<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 31/05/2020 07:36 Mark Constable &lt;<a href="mailto:markc@renta.net">markc@renta.net</a>&gt; wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
I currently use Ubuntu 20.04 with Dovecot 2.3.7.2 and OpenSSL 1.1.1f.
</div>
<div>
<br>
</div>
<div>
A few months ago there was an update to all these systems and since
</div>
<div>
then I've had to talk W7 and old Mac clients through disabling ports
</div>
<div>
993/995 with TLS enabled back to ports 143/110 without SSL or they
</div>
<div>
could not pick up email. Thunderbird users (i.e., me) were unaffected.
</div>
<div>
<br>
</div>
<div>
Could anyone share a set of port 993/995 SSL settings known to work
</div>
<div>
with Windows7 and Outlook16 using "dovecot -n|grep ^ssl_" please?
</div>
<div>
<br>
</div>
<div>
Mine is currently...
</div>
<div>
<br>
</div>
<div>
ssl_ca = &lt;/etc/ssl/certs/ca-certificates.crt
</div>
<div>
ssl_cert = &lt;/etc/ssl/example.com/fullchain.pem
</div>
<div>
ssl_dh = # hidden, use -P to show it
</div>
<div>
ssl_key = # hidden, use -P to show it
</div>
<div>
ssl_options = no_compression no_ticket
</div>
<div>
ssl_prefer_server_ciphers = yes
</div>
<div>
<br>
</div>
<div>
I have commented out ssl_cipher_list, ssl_min_protocol and others to
</div>
<div>
get back to whatever the defaults are so I am not simply guessing what
</div>
<div>
the optimal settings would be to cover Win7 and up.
</div>
<div>
<br>
</div>
<div>
Yes I know Win7 is no longer supported but that does not help the 100s
</div>
<div>
of older users I have that can't/won't upgrade their computers.
</div>
</blockquote>
<div>
<br>
</div>
<div>
ssl_min_protocol = TLSv1.0
</div>
<div>
ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
</div>
<div>
<br>
</div>
<div>
If this works, try tuning the cipher lists to a more secure value.
</div>
<div>
<br>
</div>
<div>
---
</div>
<div class="io-ox-signature">
<pre>Aki Tuomi</pre>
</div>
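<div>
Before tightening the cipher list as the reply suggests, it helps to see which suites the suggested string actually enables. The following Python script is an added example, not part of the original thread: it expands the reply's cipher string with the local OpenSSL build (so run it on the Dovecot host) and flags suites worth reviewing. The function names and the review criteria are assumptions made for illustration.
</div>
<pre>
```python
import ssl

# Cipher string quoted from the reply above.
REPLY_CIPHERS = "ALL:!LOW:!SSLv2:!EXP:!aNULL"


def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return ctx.get_ciphers()


def concerns(suite):
    """Return the reasons a suite is a candidate for removal when tightening."""
    reasons = []
    if suite.get("auth") == "auth-null":
        reasons.append("anonymous key exchange")
    if suite.get("kea") == "kx-rsa":
        reasons.append("static RSA key exchange, no forward secrecy")
    if not suite.get("aead"):
        reasons.append("not AEAD (CBC or stream cipher with separate MAC)")
    if 128 > suite.get("strength_bits", 0):
        reasons.append("less than 128-bit strength")
    return reasons


def audit(cipher_string):
    """Map each enabled suite that raises a concern to its list of reasons."""
    report = {}
    for suite in enabled_suites(cipher_string):
        reasons = concerns(suite)
        if reasons:
            report[suite["name"]] = reasons
    return report


if __name__ == "__main__":
    suites = enabled_suites(REPLY_CIPHERS)
    report = audit(REPLY_CIPHERS)
    print(f"{len(suites)} suites enabled, {len(report)} worth reviewing")
    for name, reasons in sorted(report.items()):
        print(f"  {name}: {'; '.join(reasons)}")
```
</pre>
<div>
Compare the flagged suites with what the legacy clients actually negotiate before excluding any of them, since the result depends on the OpenSSL build and its configured security level.
</div>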
</body>
</html>