Office 365 SSL issue

hi at zakaria.website
Sat Oct 22 13:21:39 UTC 2022


On 2022-10-22 09:30, Ervin Hegedüs wrote:
> Hi there,
> 
> I have a bit old Dovecot instance (Ubuntu 14.04 - there is no
> chance to upgrade it), with these versions of packages:
> 
> * Dovecot: 2.2.9
> * OpenSSL: 1.0.1f
> 
> A few days ago a client notified me that he can't reach his mails
> through his Office 365. He uses POP3S.
> 
> I tried to set up the same client for this Dovecot server, but when
> I configured the POP3 protocol, after the settings check Office
> says:
> 
> Your server does not support the connection encryption type you
> have specified. Try changing the encryption method. Contact your
> mail server ...
> 
> While the client was trying, I saw these lines in the log:
> 
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF>
> 
> Which is weird, because I disabled SSLv3. Here is the (relevant)
> config:
> 
> ssl_cert = </etc/dovecot/dovecot.crt
> ssl_key = </etc/dovecot/dovecot.key
> ssl_dh_parameters_length = 2048
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> verbose_ssl = yes
> 
> When I check the supported encryption type with nmap, I get this:
> 
> $ nmap --script ssl-enum-ciphers -p 995 192.168.8.21
> Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-22 10:20 CEST
> Nmap scan report for 192.168.8.21
> Host is up (0.021s latency).
> 
> PORT    STATE SERVICE
> 995/tcp open  pop3s
> | ssl-enum-ciphers:
> |   TLSv1.0:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |   ...
> |   TLSv1.1:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |   ...
> |   TLSv1.2:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |   ...
> |_  least strength: C
> 
> When I check the traffic with tcpdump, I see that client
> uses TLSv1.2:
> 
> https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png
> 
> Only the one client who reported the problem and my test client
> can't reach the server - the other (about) 400 users can (but I don't
> know what kinds of clients they use - most use Thunderbird).
> 
> 
> What can I do? How can I fix this problem? As I wrote, this
> problem came up suddenly a few days ago...
> 
> 
> Thanks,
> 
> 
> a.

Hi,

You might want to check the changelog of the upcoming release:
https://doc.dovecot.org/3.0/installation_guide/upgrading/from-2.3-to-3.0/

Notice the point "OpenSSL support for older than 1.0.2: Older versions
are not supported anymore."

I think you should be able to upgrade both OpenSSL and Dovecot on the
same instance if you compile them manually. Also, you can install an
additional OpenSSL and load its module, e.g. as libssl.so, and move the
older libssl.so.1.0.1 so that the new one becomes the default. Make sure
to install anything above 1.0.1.

Good luck.

Zakaria.
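A note on reading the quoted verbose_ssl output: the "SSLv3 ..." labels are the names of OpenSSL 1.0.x's handshake state machine and are printed for every TLS version, so they do not by themselves show that SSLv3 was negotiated, and a Debug line with where=0x2002 (SSL_CB_ACCEPT_EXIT) and ret=-1 is how a non-blocking SSL_accept() reports that it is still waiting for the client; only the "Warning: SSL failed" line is the actual failure. As an added example, not from the thread or from Dovecot, this Python script parses log lines in the format quoted above and reports, per client IP, the last step the server completed before the client stopped answering (the sample log is abbreviated from the thread plus one constructed client that succeeds).

```python
import re
from collections import defaultdict

# OpenSSL info-callback "where" flags (from ssl.h); Dovecot logs the raw mask.
SSL_CB_LOOP = 0x01      # one handshake state-machine step completed
SSL_CB_EXIT = 0x02      # SSL_accept() returned; ret<=0 means error or would-block
SSL_CB_ACCEPT = 0x2000  # server side of the handshake

DEBUG_RE = re.compile(r"pop3-login: Debug: SSL: where=(0x[0-9a-f]+), ret=(-?\d+): (.+?) \[([\d.]+)\]$")
FAIL_RE = re.compile(r"pop3-login: Warning: SSL failed: where=0x[0-9a-f]+: (.+?) \[([\d.]+)\]$")

def analyze(lines):
    """Map client IP -> report for each handshake that ended in 'SSL failed':
    last_completed (last server step finished), failed_at (state in the failure
    line) and waits (would-block returns from SSL_accept() before the failure)."""
    progress = defaultdict(lambda: {"last_completed": None, "waits": 0})
    failures = {}
    for line in lines:
        m = DEBUG_RE.search(line)
        if m:
            where, ret, state, ip = int(m[1], 16), int(m[2]), m[3], m[4]
            if where & SSL_CB_ACCEPT and where & SSL_CB_LOOP and ret == 1:
                progress[ip]["last_completed"] = state  # a step really finished
            elif where & SSL_CB_EXIT and ret <= 0:
                progress[ip]["waits"] += 1  # waiting for client data, not yet an error
            continue
        m = FAIL_RE.search(line)
        if m:
            state, ip = m.groups()
            failures[ip] = dict(progress.pop(ip, {"last_completed": None, "waits": 0}), failed_at=state)
    return failures

# Sample log: the failing session from the thread (abbreviated) plus a constructed
# second client (192.168.8.50) that finishes its handshake and must not be reported.
P = "Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: "
SAMPLE_LOG = [
    P + "where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133]",
    P + "where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133]",
    P + "where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133]",
    P + "where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133]",
    P + "where=0x2001, ret=1: SSLv3 flush data [192.168.8.133]",
    P + "where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]",
    P + "where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]",
    "Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133]",
    P + "where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.50]",
    P + "where=0x20, ret=1: SSL negotiation finished successfully [192.168.8.50]",
]

for ip, r in analyze(SAMPLE_LOG).items():  # demo run over the sample above
    print(f"{ip}: server finished '{r['last_completed']}', waited {r['waits']}x, failed at '{r['failed_at']}'")
```

For the thread's session this reports that the server had sent its complete first flight (up to "SSLv3 flush data") and the client never answered, which points at the client rejecting something in the server's offer rather than at the protocol version.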

