[Dovecot] TLS/SSL for Win8 & Outlook

Jerry jerry at seibercom.net
Thu Jun 26 10:11:43 UTC 2014

On Thu, 26 Jun 2014 11:53:49 +0200, Adi Kriegisch stated:

> On Wed, May 21, 2014 at 09:14:26PM +0200, Robert Schetterer wrote:
> > On 21.05.2014 19:47, Sebastian Goodrick wrote:
> > > I just installed the (rapid-ssl) certificate and it works now.
> > > Needless to say that I don't understand it. The old certificate worked
> > > with all other clients but win8/outlook, plus the old dovecot install
> > > worked with win8/outlook as well.
> I am struggling with the same issue for some time now: win8/outlook isn't
> able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
> outlook side of things is 0x800CCC0E which is really helpful.
> The suggestion to disable TLSv1.2 on the windows side is dangerous:
> win8/8.1 requires TLSv1.2 for downloading updates -- no TLSv1.2, no
> updates. If absolutely necessary, disable TLSv1.2 on the dovecot side of
> things!
> I decided to do some additional debugging by running 'openssl s_server' on
> the imap server with the very same certificates and settings (as far as it
> is possible with s_server) on a different port, changed the port in outlook
> and manually proxied the imap requests through: That way outlook works just
> fine:
> openssl s_server -tls1_2 -accept 8993 -cert /etc/dovecot/my.crt \
>     -key /etc/dovecot/private/my.key -serverpref -cipher '...(*)' \
>     -dhparam /root/group16.pem
> (group16.pem contains 4096bit DH params that are standardized; on the
> dovecot side, the dhparam length is set to 4096bit as well)
> The very same thing happens with two different classes of ciphers:
> ECDHE-RSA-AES256-SHA (which is what win8/outlook used to use before the
> last update) and with DHE-RSA-AES256-GCM-SHA384 (which was just recently
> added by the last update by Microsoft). So neither EC nor DHE cause any
> changes in the behavior (as I was suspecting dovecot's dh params for some
> time).
> I think something in the handshake doesn't work the way it should and
> causes ms crypto api (v6.3 and v6.2) to just close the connection after
> handshake (a packet capture just shows the client sends a RST after key
> exchange).
> > there were some bugfixes with certificates ( windows )
> > but that should not impact brand new installs with full recent patch level
> AFAIK new (pretty cool) ciphers were introduced and I don't see how the
> issue can be solved by changing the certificate: I used a cert from CACert
> and a Cert signed by my own CA -- both resulting in a non-working
> connection between dovecot and outlook on win8(.1).
> However using the very same certificate with OpenSSL's s_server, the
> connection worked just fine (as did disabling TLSv1.2) -- both indicators
> that the certificates are just fine.
> The only thing I can imagine that EC and DHE have in common are some SSL
> extensions like session tickets (which outlook tried to use). Here are the
> details of the session outlook established with s_server:
> openssl sess_id -text -in param
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : C014             ## this is ECDHE-RSA-AES256-SHA
> or: 
>     Cipher    : 009F             ## this is with DHE-RSA-AES256-GCM-SHA384
>     Session-ID:
>     Session-ID-ctx: 01000000
>     Master-Key: (...)
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1403774959
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> I hope someone can help me/us out here!
> Thanks!
> -- Adi
> (*) see https://bettercrypto.org for a usable cipher string...

I did some checking on MS forums for this problem.

SMTP, Port: 25, Secure(SSL): No, Socket Error: 10060, Error Number: 0x800CCC0E

According to many of the posters, the problem is often caused by the AV
program blocking or messing with port 25.

What version of Outlook are you using anyway?
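
The quoted message suspects TLS extensions such as session tickets and mentions a packet capture. As an added example (not part of the original thread), this Python code lists the version, ciphers and extensions a captured ClientHello record offers, so the hello sent to Dovecot can be compared with the one sent to s_server. The sample bytes are constructed, not captured from Outlook, and `parse_client_hello` and `build_sample` are hypothetical names.

```python
import struct

# IANA numbers for the extensions and the two cipher IDs named in this thread.
EXT = {0: "server_name", 5: "status_request", 10: "supported_groups",
       11: "ec_point_formats", 13: "signature_algorithms",
       35: "session_ticket", 0xFF01: "renegotiation_info"}
CIPHER = {0xC014: "ECDHE-RSA-AES256-SHA", 0x009F: "DHE-RSA-AES256-GCM-SHA384"}
VERSION = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def parse_client_hello(record: bytes) -> dict:
    """Return offered version, ciphers and extensions from one TLS record."""
    try:
        rtype, _, rlen = struct.unpack_from("!BHH", record, 0)
        hs = record[5:5 + rlen]
        if rtype != 0x16 or len(hs) != rlen or hs[0] != 0x01:
            raise ValueError("not a complete ClientHello record")
        msg = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        (ver,) = struct.unpack_from("!H", msg, 0)
        pos = 2 + 32                        # client_version + random
        pos += 1 + msg[pos]                 # session_id
        (clen,) = struct.unpack_from("!H", msg, pos)
        ciphers = struct.unpack_from("!%dH" % (clen // 2), msg, pos + 2)
        pos += 2 + clen
        pos += 1 + msg[pos]                 # compression methods
        exts = []
        if pos < len(msg):                  # the extension block is optional
            (elen,) = struct.unpack_from("!H", msg, pos)
            pos, end = pos + 2, pos + 2 + elen
            while pos + 4 <= end:
                etype, dlen = struct.unpack_from("!HH", msg, pos)
                exts.append(EXT.get(etype, "type_%d" % etype))
                pos += 4 + dlen
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"version": VERSION.get(ver, hex(ver)),
            "ciphers": [CIPHER.get(c, "0x%04X" % c) for c in ciphers],
            "extensions": exts}


def build_sample() -> bytes:
    """Constructed ClientHello record for the demo (not an Outlook capture)."""
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in
                    [(10, bytes.fromhex("000400170018")), (35, b""), (0xFF01, b"\x00")])
    msg = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 4) +
           struct.pack("!HH", 0xC014, 0x009F) + b"\x01\x00" +
           struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed it the first client-to-server TLS record from each capture and diff the two results.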

