Re: Office 365 SSL issue

Sat, 22 Oct 2022 06:22:16 -0700 

On 2022-10-22 09:30, Ervin Hegedüs wrote:

Hi there,

I have a bit old Dovecot instance (Ubuntu 14.04 - there is no
chance to upgrade it), with these versions of packages:

* Dovecot: 2.2.9
* OpenSSL: 1.0.1f

Few days ago a client noticed me, that he can't reach his mails
through his Office 365. He uses POP3S.

I tried to set up a same client for this Dovecot server, but when
I configured the POP3 protocoll, after the settings check Office
says:

Your server does not support the connection encryption type you
have specified. Try changing the encryption method. Contact your
mail server ...

While the client was trying, I see these lines in the log:
Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF> 

Which is weird, because I disabled SSLv3. Here is the (relevant)
config:

ssl_cert = </etc/dovecot/dovecot.crt
ssl_key = </etc/dovecot/dovecot.key
ssl_dh_parameters_length = 2048
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA 
verbose_ssl = yes

When I check the supported encryption type with nmap, I get this:

$ nmap --script ssl-enum-ciphers -p 995 192.168.8.21
Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-22 10:20 CEST
Nmap scan report for 192.168.8.21
Host is up (0.021s latency).

PORT    STATE SERVICE
995/tcp open  pop3s
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   ...
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   ...
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   ,,,
|_  least strength: C

When I check the traffic with tcpdump, I see that client
uses TLSv1.2:

https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png

Only the one client who reported the problem, and my test client
can't reach the server - other (about) 400 users can (but I don't
know with what kind of types of clients - most use Thunderbird).


What can I do? How can I fix this problem? As I wrote, this
problem has came few days ago suddenly...


Thanks,


a.


Hi,

You might want to check incoming releases changelog
https://doc.dovecot.org/3.0/installation_guide/upgrading/from-2.3-to-3.0/
Notice the point " OpenSSL support for older than 1.0.2: Older versions are not supported anymore. "
I think you should be able to upgrade in the same instance both openssl and dovecot if you compile it manually. Also, you can install additional openssl, and load its module e.g. as libssl.so and move older libssl.so.1.0.1 so to be the default. Make sure to install anything above 1.0.1. 

Good luck.

Zakaria.

Reply via email to