Hi there,
I have a rather old Dovecot instance (Ubuntu 14.04 - there is no chance to upgrade it), with these versions of packages:
- Dovecot: 2.2.9
- OpenSSL: 1.0.1f
A few days ago a client notified me that he can't reach his mail through Office 365. He uses POP3S.
I tried to set up the same client against this Dovecot server, but when I configured the POP3 protocol, after the settings check Office says:
Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server ...
While the client was trying, I see these lines in the log:
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF>
Which is weird, because I disabled SSLv3. Here is the (relevant) config:
ssl_cert = </etc/dovecot/dovecot.crt
ssl_key = </etc/dovecot/dovecot.key
ssl_dh_parameters_length = 2048
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
verbose_ssl = yes
When I check the supported encryption type with nmap, I get this:
$ nmap --script ssl-enum-ciphers -p 995 192.168.8.21
Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-22 10:20 CEST
Nmap scan report for 192.168.8.21
Host is up (0.021s latency).

PORT    STATE SERVICE
995/tcp open  pop3s
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       ...
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       ...
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       ...
|_  least strength: C
When I check the traffic with tcpdump, I see that client uses TLSv1.2:
https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png
Only the one client who reported the problem and my test client can't reach the server; the other (about) 400 users can (but I don't know what kinds of clients they use - most use Thunderbird).
What can I do? How can I fix this problem? As I wrote, this problem came up suddenly a few days ago...
Thanks,
a.
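The log above is easier to read as a per-client timeline: the server wrote its ServerHello, Certificate, ServerKeyExchange and ServerHelloDone, flushed them, and then sat in "read client certificate A" until the peer went away, so the side that gave up is the client, after seeing the server's first flight. One caveat for anyone triaging such logs: OpenSSL 1.0.x labels every state of its shared SSLv3/TLS 1.x state machine with the prefix "SSLv3", so "SSLv3 read client hello A" does not mean SSLv3 was negotiated (the tcpdump capture showing TLSv1.2 is the authoritative view). The script below is an added example, not code from this thread or from the Dovecot project; it assumes the Dovecot 2.2 verbose_ssl line format quoted in the post, and the sample log it embeds is constructed from the quoted session plus an invented successful handshake from a second client for contrast.

```python
"""Summarise Dovecot verbose_ssl handshake logs per client.

Added example; not Dovecot project code. Assumes the 2.2-era line format
'<service>-login: Debug: SSL: where=0x..., ret=N: <state> [ip]' and the
'Disconnected (...): ..., rip=<ip>, ..., TLS handshaking: <reason>' summary.
"""
import re
from collections import OrderedDict

# Handshake state lines written by the login process when verbose_ssl = yes.
# 'ret' is absent on the 'Warning: SSL failed' line, hence optional.
SSL_LINE = re.compile(
    r"(?P<service>\w+-login): (?P<sev>Debug|Warning): SSL(?: failed)?: "
    r"where=(?P<where>0x[0-9a-fA-F]+)(?:, ret=(?P<ret>-?\d+))?: "
    r"(?P<state>[^\[]+?) \[(?P<ip>[0-9a-fA-F.:]+)\]$"
)

# Disconnect summary line; 'TLS handshaking: ...' is present only when the
# connection dropped before the handshake completed.
DISC_LINE = re.compile(
    r"(?P<service>\w+-login): Disconnected \((?P<reason>[^)]*)\):.*?\brip=(?P<ip>[0-9a-fA-F.:]+)"
    r"(?:.*?TLS handshaking: (?P<tls>[^,]+))?"
)

# Constructed sample: the failing session quoted in the thread (192.168.8.133)
# plus an invented successful handshake from 192.168.8.140 for contrast.
SAMPLE_LOG = """\
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF>
Oct 21 16:13:02 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.140]
Oct 21 16:13:02 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.140]
Oct 21 16:13:02 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [192.168.8.140]
Oct 21 16:13:02 mail dovecot: pop3-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.8.140]
Oct 21 16:13:02 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.168.8.140, lip=192.168.8.21, mpid=4242, TLS, session=<constructed0001>
"""


def parse_line(line):
    """Classify one log line as a handshake state, a disconnect, or None."""
    m = SSL_LINE.search(line)
    if m:
        return {
            "kind": "ssl",
            "severity": m["sev"],
            "where": int(m["where"], 16),
            "ret": int(m["ret"]) if m["ret"] is not None else None,
            "state": m["state"].strip(),
            "ip": m["ip"],
        }
    m = DISC_LINE.search(line)
    if m:
        return {
            "kind": "disconnect",
            "reason": m["reason"],
            "ip": m["ip"],
            "tls": m["tls"].strip() if m["tls"] else None,
        }
    return None


def summarize(lines):
    """Group handshake events by client IP.

    Returns an OrderedDict ip -> {"states": [...], "failed_at": str|None,
    "disconnect": str|None}: 'failed_at' is the state named on the
    'SSL failed' warning, 'disconnect' the 'TLS handshaking:' reason if any.
    """
    sessions = OrderedDict()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = sessions.setdefault(ev["ip"], {"states": [], "failed_at": None, "disconnect": None})
        if ev["kind"] == "ssl":
            s["states"].append(ev["state"])
            if ev["severity"] == "Warning":
                s["failed_at"] = ev["state"]
        elif ev["tls"]:
            s["disconnect"] = ev["tls"]
    return sessions


def diagnose(session):
    """Explain how a session's handshake ended, from the server's viewpoint."""
    if session["failed_at"] is None:
        if any("finished successfully" in st for st in session["states"]):
            return "handshake completed"
        return "handshake still in progress (no failure logged)"
    # The 'SSLv3 ' prefix is OpenSSL 1.0.x's label for the shared SSLv3/TLS 1.x
    # state machine; it does not mean SSLv3 was negotiated.
    wire_state = session["failed_at"].replace("SSLv3 ", "")
    if wire_state.startswith("read client") and session["disconnect"]:
        return (
            "client closed the connection while the server waited in '%s'; "
            "the server's ServerHello/Certificate/ServerKeyExchange flight was "
            "sent, so the client, not the server, aborted after seeing it" % wire_state
        )
    return "handshake failed in '%s'" % wire_state


if __name__ == "__main__":
    for ip, sess in summarize(SAMPLE_LOG.splitlines()).items():
        print("%s: %s" % (ip, diagnose(sess)))
```

Feeding the real mail.log through summarize() (for example `summarize(open("/var/log/mail.log"))`) gives one verdict per client IP, which makes it easy to see whether only specific clients abort after the server's first flight, as in the post, or whether every handshake fails at the same state.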
On Sat, Oct 22, 2022 at 11:31 AM Ervin Hegedüs <airween@gmail.com> wrote:
[...]
If the client is running Windows 11 and recently updated to 22H2, then you may be interested in the below:
https://support.microsoft.com/en-us/topic/october-17-2022-kb5020387-os-build...
--
Best regards,
Odhiambo WASHINGTON, Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
On Sat, Oct 22, 2022 at 12:49:29PM +0300, Odhiambo Washington wrote:
On Sat, Oct 22, 2022 at 11:31 AM Ervin Hegedüs <airween@gmail.com> wrote:
Hi there,
I have a bit old Dovecot instance (Ubuntu 14.04 - there is no chance to upgrade it), with these versions of packages:
- Dovecot: 2.2.9
- OpenSSL: 1.0.1f
[...]
If the client is running Windows 11 and recently updated to 22H2, then you may be interested in the below:
https://support.microsoft.com/en-us/topic/october-17-2022-kb5020387-os-build...
No, I'm sure the clients are Windows 10. The test machine I got hadn't been turned on for months, so I assume most updates are missing there...
thanks,
a.
We had the same problem starting around October 14th - 'unsupported encryption type' - we were running Dovecot 2.2.32. It was resolved by upgrading Dovecot, in our case, to v2.3.7
Jeff
On 10/22/2022 4:30 AM, Ervin Hegedüs wrote:
[...]
Hi Jeff,
On Sat, Oct 22, 2022 at 09:05:42AM -0400, Jeff Koch wrote:
We had the same problem starting around October 14th - 'unsupported encryption type' - we were running Dovecot 2.2.32. It was resolved by upgrading Dovecot, in our case, to v2.3.7
Well, thanks for your answer (and thanks to Zakaria as well).
This is sad news, but if there is no other option... I have to reinstall the whole machine.
The described behavior is a bit odd, because if the user replaces the hostname of the IMAP/POP server with the server's IP address in the settings, the client warns him that the certificate is invalid (because of the FQDN), but after that it works...
Thanks,
a.
On 2022-10-22 09:30, Ervin Hegedüs wrote:
[...]
Hi,
You might want to check incoming releases changelog https://doc.dovecot.org/3.0/installation_guide/upgrading/from-2.3-to-3.0/
Notice the point " OpenSSL support for older than 1.0.2: Older versions are not supported anymore. "
I think you should be able to upgrade both openssl and dovecot on the same instance if you compile them manually. Also, you can install an additional openssl, load its module, e.g. as libssl.so, and move the older libssl.so.1.0.1 so that the new one becomes the default. Make sure to install anything above 1.0.1.
Good luck.
Zakaria.