I can no longer use TLS for Windows7 and Outlook
I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f.
A few months ago there was an update to all these systems and since then I've had to talk W7 and old Mac clients through disabling ports 993/995 with TLS enabled back to ports 143/110 without SSL or they could not pick up email. Thunderbird users (i.e. me) were unaffected.
Could anyone share a set of port 993/995 SSL settings known to work with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_" please?
Mine is currently...
ssl_ca = </etc/ssl/certs/ca-certificates.crt
ssl_cert = </etc/ssl/example.com/fullchain.pem
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_options = no_compression no_ticket
ssl_prefer_server_ciphers = yes
I have commented out ssl_cipher_list, ssl_min_protocol and others to get back to whatever the defaults are so I am not simply guessing what the optimal settings would be to cover Win7 and up.
Yes I know Win7 is no longer supported but that does not help the 100s of older users I have that can't/won't upgrade their computers.
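Before guessing at settings it helps to see what the listener actually negotiates. The following is an added example, not code from this thread or from Dovecot: a POSIX shell probe that attempts one handshake per TLS version against a mail port with openssl s_client and reports the protocol and cipher the server accepted. The hostname mail.example.com is a placeholder. Run it from a machine whose own OpenSSL still permits the older versions (the probing side's openssl.cnf can refuse TLS 1.0/1.1 before the server is ever asked), and compare the result with what a Windows 7 client can offer.

```shell
#!/bin/sh
# Added example (not from the thread or Dovecot): probe which TLS versions and
# ciphers an IMAP/POP3 listener accepts. Assumes `openssl` (1.1.1 or later) is
# on PATH; mail.example.com in the usage line is a placeholder.

# parse_sclient: read `openssl s_client` output on stdin and print
# "<protocol> <cipher>" from the SSL-Session summary, or "handshake-failed"
# when no cipher was agreed (s_client then prints "Cipher    : 0000").
parse_sclient() {
  awk '
    /^ *Protocol *:/ { proto  = $3 }   # e.g. "    Protocol  : TLSv1.2"
    /^ *Cipher *:/   { cipher = $3 }   # e.g. "    Cipher    : ECDHE-RSA-AES256-SHA384"
    END {
      if (proto == "" || cipher == "" || cipher == "0000")
        print "handshake-failed"
      else
        print proto " " cipher
    }'
}

# probe_version: one handshake at exactly the given TLS version.
#   $1 = host, $2 = port, $3 = openssl version flag (-tls1, -tls1_1, -tls1_2, -tls1_3)
# Ports 143/110 need STARTTLS; 993/995 are implicit TLS.
probe_version() {
  host=$1; port=$2; flag=$3
  case $port in
    143) starttls="-starttls imap" ;;
    110) starttls="-starttls pop3" ;;
    *)   starttls="" ;;
  esac
  # stdin closed so s_client exits right after the handshake summary
  openssl s_client -connect "$host:$port" -servername "$host" \
      $starttls "$flag" </dev/null 2>/dev/null | parse_sclient
}

# probe_all: print a version -> outcome table for one listener.
probe_all() {
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
  done
}

# Usage (hostname is an assumption):
#   probe_all mail.example.com 993
#   probe_all mail.example.com 143
```

A row reading "handshake-failed" for -tls1 and -tls1_1 with a success for -tls1_2 is exactly the situation a Windows 7 client with TLS 1.2 disabled runs into; the fix is then on the client, not in lowering the server's minimum.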
On May 31, 2020 6:36:52 AM GMT+02:00, Mark Constable <markc@renta.net> wrote:
I would under no circumstances allow access without TLS. You could also switch back to an older version of Ubuntu / openssl which in turn would allow the old clients to use SSL/TLS again. This would allow for an extended time period getting those clients to upgrade their OS.
TLS 1.1 & TLS 1.2 are enabled by default on post-Windows 8.1 releases. Prior to that they were disabled by default, so the administrators have to enable the settings manually via the registry. Refer to this article on how to enable these protocols via the registry: https://support.Microsoft.com/en-us/kb/187498
I haven't tested this as I don't have a Win7 installation available.
Good luck.
[1] https://support.globalsign.com/ssl/general-ssl/tls-protocol-compatibility
[2] https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-proto...
Christian Kivalo
On 30 May 2020, at 22:36, Mark Constable <markc@renta.net> wrote:
993/995 with TLS enabled back to ports 143/110 without SSL or they could not pick up email. Thunderbird users (ie; me) were unaffected.
Insecure mail login is far too risky to allow. I don't even allow it within a LAN.
Could anyone share a set of port 993/995 SSL settings known to work with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_" please?
If the users cannot upgrade to an OS that works with TLS 1.2, then you need to either move them to a client that does its own TLS handling, or set up webmail (like Horde or Roundcube).
Those clients on older machines are similarly going to have trouble accessing banks, health sites, or other secure logins as TLS 1.0 and 1.1 are not supported anymore. In fact, if it were not for the current pandemic, their browsers would already have lost TLS 1.0 and 1.1 abilities.
-- Margo: Give me a phaser and a red shirt. Male centurion: What?
On 5/31/20 11:54 AM, Aki Tuomi wrote:
Since you mention the newest Ubuntu version, it may (most likely) be necessary to enable TLS 1.0 / 1.1 in openssl as well. I ran into this with Debian 10 some time ago.
/etc/ssl/openssl.conf
[system_default_sect] -MinProtocol = TLSv1.2 +MinProtocol = TLSv1
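Review bot: MinProtocol in [system_default_sect] is the system-wide OpenSSL default, so lowering it to TLSv1 re-enables TLS 1.0 for every OpenSSL-linked program on the host, not just Dovecot. Dovecot has its own ssl_min_protocol setting (the original post mentions having commented it out), which scopes the same relaxation to the mail listener alone; if the system value is lowered anyway, set ssl_min_protocol explicitly to the lowest version actually needed so the exception is visible in dovecot -n and can be raised back later.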
In terms of Dovecot ciphers config, Windows should be happy with TLS_RSA_WITH_3DES_EDE_CBC_SHA which is less broken than the other older ciphers.
-- K
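The original post had ssl_cipher_list and ssl_min_protocol commented out, and the reply above proposes TLS 1.0 plus 3DES as the compatibility floor. As an added example covering both (not code from the thread or from Dovecot), here is a shell snippet that prints a Dovecot drop-in keeping the listener at TLS 1.2 with suites a TLS 1.2-enabled Windows 7 / Outlook client can negotiate, together with an audit over `openssl ciphers -v` output that flags 3DES, RC4, NULL and non-forward-secret (Kx=RSA) suites. Which suites Windows 7's Schannel offers over TLS 1.2 is an assumption here, as is the drop-in path; confirm both against the server with a handshake probe.

```shell
#!/bin/sh
# Added example (not from the thread or Dovecot): a TLS 1.2-only Dovecot
# drop-in for older Windows clients, plus an audit of the expanded cipher list.
# Assumes `openssl` on PATH. The cipher list reflects an assumption about which
# TLS 1.2 suites Windows 7 Schannel offers for an RSA certificate; the ECDHE
# CBC suites with SHA256/SHA384 MACs are the forward-secret ones it is
# believed to support.

CIPHERS='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!MD5:!3DES:!RC4'

# ssl_dropin: print the conf.d snippet (path in the usage note is assumed).
ssl_dropin() {
  cat <<EOF
# local TLS policy: no TLS 1.0/1.1, no 3DES/RC4, server picks the suite
ssl_min_protocol = TLSv1.2
ssl_cipher_list = $CIPHERS
ssl_prefer_server_ciphers = yes
EOF
}

# audit_ciphers: read `openssl ciphers -v` output on stdin and print every
# suite that is 3DES, RC4, NULL, anonymous, or lacks forward secrecy (Kx=RSA).
# Exit status 1 if anything was flagged, 0 if the list is clean.
# Columns are: name  version  Kx=...  Au=...  Enc=...  Mac=...
audit_ciphers() {
  awk '
    $3 == "Kx=RSA" || $4 == "Au=None" || $5 ~ /Enc=(3DES|RC4|None)/ {
      print $1 " " $3 " " $5
      bad++
    }
    END { exit (bad > 0) }'
}

# Usage (paths are assumptions):
#   ssl_dropin > /etc/dovecot/conf.d/99-ssl-local.conf && doveadm reload
#   doveconf -n | grep '^ssl_'
#   openssl ciphers -v "$CIPHERS" | audit_ciphers && echo "cipher list is clean"
```

The audit is deliberately run on the expanded list rather than the string, because a negative entry such as !3DES only removes suites the positive part would otherwise have pulled in; if a future edit drops the ECDHE prefix, Kx=RSA suites show up in the output and the exit status turns non-zero.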
On 31-5-2020 06:36, Mark Constable wrote:
Did you enable TLS1.2 in Windows 7?
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-an...
(or, not tested on Windows 7: https://www.nartac.com/Products/IISCrypto/ )
participants (7)
- @lbutlr
- Aki Tuomi
- Benny Pedersen
- Christian Kivalo
- Kostya Vasilyev
- Luuk
- Mark Constable