Office 365 SSL issue
Jeff Koch
jeffkoch at intersessions.com
Sat Oct 22 13:05:42 UTC 2022
We had the same problem starting around October 14th - 'unsupported
encryption type' - we were running Dovecot 2.2.32. It was resolved by
upgrading Dovecot, in our case, to v2.3.7
Jeff
On 10/22/2022 4:30 AM, Ervin Hegedüs wrote:
> Hi there,
>
> I have a bit old Dovecot instance (Ubuntu 14.04 - there is no
> chance to upgrade it), with these versions of packages:
>
> * Dovecot: 2.2.9
> * OpenSSL: 1.0.1f
>
> Few days ago a client noticed me, that he can't reach his mails
> through his Office 365. He uses POP3S.
>
> I tried to set up a same client for this Dovecot server, but when
> I configured the POP3 protocoll, after the settings check Office
> says:
>
> Your server does not support the connection encryption type you
> have specified. Try changing the encryption method. Contact your
> mail server ...
>
> While the client was trying, I see these lines in the log:
>
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF>
>
> Which is weird, because I disabled SSLv3. Here is the (relevant)
> config:
>
> ssl_cert = </etc/dovecot/dovecot.crt
> ssl_key = </etc/dovecot/dovecot.key
> ssl_dh_parameters_length = 2048
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> verbose_ssl = yes
>
> When I check the supported encryption type with nmap, I get this:
>
> $ nmap --script ssl-enum-ciphers -p 995 192.168.8.21
> Starting Nmap 7.80 (https://nmap.org ) at 2022-10-22 10:20 CEST
> Nmap scan report for 192.168.8.21
> Host is up (0.021s latency).
>
> PORT STATE SERVICE
> 995/tcp open pop3s
> | ssl-enum-ciphers:
> | TLSv1.0:
> | ciphers:
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> | ...
> | TLSv1.1:
> | ciphers:
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> | ...
> | TLSv1.2:
> | ciphers:
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> | ,,,
> |_ least strength: C
>
> When I check the traffic with tcpdump, I see that client
> uses TLSv1.2:
>
> https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png
>
> Only the one client who reported the problem, and my test client
> can't reach the server - other (about) 400 users can (but I don't
> know with what kind of types of clients - most use Thunderbird).
>
>
> What can I do? How can I fix this problem? As I wrote, this
> problem has came few days ago suddenly...
>
>
> Thanks,
>
>
> a.
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20221022/3926966f/attachment.htm>
More information about the dovecot
mailing list