[Dovecot] TLS/SSL for Win8 & Outlook

Robert Schetterer rs at sys4.de
Wed May 7 19:59:57 UTC 2014


On 07.05.2014 21:15, Sebastian Goodrick wrote:
> Hello
> 
> I recently upgraded to dovecot 2.1.7 (as supplied with Debian Wheezy).
> All clients work as expected except for Outlook (2013 & 2010) on Win8
> with a SSL/TLS connection. (Thunderbird on Win8 and Outlook 2013 on
> Win 7 work fine. On my previous dovecot version 1.2.13 all clients
> worked.)
> As far as I understand, one difference is the support for TLS1.2 and
> SSL3. And on the client side Win8 is now connecting through the
> Microsoft Unified Security Protocol Provider.
> 
> My logs show these issues:
> 
> Dovecot:
> May 06 21:05:43 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3
> read client certificate A [78.42.x.x]
> May 06 21:05:43 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv3
> read client certificate A [78.42.x.x]
> May 06 21:05:43 imap-login: Warning: SSL failed: where=0x2002: SSLv3
> read client certificate A [78.42.x.x]
> May 06 21:05:43 imap-login: Info: Disconnected (no auth attempts in 0
> secs): user=<>, rip=78.42.x.x, lip=144.76.x.x, TLS handshaking: Disconnect
> 
> Outlook 2013 (contains German, translation in []):
> IMAP: 12:30:02 [db] Mit 'mail.xxx.de' wird eine Verbindung an Port 143
> hergestellt. [A connection to port 143 is established with 'mail.xxx.de']
> [snip]
> IMAP: 12:30:02 [rx] * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
> LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN
> AUTH=DIGEST-MD5 AUTH=CRAM-MD5] Welcome at mail.xxx.de
> [snip]
> IMAP: 12:30:02 [rx] hmpc OK Pre-login capabilities listed, post-login
> capabilities have more.
> IMAP: 12:30:02 [tx] ekum STARTTLS
> IMAP: 12:30:02 [db] OnNotify: asOld = 5, asNew = 5, ae = 3
> IMAP: 12:30:02 [rx] ekum OK Begin TLS negotiation now.
> IMAP: 12:30:02 [db] Mit 'Microsoft Unified Security Protocol Provider'
> wird eine sichere Verbindung ausgehandelt. [A secure connection is
> negotiated with 'Microsoft Unified Security Protocol Provider']
> IMAP: 12:30:02 [db] OnNotify: asOld = 5, asNew = 6, ae = 2
> IMAP: 12:30:03 [db] Die Verbindung mit 'mail.xxx.de' wurde
> geschlossen. [Connection to 'mail.xxx.de' has been closed.]
> IMAP: 12:30:03 [db] OnNotify: asOld = 6, asNew = 0, ae = 5
> IMAP: 12:30:03 [db] ERROR: "Es kann keine sichere Verbindung mit dem
> Server hergestellt werden.", hr=2148322330 [Can't establish a secure
> connection with the server.]
> 
> My settings for ssl_protocols and ssl_cipher_list are empty. Since it
> works with most clients, I assume no broken certificates or my dovecot
> configuration. The connection fails at the TLS/SSL handshake.
> Has anyone seen this behaviour, too? Is there a setting (for
> ssl_protocols and ssl_cipher_list) to support Outlook on Win8?
> 
> Thanks, Sebastian
> 

Before doing more analysis, triple check
there are no auth problems with your setup.
Your log does not look like this, but don't ever trust
Microsoft logs and its mysticals; check dove log too for auth problems.
As ever, shut down any antivirus, imap proxies, firewalls too for testing.

Set dove debug ssl max verbose,
perhaps use wireshark etc. too.

from
http://forum.mailtraq.com/viewtopic.php?f=7&t=1913

...
I have been diagnosing the problem with Windows 8 and we think it has
been identified, although we are still waiting for confirmation from
Microsoft. It appears that Microsoft have changed the TLS security
protocol requirements in the Unified Security Protocol Provider that
ships with Windows 8.
...

some other stuff

http://technet.microsoft.com/de-de/office/aa374757%28v=vs.71%29
http://technet.microsoft.com/de-de/office/bb870930%28v=vs.71%29
http://support.microsoft.com/kb/245030

Perhaps I will run my own tests tomorrow and report again.



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein

