Hi Folks,
After adding TLSv1.2 to my TLS options, a lot of Outlook users complained about connection errors; openssl s_client and Thunderbird work fine.
I found some posts about this, but none of them had a real solution. I have meanwhile disabled TLSv1.2, which made the Outlook users happy.
I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014
ssl_cert = </var/qmail/control/servercert.pem
ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_key = </var/qmail/control/servercert.pem
ssl_protocols = !SSLv2 !TLSv1.2
The certificate is from Comodo using sha256.
Any idea?
Oliver
-- Protect your environment - close windows and adopt a penguin!
On 16.01.2015 at 12:24, Oliver Welter wrote:
There is no "Outlook"; please do an exact debug of which Outlook and Windows version. Disabling TLSv1.2 is a bad idea. My bet goes on your ssl_cipher_list; try this:
# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
Or search the list archive and the web for other, better solutions and general Dovecot SSL configs.
Best Regards, Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263. Management board: Patrick Ben Koetter, Marc Schiffbauer. Chairman of the supervisory board: Florian Kirstein
On Sun, 18 Jan 2015 09:45:16 +0100, Robert Schetterer stated:
I have: ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL and Outlook 2013 works fine.
-- Jerry
On 18.01.2015 at 12:07, Jerry wrote:
I have: ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL and Outlook 2013 works fine
But you *for sure* break older clients, and should *not* recommend that broken setup untested and believe you are helping with it.
!SSLv3 has no business in the cipher list; you disable ciphers still valid for TLS that way.
That was all discussed dozens of times here:
ssl_protocols = !SSLv2 !SSLv3
*Remove !SSLv3 from the cipher list*, and if you now say your Dovecot version doesn't support "ssl_protocols", then upgrade, or just accept that you can't have outdated software and state-of-the-art protocol support.
On 1/18/2015 12:45 AM, Robert Schetterer wrote:
I have this in production:
ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!aNULL:-3DES:+AES256:+SHA:AES128-SHA:DES-CBC3-SHA
ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2
- AES128-SHA & TLSv1 for some Android v4.3 and earlier
- DES-CBC3-SHA & TLSv1 for Outlook 2003 on Windows XP
- TLSv1 for Thunderbird prior to v27
- TLSv1 for Outlook on Windows Vista/2008
- TLSv1 for Outlook on Windows 7 or 8 without IE 11 installed
Everything else supports at least DHE-AES on TLSv1.1 or 1.2. The cipherspec provides AES128, AES256 and Camellia; with AES128 and Camellia preferred over AES256, and SHA2 preferred over SHA1.
Hi All,
On 19.01.2015 at 22:55, Darren Pilgrim wrote:
I was not able to track it down exactly, but it looks like the problem was a SHA-1-signed certificate in the chain. After exchanging that for the matching 384-bit one, the problems are gone.
Oliver
-- Protect your environment - close windows and adopt a penguin!
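A defender's check for what Oliver found, as an added example that is not from this thread and not Dovecot code: a small Python script that walks a PEM bundle (the file Dovecot reads via ssl_cert) and reports the outer signature algorithm of every certificate in it, flagging SHA-1 or MD5 signed chain members. It parses only the outer X.509 layout (tbsCertificate, signatureAlgorithm, signatureValue), so it needs no third-party library. The two PEM blobs it runs on are constructed minimal DER structures with that outer layout, not real certificates; the helper names and the OID table are this example's own.

```python
import base64
import re

# X.509 outer layout (RFC 5280, section 4.1):
#   Certificate ::= SEQUENCE {
#       tbsCertificate      SEQUENCE,
#       signatureAlgorithm  SEQUENCE { algorithm OID, parameters ANY OPTIONAL },
#       signatureValue      BIT STRING }
# Only signatureAlgorithm is needed to tell a SHA-1 signed chain member from a SHA-256 one.

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_DIGESTS = ("md5", "sha1")


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Return (oid, name) of a DER certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)             # skip tbsCertificate
    tag, algid, _ = _read_tlv(cert, pos)       # signatureAlgorithm
    tag2, oid_bytes, _ = _read_tlv(algid, 0)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = _decode_oid(oid_bytes)
    return oid, SIGNATURE_OIDS.get(oid, "unknown(" + oid + ")")


def chain_report(pem_text):
    """(position, algorithm name, weak?) for every certificate in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    report = []
    for i, b64 in enumerate(blocks):
        _, name = signature_algorithm(base64.b64decode("".join(b64.split())))
        report.append((i, name, any(d in name.lower() for d in WEAK_DIGESTS)))
    return report


# --- constructed sample input (stand-ins, not real certificates) -------------
def _der(tag, content):
    """Minimal DER encoder (short and long length forms), used only to build the sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _sample_cert(sig_oid):
    """Certificate SEQUENCE with a stub tbsCertificate, the requested
    signatureAlgorithm and a dummy signature: enough for the outer parser."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    algid = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAA" * 32)
    b64 = base64.encodebytes(_der(0x30, tbs + algid + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Leaf signed with SHA-256 followed by an intermediate signed with SHA-1,
# mirroring the chain shape described in the thread.
SAMPLE_CHAIN = _sample_cert("1.2.840.113549.1.1.11") + _sample_cert("1.2.840.113549.1.1.5")

if __name__ == "__main__":
    for pos, name, weak in chain_report(SAMPLE_CHAIN):
        print(f"cert #{pos}: {name}{'  <-- weak digest' if weak else ''}")
```

On a real server the same check is `openssl x509 -noout -text` on each member of the bundle, looking at the "Signature Algorithm" line; the script above just does it for the whole file at once and makes the weak-digest case explicit.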
On 16.01.2015 at 12:24, Oliver Welter wrote:
after adding TLSv1.2 to my TLS options
How did you do that?
There is no need to add it, as long as you did not break your configuration intentionally beforehand.
a lot of Outlook users complained about connection errors; openssl s_client and Thunderbird work fine.
No.
I found some posts about this, but none of them had a real solution. I have meanwhile disabled TLSv1.2, which made the Outlook users happy.
I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014
ssl_cert = </var/qmail/control/servercert.pem
ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH
!MEDIUM is likely the reason.
ssl_dh_parameters_length = 2048
ssl_key = </var/qmail/control/servercert.pem
ssl_protocols = !SSLv2 !TLSv1.2
The certificate is from Comodo using sha256
The config below works with every known Outlook version down to Outlook 2003 on Windows XP, in combination with an RSA4096/SHA256 key, as well as with all other reasonable mail clients:
ssl_protocols = !SSLv2 !SSLv3
ssl_prefer_server_ciphers = yes
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA
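To see on a given OpenSSL build what the two points made in this thread mean in practice, here is an added example (not from the thread, not Dovecot code) that hands a Dovecot ssl_cipher_list string to the OpenSSL linked into Python's ssl module and reads back what it resolves to: first, which suites the `!SSLv3` cipher-list keyword in Jerry's string throws away (Harald's objection: those suites are still valid under TLS 1.0 and 1.1, and the protocol belongs in ssl_protocols instead), and second, the negotiation order Harald's explicit list above resolves to. The cipher strings are the ones quoted in the thread; the function names are this example's own, and the exact output depends on the local OpenSSL version and security level.

```python
import ssl

# Cipher strings exactly as quoted in the thread.
JERRY_LIST = "ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL"
HARALD_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:"
    "DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:"
    "CAMELLIA128-SHA:CAMELLIA256-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
)


def expand(cipher_string):
    """Resolve a cipher string the way Dovecot's ssl_cipher_list is resolved:
    hand it to OpenSSL and read back the ordered suite list. Returns
    (name, minimum protocol) pairs. TLS 1.3 suites are dropped because they
    are configured separately and are not affected by these strings."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def removed_by(cipher_string, keyword):
    """Suites that disappear when `keyword` (e.g. '!SSLv3') is appended."""
    before = expand(cipher_string)
    kept = {name for name, _ in expand(cipher_string + ":" + keyword)}
    return [(name, proto) for name, proto in before if name not in kept]


def sslv3_keyword_collateral():
    """Harald's point: '!SSLv3' in the cipher list does not disable the SSLv3
    protocol at all; it removes every suite whose minimum version is SSLv3,
    which are exactly the suites TLS 1.0/1.1-only clients need."""
    base = JERRY_LIST.replace(":!SSLv3", "")
    return removed_by(base, "!SSLv3")


def harald_order():
    """Negotiation order Harald's explicit list resolves to on this OpenSSL;
    suites the local build lacks (or its security level forbids) are absent."""
    return [name for name, _ in expand(HARALD_LIST)]


if __name__ == "__main__":
    for name, proto in sslv3_keyword_collateral():
        print("removed by !SSLv3 in the cipher list:", name, "(min", proto + ")")
    print("Harald's list resolves to:", ", ".join(harald_order()))
```

Running it shows the two configuration layers side by side: the cipher string decides which suites are offered, ssl_protocols decides which protocol versions are negotiated, and the `!SSLv3` keyword only ever acts on the former. Suites such as AES128-SHA appear with minimum protocol SSLv3 because that is the version they were defined for, not because offering them enables the SSLv3 protocol.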