<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 5/31/20 11:54 AM, Aki Tuomi wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2110204691.1168.1590915268528@appsuite-dev-gw2.open-xchange.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="UTF-8">
<div> <br>
</div>
<blockquote type="cite">
<div> On 31/05/2020 07:36 Mark Constable &lt;<a
href="mailto:markc@renta.net" moz-do-not-send="true">markc@renta.net</a>&gt;
wrote: </div>
<div> <br>
</div>
<div> <br>
</div>
<div> I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and
OpenSSL 1.1.1f. </div>
<div> <br>
</div>
<div> A few months ago there was an update to all these systems
and since </div>
<div> then I've had to talk W7 and old Mac clients through
disabling ports </div>
<div> 993/995 with TLS enabled back to ports 143/110 without SSL
or they </div>
<div> could not pick up email. Thunderbird users (i.e. me) were
unaffected. </div>
<div> <br>
</div>
<div> Could anyone share a set of port 993/995 SSL settings
known to work </div>
<div> with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_"
please? </div>
<div> <br>
</div>
<div> Mine is currently... </div>
<div> <br>
</div>
<div> ssl_ca = &lt;/etc/ssl/certs/ca-certificates.crt </div>
<div> ssl_cert = &lt;/etc/ssl/example.com/fullchain.pem </div>
<div> ssl_dh = # hidden, use -P to show it </div>
<div> ssl_key = # hidden, use -P to show it </div>
<div> ssl_options = no_compression no_ticket </div>
<div> ssl_prefer_server_ciphers = yes </div>
<div> <br>
</div>
<div> I have commented out ssl_cipher_list, ssl_min_protocol and
others to </div>
<div> get back to whatever the defaults are so I am not simply
guessing what </div>
<div> the optimal settings would be to cover Win7 and up. </div>
<div> <br>
</div>
<div> Yes I know Win7 is no longer supported but that does not
help the 100s </div>
<div> of older users I have that can't/won't upgrade their
computers. </div>
</blockquote>
<div> <br>
</div>
<div> ssl_min_protocol = TLSv1.0 </div>
<div> ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL </div>
<div> <br>
</div>
<div> If this works, try tuning the cipher list to a more secure value. </div>
<div> <br>
</div>
<div> --- </div>
<div class="io-ox-signature">
<pre>Aki Tuomi</pre>
</div>
</blockquote>
<p><br>
</p>
<p>Since you mention the newest Ubuntu version, it may (most likely)
be necessary to enable TLS 1.0 / 1.1 in openssl as well. I ran
into this with Debian 10 some time ago.<br>
</p>
<p>/etc/ssl/openssl.conf</p>
<pre>[system_default_sect]
-MinProtocol = TLSv1.2
+MinProtocol = TLSv1</pre>
<p>In terms of Dovecot ciphers config, Windows should be happy with
TLS_RSA_WITH_3DES_EDE_CBC_SHA, which is less broken than the other
older ciphers.<br>
</p>
<p>-- K</p>
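<p>Added example (not from the thread, not Dovecot's or OpenSSL's code) to check the point made above: Dovecot's ssl_min_protocol and the system-wide openssl.cnf MinProtocol both have to permit TLS 1.0 before an old client can connect, so the stricter of the two is the floor that matters. The Python below reads both settings from constructed sample text and reports that floor; it assumes the Debian/Ubuntu openssl.cnf section chain (openssl_conf to ssl_conf to system_default) and treats the config files as plain key = value text.</p>

```python
# Added example (not from the thread): the TLS floor an old client must clear when
# both Dovecot's ssl_min_protocol and the system-wide openssl.cnf MinProtocol apply;
# per the thread's advice the stricter of the two counts. Sample inputs are constructed.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
ALIASES = {"TLSv1.0": "TLSv1"}  # spelling Dovecot accepts, as used in the thread
UBUNTU_CNF = ("openssl_conf = default_conf\n[default_conf]\nssl_conf = ssl_sect\n"
              "[ssl_sect]\nsystem_default = system_default_sect\n"
              "[system_default_sect]\nMinProtocol = TLSv1.2\n"
              "CipherString = DEFAULT@SECLEVEL=2\n")
DOVECOT_N = "ssl_min_protocol = TLSv1.0\nssl_prefer_server_ciphers = yes\n"

def parse_cnf(text):
    """Minimal key = value reader -> {section: {key: value}}; "" is the top
    section. Works for openssl.cnf and for the flat `dovecot -n` output."""
    sections, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; values hold no '#'
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()
            sections.setdefault(cur, {})
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[cur][key] = val
    return sections

def normalise(name):
    name = ALIASES.get((name or "").strip(), (name or "").strip())
    return name if name in TLS_ORDER else None

def openssl_min_protocol(cnf_text):
    """Follow openssl_conf -> ssl_conf -> system_default (Debian/Ubuntu layout)."""
    s = parse_cnf(cnf_text)
    try:
        sysdef = s[s[s[s[""]["openssl_conf"]]["ssl_conf"]]["system_default"]]
    except KeyError:
        return None  # chain not wired up: no system-wide floor is applied
    return normalise(sysdef.get("MinProtocol"))

def dovecot_min_protocol(dovecot_n_text):
    return normalise(parse_cnf(dovecot_n_text)[""].get("ssl_min_protocol"))

def effective_floor(cnf_text, dovecot_n_text):
    """Stricter of the two floors; None when neither sets one."""
    floors = [p for p in (openssl_min_protocol(cnf_text),
                          dovecot_min_protocol(dovecot_n_text)) if p]
    return max(floors, key=TLS_ORDER.index) if floors else None

def accepts(cnf_text, dovecot_n_text, client_version):
    """True if a client that tops out at client_version (a TLS_ORDER name) clears the floor."""
    floor = effective_floor(cnf_text, dovecot_n_text)
    return floor is None or TLS_ORDER.index(client_version) >= TLS_ORDER.index(floor)
```

With the stock MinProtocol = TLSv1.2 the effective floor stays at TLS 1.2 even after Dovecot is set to TLSv1.0; only after the openssl.cnf line is lowered does a TLS 1.0-only client clear it.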
</body>
</html>