TLS problem with iOS 9 Mail clients
Maik Musall
lists at musall.de
Sat Jan 2 13:57:58 EET 2021
> On 02.01.2021 at 01:42, @lbutlr <kremels at kreme.com> wrote:
>
> On 01 Jan 2021, at 16:01, Maik Musall <lists at musall.de> wrote:
>> recently I migrated my mail server from an Ubuntu 16.04 box to an Ubuntu 20.04 box, so from dovecot 2.2.22 to 2.3.7.2, and to openssl 1.1.1.f. While everything else works fine, I have one important user stuck on an iOS 9 device that I need to support for a while longer, with which the IMAP TLS handshake keeps failing. From the logs:
>
> macOS 9 does not support any currently valid and supported TLS version and cannot communicate on the Internet securely.
>
>> Does anyone have an idea what else I could try?
>
> Have them get an iPad for mail? I don't think they can even use secure webmail.
I think you misread that. It’s not macOS 9, it’s iOS 9. So it IS an iPad, but an iPad mini first generation, which can’t run anything newer than iOS 9.
After a hint via a private email and some more investigation, turns out I would have to lower the overall security level by applying a custom openssl config to dovecot (see https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level). I would be ok to allow ONE cipher/TLS combination that matches what iOS 9 Mail can do, but I’m not willing to do it this way. I’d rather buy the user a newer iPad ;-)
It’s a pity that Apple botched this Mail.app release. They increased security in iOS 9 for all sorts of other things, including requiring TLS 1.2 for app security, but apparently they forgot to update Mail along with it.
Maik
P.S. I got dozens of DMARC warnings on my previous email because my server applied a DKIM signature, and the dovecot mailing list server didn’t remove it and also didn’t apply its own… had to exclude mails to this list from being DKIM-signed. So if anyone receives this, but not my previous mail, that is probably the reason.