Dovecot won't accept IMAP TLS 1 connections from older devices [SOLVED]
Aki Tuomi
aki.tuomi at open-xchange.com
Fri Oct 16 07:58:55 EEST 2020
> On 16/10/2020 07:18 Brian Martin <bmartin at silverflash.net> wrote:
>
>
> I've spent days scouring the Internet and trying various solutions on a
> problem with my Dovecot installation, so I thought I'd share what I
> learned in hopes of saving other people a lot of time. The dedicated
> Dovecot hands will know all of the following already. This is for those
> of us that have to cover a lot of bases.
>
> I upgraded my mail server from Ubuntu 18.04.1 to Ubuntu 20.04.1, and
> found that older Mac-books and iPads (and probably other devices) could
> no longer establish IMAP connections to Dovecot. Dovecot logged:
>
> SSL routines:tls_early_post_process_client_hello:unsupported protocol
>
> and TCP/IP traces showed that it dropped the connection after the
> client's initial HELLO. I tested what kinds of connections Dovecot
> would accept with (for example):
>
> openssl s_client -tls1_1 -connect localhost:993 # Test whether
> TLSv1.1 is accepted - received "unsupported protocol" message.
>
> Searching showed that Dovecot has a parameter "ssl_min_protocol", which
> is documented as defaulting to TLSv1. Nevertheless I explicitly set it
> to TLSv1 with no effect. This was a red herring. I spent a long time
> looking to see if Dovecot had a bug in handling this newish parameter, etc.
>
> Eventually I came across one posting regarding a web server, that told
> me the OpenSSL libraries that Dovecot and lots of other packages use has
> a single configuration file for the entire system. In Ubuntu 20.04 it
> defaults to requiring TLSv1.2 or above. Changing the configuration for
> OpenSSL affects everything on the system using the library. I changed
> the file, restarted Dovecot, and it immediately accepted TLSv1 connections.
>
> Obviously I'd prefer to maintain the improved security of TLSv1.2, but
> in my case it was better to continue providing mail service at a lower
> security level than to deny service to some users until they upgraded
> their personal devices. You'll need to make your on decision on that score.
>
> The file to change is (on Ubuntu, at least) /usr/lib/ssl/openssl.cnf.
> The change consists of adding a line of code in the initial section that
> invokes several new sections later:
>
> In the initial section I added:
>
> openssl_conf = default_conf
>
> Then at the bottom of the file I added:
>
> [default_conf]
> ssl_conf = ssl_sect
>
> [ssl_sect]
> system_default = system_default_sect
>
> [system_default_sect]
> MinProtocol = TLSv1
> CipherString = DEFAULT at SECLEVEL=1
>
> There is an alternative approach that I have read of but not tested.
> Basically you can create a new file elsewhere with the customized
> content, and then set an environmental variable (OPENSSL_CONF) just
> before launching Dovecot that points to your new file. This way, only
> Dovecot is using downgraded security. Since my mail server is a
> dedicated system and I didn't want to muck with the Dovecot start-up
> environment, I didn't feel the need to go that route.
>
> So all my digging into why Dovecot wouldn't accept TLSv1 connections and
> how to change it were completely on the wrong path. It would be nice if
> Dovecot could log a message when its ssl_min_protocol is set lower than
> what OpenSSL will accept, but Dovecot may not be able to tell what
> OpenSSL is doing. In any case, those are the symptoms, the real
> problem, and how to fix it. Good luck, and thanks to Matt Caswell for
> posting the answer that I eventually found.
>
> Ref:
> https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
Yeah. This is a known issue, and we have a ticket about allowing configuring the minimum accepted level on dovecot. It has not been done yet, though.
Thank you for the workaround.
Aki
More information about the dovecot
mailing list