<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Oct 22, 2022 at 11:31 AM Ervin Hegedüs <<a href="mailto:airween@gmail.com">airween@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi there,<br>
<br>
I have a bit old Dovecot instance (Ubuntu 14.04 - there is no<br>
chance to upgrade it), with these versions of packages:<br>
<br>
* Dovecot: 2.2.9<br>
* OpenSSL: 1.0.1f<br>
<br>
Few days ago a client noticed me, that he can't reach his mails<br>
through his Office 365. He uses POP3S.<br>
<br>
I tried to set up a same client for this Dovecot server, but when<br>
I configured the POP3 protocoll, after the settings check Office<br>
says:<br>
<br>
Your server does not support the connection encryption type you<br>
have specified. Try changing the encryption method. Contact your<br>
mail server ...<br>
<br>
While the client was trying, I see these lines in the log:<br>
<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133]<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.8.133]<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133]<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133]<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133]<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.8.133]<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133]<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.8.133]<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133]<br>
Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF><br>
<br>
Which is weird, because I disabled SSLv3. Here is the (relevant)<br>
config:<br>
<br>
ssl_cert = </etc/dovecot/dovecot.crt<br>
ssl_key = </etc/dovecot/dovecot.key<br>
ssl_dh_parameters_length = 2048<br>
ssl_protocols = !SSLv2 !SSLv3<br>
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA<br>
verbose_ssl = yes<br>
<br>
When I check the supported encryption type with nmap, I get this:<br>
<br>
$ nmap --script ssl-enum-ciphers -p 995 192.168.8.21<br>
Starting Nmap 7.80 ( <a href="https://nmap.org" rel="noreferrer" target="_blank">https://nmap.org</a> ) at 2022-10-22 10:20 CEST<br>
Nmap scan report for 192.168.8.21<br>
Host is up (0.021s latency).<br>
<br>
PORT STATE SERVICE<br>
995/tcp open pop3s<br>
| ssl-enum-ciphers: <br>
| TLSv1.0: <br>
| ciphers: <br>
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A<br>
| ...<br>
| TLSv1.1: <br>
| ciphers: <br>
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A<br>
| ...<br>
| TLSv1.2: <br>
| ciphers: <br>
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A<br>
| ,,,<br>
|_ least strength: C<br>
<br>
When I check the traffic with tcpdump, I see that client<br>
uses TLSv1.2:<br>
<br>
<a href="https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png" rel="noreferrer" target="_blank">https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png</a><br>
<br>
Only the one client who reported the problem, and my test client<br>
can't reach the server - other (about) 400 users can (but I don't<br>
know with what kind of types of clients - most use Thunderbird).<br>
<br>
<br>
What can I do? How can I fix this problem? As I wrote, this<br>
problem has came few days ago suddenly...<br></blockquote><div></div></div><div><br></div>If the client is running Windows 11 and recently updated to 22H2, then you may be interested in the below:<div><br></div><div><a href="https://support.microsoft.com/en-us/topic/october-17-2022-kb5020387-os-build-22000-1100-out-of-band-5e723873-2769-4e3d-8882-5cb044455a92">https://support.microsoft.com/en-us/topic/october-17-2022-kb5020387-os-build-22000-1100-out-of-band-5e723873-2769-4e3d-8882-5cb044455a92</a><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div dir="ltr"><div>Best regards,<br>Odhiambo WASHINGTON,<br>Nairobi,KE<br>+254 7 3200 0004/+254 7 2274 3223<br>"<span style="font-size:12.8px">Oh, the cruft.</span><span style="font-size:12.8px">", </span><span style="font-size:12.8px">egrep -v '^$|^.*#' </span><span style="background-color:rgb(34,34,34);color:rgb(238,238,238);font-family:"Lucida Console",Consolas,"Courier New",monospace;font-size:13.6px">¯\_(ツ)_/¯</span><span style="font-size:12.8px"> :-)</span></div></div></div></div></div></div>