Apple Mail Since upgrade to dovecot 2.3.x unable to connect
Dear all,
a couple of days ago I upgraded our server from Ubuntu 18.04 to 20.04, thereby upgrading dovecot from 2.2.x to 2.3.x.
Since then, some older versions of Apple's Mail.app (bundled with El Capitan, released in 2016) no longer connect. When I turn on SSL debugging, I see:
  Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
  imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument
Unfortunately, it doesn't reveal the name of the unsupported protocol. Also, what about the failed syscall? Does dovecot try and fail to open some file?
Here are the contents of /etc/dovecot/conf.d/10-ssl.conf:
  ssl = yes
  ssl_cert = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/fullchain.pem
  ssl_key = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/key.pem
  ssl_ca = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/ca.pem
  ssl_client_ca_dir = /etc/ssl/certs
  ssl_dh = </etc/dovecot/dh.pem
I would greatly appreciate any hints!
Cheers,
Johannes
On 17/08/2020 12:51 Johannes Rohr <jorohr@gmail.com> wrote:
> Dear all,
> a couple of days ago I upgraded our server from Ubuntu 18.04 to 20.04, thereby upgrading dovecot from 2.2.x to 2.3.x.
> Since then, some older versions of Apple's Mail.app (bundled with El Capitan, released in 2016) no longer connect. When I turn on SSL debugging, I see:
>   Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
>   imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument
> Unfortunately, it doesn't reveal the name of the unsupported protocol. Also, what about the failed syscall? Does dovecot try and fail to open some file?
> Here are the contents of /etc/dovecot/conf.d/10-ssl.conf:
>   ssl = yes
>   ssl_cert = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/fullchain.pem
>   ssl_key = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/key.pem
>   ssl_ca = </etc/ssl/letsencrypt/idaweb-mail.rooot.de/ca.pem
>   ssl_client_ca_dir = /etc/ssl/certs
>   ssl_dh = </etc/dovecot/dh.pem
> I would greatly appreciate any hints!
> Cheers,
> Johannes
You need to set
ssl_min_protocol = TLSv1.2 # or TLSv1
Aki
On 17.08.20 at 12:16, Aki Tuomi wrote:
> You need to set
> ssl_min_protocol = TLSv1.2 # or TLSv1
Thanks, tried both, but unsuccessfully. Again, is there any debug setting that allows me to see what SSL version was requested? Without this, this is fumbling in the dark.
Cheers,
Johannes
>> You need to set
>> ssl_min_protocol = TLSv1.2 # or TLSv1
> Thanks, tried both, but unsuccessfully. Again, is there any debug setting that allows me to see what SSL version was requested? Without this, this is fumbling in the dark.
In the German version of Apple Mail go to menu "Fenster" / "Verbindung prüfen".
There you can check the connection and log all transactions.
I don't know how detailed this is in older Apple Mail versions, but you could try.
  READ Aug 17 13:05:32.041 [kCFStreamSocketSecurityLevelTLSv1_2] -- host:mail.server.com -- port:587 -- socket:0x600005ff1980 -- thread:0x60000e5cb340
  235 2.7.0 Authentication successful
Best regards Gerald
On 17.08.20 at 13:10, Gerald Galster wrote:
>>> You need to set
>>> ssl_min_protocol = TLSv1.2 # or TLSv1
>> Thanks, tried both, but unsuccessfully. Again, is there any debug setting that allows me to see what SSL version was requested? Without this, this is fumbling in the dark.
> In the German version of Apple Mail go to menu "Fenster" / "Verbindung prüfen".
> There you can check the connection and log all transactions.
> I don't know how detailed this is in older Apple Mail versions, but you could try.
>   READ Aug 17 13:05:32.041 [kCFStreamSocketSecurityLevelTLSv1_2] -- host:mail.server.com -- port:587 -- socket:0x600005ff1980 -- thread:0x60000e5cb340
>   235 2.7.0 Authentication successful
Thanks Gerald, I'll try that. Strange though that the info isn't in the dovecot debug log.
Cheers,
Johannes
> Best regards Gerald
On 17 Aug 2020, at 05:10, Gerald Galster <list+dovecot@gcore.biz> wrote:
> I don't know how detailed this is in older Apple Mail versions
I don't think the detail has changed in many many years, if at all. I remember using the logs to troubleshoot security issues 15 years ago.
Mac OS 10.11 El Capitan was released in 2015, not 2016, but I don't think that makes any difference. El Capitan uses outdated versions of OpenSSL (0.9.9). Sierra (10.12) and High Sierra (10.13) have an updated stack and work fine with TLSv1.2.
Because the issue is the Unix-level tools, this is not generally something you can work around with a third-party client unless you find one with its own stack. Webmail would be the solution if someone refuses or is unable to update.
Any machine that is less than about 10-12 years old can update to 10.13 at no cost though.
-- I said pretend you've got no money, she just laughed and said, 'Eh you're so funny.' I said, 'Yeah? Well I can't see anyone else smiling in here.'
On Mon, 17 Aug 2020, Johannes Rohr wrote:
>> You need to set
>> ssl_min_protocol = TLSv1.2 # or TLSv1
> Thanks, tried both, but unsuccessfully.
Don't give up too easily/early on this.
I said this before, but MacOSX Mail behaves weirdly. I've more than once changed a server setting, without apparent effect, only to have MacOSX Mail mysteriously start working again after some time. Maybe it caches settings. Also, disable "Automatic manage connection" as failure to establish a successful session will cause your client to do some auto-wandering to discover settings, which could really do your head in.
Joseph Tam <jtam.home@gmail.com>
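Added example (not part of the thread and not Dovecot code): the "unsupported protocol" error in the debug log is raised while the server processes the ClientHello, so the version a client requested can be read from the first bytes it sends, for instance from a packet capture. This Python parser extracts the highest offered version from a raw ClientHello record and compares it with a given ssl_min_protocol value; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Wire values of the protocol versions, lowest to highest.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def highest_offered(data):
    """Return the highest protocol version a raw ClientHello record offers."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        offered = [struct.unpack_from("!H", data, 9)[0]]    # legacy client_version
        pos = 11 + 32                                       # skip version + random
        pos += 1 + data[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher_suites
        pos += 1 + data[pos]                                # compression_methods
        if pos < len(data):                                 # extensions are optional
            end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack_from("!HH", data, pos)
                body = data[pos + 4:pos + 4 + ext_len]
                if ext_type == 43 and body:                 # supported_versions
                    raw = body[1:1 + body[0]]
                    listed = [v for (v,) in struct.iter_unpack("!H", raw[:len(raw) & ~1])]
                    # Ignore GREASE and other unknown values.
                    offered = [v for v in listed if v in VERSIONS] or offered
                pos += 4 + ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    top = max(offered)
    return VERSIONS.get(top, f"unknown(0x{top:04x})")

def accepted_by(data, ssl_min_protocol):
    """True if the offer reaches the configured ssl_min_protocol value."""
    order = list(VERSIONS.values())
    return order.index(highest_offered(data)) >= order.index(ssl_min_protocol)

def sample_hello(version, extensions=b""):
    """Constructed sample input: a ClientHello with one cipher suite."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f\x01\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

OLD_CLIENT = sample_hello(0x0301)                                           # TLSv1 only
NEW_CLIENT = sample_hello(0x0303, b"\x00\x2b\x00\x05\x04\x03\x04\x03\x03")  # TLSv1.3 + TLSv1.2
```

accepted_by models only the ssl_min_protocol setting; any protocol floor set in the OpenSSL configuration itself is outside what it checks.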
participants (6)
- @lbutlr
- Aki Tuomi
- Gerald Galster
- Johannes Rohr
- Johannes Rohr
- Joseph Tam