.

What? I’ve never seen SSL/StARTTLS on port 143,a dn I doubt that would work?

I thought you had a problem picking up IMAP mail. I see now you mean you move messages within Thunderbird and the Outlook 2010 app does not sync those changes. My mistake.

FWIW I meant if the client is Windows7/old-Outlook then changing either 993/SSL or 143/STARTTLS to 143/NONE could help pick up the mail. We had to do this for a 100 or so clients a few months ago after upgrading to Ubuntu 20.04.

Plaintext access is no problem if the connection is secured via other means - for example internal network or VPN. If the IMAP server cannot be accessed from the outside, and the traffic don't travel over wifi or public networks, no danger.

-----Ursprungligt meddelande----- Från: dovecot-bounces@dovecot.org dovecot-bounces@dovecot.org För Alexander Dalloz Skickat: den 7 juli 2020 18:05 Till: dovecot@dovecot.org Ämne: Re: Outlook vs Thunderbird

Am 07.07.2020 um 08:07 schrieb Mark Constable:

FWIW I meant if the client is Windows7/old-Outlook then changing either 993/SSL or 143/STARTTLS to 143/NONE could help pick up the mail. We had to do this for a 100 or so clients a few months ago after upgrading to Ubuntu 20.04.

Curious, what's the rationale behind that move? Is it because that old beast of Outlook does not have the capabilities modern TLS/STARTTLS implementations require regarding TLS minimal version and ciphers?

But plaintext auth for mail access, seriously?

Alexander

Sorry about that, its just outlook that does that by default. But manually deleted your adress now in reply. I don't know what you mean with "top posting"?

What I mean is that if you have another security on the connection (be it physical security - the connection doesn't go over public means, or VPN - connection level encryption) then you don't need another encryption on top of that.

Of course you must judge other risks in the physical enviroment - if a hacker connects his laptop to a guest wifi or reception RJ45 port and ARP spoofs - whats gonna happen? So you must of course segment and separate those networks from your internal LAN (so a hacker is now gonna need a access badge to even get a foot into the internal LAN), and also activate static ARP in your switches so even if a hacker ARP spoofs (from an infected client inside internal LAN), nothing gonna come out of the pipe.

-----Ursprungligt meddelande----- Från: dovecot-bounces@dovecot.org dovecot-bounces@dovecot.org För Alexander Dalloz Skickat: den 7 juli 2020 18:30 Till: dovecot@dovecot.org Ämne: Re: SV: Outlook vs Thunderbird

Am 07.07.2020 um 18:11 schrieb Sebastian Nielsen:

Plaintext access is no problem if the connection is secured via other means - for example internal network or VPN. If the IMAP server cannot be accessed from the outside, and the traffic don't travel over wifi or public networks, no danger.

First of all, please keep answers on the mailing list only. Obviously I am subscribe and I don't need to get your reply twice, by list distribution and in addition to my personal address.

And top-posting is another thing you should avoid.

To your answer: I disagree and see that you have a false understanding of security. You want service protocol encryption (here for IMAP or POP3) from end to end. Nothing which breaks up encryption in between.

That's valid for any size of environment. You may judge the risk is tolerable in case you run you own small setup where you are the only user. But I replied to Mark's note where he wrote about ~100 clients. So he either running an IMAP service for clients - where it is inresponsible to not teach them about security and instead lower the protection to none - or administering a company network for which end to end service encryption is a must too.

Alexander

On Tue, Jul 07, 2020 at 07:00:23PM +0200, Sebastian Nielsen wrote:

Sorry about that, its just outlook that does that by default.

Consider migrating to a MUA that, unlike Outlook, understands mailing lists.

For example, Mutt (which definitely sucks less than Outlook): http://www.mutt.org/doc/manual/#using-lists

I don't know what you mean with "top posting"?

Read this: https://www.netmeister.org/news/learn2quote2.html#ss2.3

That FAQ was written for Usenet, but also applies to email.

-- A: When it messes up the order in which people normally read text. Q: When is top-posting a bad thing?

() ASCII ribbon campaign. Please avoid HTML emails & proprietary /\ file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.

On 8/7/20 2:04 am, Alexander Dalloz wrote:

...

FWIW I meant if the client is Windows7/old-Outlook then changing either 993/SSL or 143/STARTTLS to 143/NONE could help pick up the mail. We had to do this for a 100 or so clients a few months ago after upgrading to Ubuntu 20.04.

Curious, what's the rationale behind that move? Is it because that old beast of Outlook does not have the capabilities modern TLS/STARTTLS implementations require regarding TLS minimal version and ciphers?

It involved Windows7 customers and older Apple device users.

Recent versions of Thunderbird on Win7 still worked fine but even Outlook 2016 on Win7 could no longer pick up mail with SSL enabled. It happened after a Ubuntu server update to Dovecot and Openssl about 3 or 4 months ago.

But plaintext auth for mail access, seriously?

Tell me about it! We spent YEARS getting these same folks to change to secure settings (some of them have been with us for 20+ years) so it was heartbreaking to contact each one of them and talk them through disabling SSL.

I spent a week trying every cypher combination I could find via Google for Dovecot but with the phone going off the hook from complaints by customers not being able to pick up their mail. We had to respond with some solution so, after a week, disabling SSL was very reluctantly the only option left. We lost ~40 customers to outlook.com because of this.

Actually, there is a regedit "trick" for Win7 but that is beyond the ability of our customers to apply, and that doesn't help the older Apple device users.

FWIW.

On Wed, Jul 08, 2020 at 12:05:55PM +1000, Mark Constable wrote:

I spent a week trying every cypher combination I could find via Google for Dovecot but with the phone going off the hook from complaints by customers not being able to pick up their mail. We had to respond with some solution so, after a week, disabling SSL was very reluctantly the only option left. We lost ~40 customers to outlook.com because of this.

Ouch. But does outlook.com not require TLS? (I don't currently have an outlook.com account.)

If so, then why would customers be able to solve their problem by moving to outlook.com? Maybe by using outlook.com's webmail interface, I guess, but you could presumably compete with this by offering Squirrelmail or Roundcube.

Yet another possible workaround for customers using email clients or operating systems that don't speak recent versions of TLS is to have them install stunnel on their PC, or else to send them a box (e.g. Raspberry Pi) running stunnel that they can put on their LAN/WLAN:

https://joewein.net/blog/2018/07/04/outlook-express-error-0x800ccc0b-and-the...

https://en.wikipedia.org/wiki/Stunnel

Of course, the main problem with sending a box is that it would periodically require software updates & reboots. If you already have a routine for upgrading software on boxes on customer premises, then include the boxes in that routine; otherwise, it's a headache.

Also, the stunnel approach would not help for non-jailbroken iOS devices except while they are downstream of an stunnel box. So, OK over the WLAN but no good while on mobile data.

Anyway, good luck!

-- A: When it messes up the order in which people normally read text. Q: When is top-posting a bad thing?

() ASCII ribbon campaign. Please avoid HTML emails & proprietary /\ file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.

Tanstaafl skrev den 2020-07-15 21:28:

On Tue Jul 07 2020 02:07:08 GMT-0400 (Eastern Standard Time), Mark Constable markc@renta.net wrote:

...

FWIW I meant if the client is Windows7/old-Outlook then changing either 993/SSL or 143/STARTTLS to 143/NONE could help pick up the mail. We had to do this for a 100 or so clients a few months ago after upgrading to Ubuntu 20.04.

Really, really bad idea. You just disabled an/all security on your imap connection.

windows 7 just need tls 1.0, why its need to disabled all, is aswell beyong me, do not disable tls 1.0 in dovecot aslong one have windows 7 clients

upgrade all clients to windows 10, then tls 1.0 and more weak tls 1.1 can be disabled in dovecot

hope the best for all

On Thu, Jul 16, 2020 at 12:16:19PM +1000, Mark Constable wrote:

Would anyone with Windows7 clients be able to provide me with the EXACT set of ssl_* settings that should work with W7 please?

Also consider improving Windows 7 TLS usage:

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-an...

-- Emmanuel Dreyfus manu@netbsd.org