On Sat, Oct 22, 2022 at 11:31 AM Ervin Hegedüs <airw...@gmail.com> wrote:
> Hi there,
>
> I have a bit old Dovecot instance (Ubuntu 14.04 - there is no
> chance to upgrade it), with these versions of packages:
>
> * Dovecot: 2.2.9
> * OpenSSL: 1.0.1f
>
> A few days ago a client notified me that he can't reach his mails
> through his Office 365. He uses POP3S.
>
> I tried to set up the same client for this Dovecot server, but when
> I configured the POP3 protocol, after the settings check Office
> says:
>
> Your server does not support the connection encryption type you
> have specified. Try changing the encryption method. Contact your
> mail server ...
>
> While the client was trying, I saw these lines in the log:
>
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133]
> Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF>
>
> Which is weird, because I disabled SSLv3. Here is the (relevant)
> config:
>
> ssl_cert = </etc/dovecot/dovecot.crt
> ssl_key = </etc/dovecot/dovecot.key
> ssl_dh_parameters_length = 2048
> ssl_protocols = !SSLv2 !SSLv3
> ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> verbose_ssl = yes
>
> When I check the supported encryption types with nmap, I get this:
>
> $ nmap --script ssl-enum-ciphers -p 995 192.168.8.21
> Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-22 10:20 CEST
> Nmap scan report for 192.168.8.21
> Host is up (0.021s latency).
>
> PORT    STATE SERVICE
> 995/tcp open  pop3s
> | ssl-enum-ciphers:
> |   TLSv1.0:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       ...
> |   TLSv1.1:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       ...
> |   TLSv1.2:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       ...
> |_  least strength: C
>
> When I check the traffic with tcpdump, I see that the client
> uses TLSv1.2:
>
> https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png
>
> Only the one client who reported the problem and my test client
> can't reach the server - the other (about) 400 users can (but I don't
> know with what kinds of clients - most use Thunderbird).
>
>
> What can I do? How can I fix this problem? As I wrote, this
> problem came up suddenly a few days ago...

If the client is running Windows 11 and recently updated to 22H2, then you may be interested in the below:

https://support.microsoft.com/en-us/topic/october-17-2022-kb5020387-os-build-22000-1100-out-of-band-5e723873-2769-4e3d-8882-5cb044455a92

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
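A small added example (not from either mail in the thread) for spotting the pattern the original poster describes: it parses Dovecot 2.2 `verbose_ssl` debug lines in the format quoted above and groups handshake failures per client IP by the OpenSSL state at which they were logged, so clients that abort right after the server's certificate and key exchange (like the `read client certificate A` failure above) stand out from the bulk of clients that negotiate fine. The sample log is constructed to match the quoted format; the second client address is invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the Dovecot 2.2 verbose_ssl lines quoted in the
# thread; the 192.168.8.50 session is invented to show a successful handshake.
SAMPLE_LOG = """\
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133]
Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133]
Oct 21 16:13:02 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.50]
Oct 21 16:13:02 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.50]
Oct 21 16:13:02 mail dovecot: pop3-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [192.168.8.50]
"""

# One pattern covers both the Debug lines (which carry "ret=") and the
# Warning "SSL failed" line (which does not).
SSL_LINE = re.compile(
    r"(?:Debug|Warning): SSL(?P<failed> failed)?: where=0x[0-9a-fA-F]+"
    r"(?:, ret=-?\d+)?: (?P<state>.+?) \[(?P<ip>[0-9.]+)\]\s*$"
)

def summarize_handshakes(log_text):
    """Return {ip: {"ok": n, "failed": n, "fail_states": Counter}}.
    fail_states counts the OpenSSL state name at which each failure was logged,
    separating clients that never get past "read client hello" from clients
    that abort after the server has already sent certificate and key exchange."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0, "fail_states": Counter()})
    for line in log_text.splitlines():
        m = SSL_LINE.search(line)
        if not m:
            continue
        entry = summary[m["ip"]]
        if m["failed"]:                      # the "SSL failed" warning ends a handshake
            entry["failed"] += 1
            entry["fail_states"][m["state"]] += 1
        elif m["state"].startswith("SSL negotiation finished"):
            entry["ok"] += 1
    return dict(summary)

def failing_clients(summary):
    """IPs with at least one failed handshake and no successful one."""
    return sorted(ip for ip, e in summary.items() if e["failed"] and not e["ok"])

if __name__ == "__main__":
    result = summarize_handshakes(SAMPLE_LOG)
    for ip in failing_clients(result):
        print(ip, dict(result[ip]["fail_states"]))
```

Run against a real `/var/log/mail.log` with `verbose_ssl = yes`, a sudden cluster of failures in the same state from previously working addresses points at a client-side change (such as the Windows update linked above) rather than at the server configuration.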