Hi Folks,

after adding TLSv1.2 to my TLS options a lot of Outlook users complained about connection errors; openssl s_client and Thunderbird work fine.

I found some posts about this but none of them had a real solution for this - I have meanwhile disabled TLSv1.2, which made the Outlook users happy.

I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014

ssl_cert = </var/qmail/control/servercert.pem
ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH
ssl_dh_parameters_length = 2048
ssl_key = </var/qmail/control/servercert.pem
ssl_protocols = !SSLv2 !TLSv1.2

The certificate is from Comodo using sha256.

Any idea?

Oliver
-- 
Protect your environment - close windows and adopt a penguin!
On 16.01.2015 at 12:24, Oliver Welter wrote:
> Hi Folks,
> 
> after adding TLSv1.2 to my TLS options a lot of Outlook users complained
> about connection errors; openssl s_client and Thunderbird work fine.
> 
> I found some posts about this but none of them had a real solution for
> this - I have meanwhile disabled TLSv1.2, which made the Outlook users happy.
> 
> I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014
> 
> ssl_cert = </var/qmail/control/servercert.pem
> ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH
> ssl_dh_parameters_length = 2048
> ssl_key = </var/qmail/control/servercert.pem
> ssl_protocols = !SSLv2 !TLSv1.2
> 
> The certificate is from Comodo using sha256.
> 
> Any idea?
> 
> Oliver

There is no "Outlook"; please do an exact debug of which Outlook and Windows version. Disabling TLSv1.2 is a bad idea. My bet goes on your ssl_cipher_list, try this:

# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

or search the list archive and the web for other, better solutions and general dovecot ssl configs.

Best Regards
Robert Schetterer
-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
On Sun, 18 Jan 2015 09:45:16 +0100, Robert Schetterer stated:
> On 16.01.2015 at 12:24, Oliver Welter wrote:
>> Hi Folks,
>> 
>> after adding TLSv1.2 to my TLS options a lot of Outlook users complained
>> about connection errors; openssl s_client and Thunderbird work fine.
>> 
>> I found some posts about this but none of them had a real solution for
>> this - I have meanwhile disabled TLSv1.2, which made the Outlook users happy.
>> 
>> I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014
>> 
>> ssl_cert = </var/qmail/control/servercert.pem
>> ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH
>> ssl_dh_parameters_length = 2048
>> ssl_key = </var/qmail/control/servercert.pem
>> ssl_protocols = !SSLv2 !TLSv1.2
>> 
>> The certificate is from Comodo using sha256.
>> 
>> Any idea?
>> 
>> Oliver
>> 
> There is no "Outlook"; please do an exact debug of which Outlook and Windows
> version. Disabling TLSv1.2 is a bad idea. My bet goes on your
> ssl_cipher_list, try this:
> 
> # SSL ciphers to use
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> 
> 
> or search the list archive and the web for other, better solutions and general
> dovecot ssl configs.

I have:

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL

and Outlook 2013 works fine.

-- 
Jerry
On 16.01.2015 at 12:24, Oliver Welter wrote:
> after adding TLSv1.2 to my TLS options

How did you do that? There is no need to add it as long as you did not break your configuration intentionally some time before.

> a lot of Outlook users complained about connection errors;
> openssl s_client and Thunderbird work fine.

no

> I found some posts about this but none of them had a real solution for
> this - I have meanwhile disabled TLSv1.2, which made the Outlook users happy.
> 
> I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014
> 
> ssl_cert = </var/qmail/control/servercert.pem
> ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH

!MEDIUM is likely the reason.

> ssl_dh_parameters_length = 2048
> ssl_key = </var/qmail/control/servercert.pem
> ssl_protocols = !SSLv2 !TLSv1.2
> 
> The certificate is from Comodo using sha256

The config below works with every known Outlook version down to Outlook 2003 on Windows XP in combination with a RSA4096/SHA256 key, as well as with all other reasonable mail clients:

ssl_protocols = !SSLv2 !SSLv3
ssl_prefer_server_ciphers = yes
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA
On 1/18/2015 12:45 AM, Robert Schetterer wrote:
> On 16.01.2015 at 12:24, Oliver Welter wrote:
>> Hi Folks,
>> 
>> after adding TLSv1.2 to my TLS options a lot of Outlook users complained
>> about connection errors; openssl s_client and Thunderbird work fine.
>> 
>> I found some posts about this but none of them had a real solution for
>> this - I have meanwhile disabled TLSv1.2, which made the Outlook users happy.
>> 
>> I run dovecot 2.2.13, OpenSSL 1.0.1j 15 Oct 2014
>> 
>> ssl_cert = </var/qmail/control/servercert.pem
>> ssl_cipher_list = ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH
>> ssl_dh_parameters_length = 2048
>> ssl_key = </var/qmail/control/servercert.pem
>> ssl_protocols = !SSLv2 !TLSv1.2
>> 
>> The certificate is from Comodo using sha256.
>> 
>> Any idea?
>> 
>> Oliver
>> 
> 
> There is no "Outlook"; please do an exact debug of which Outlook and Windows
> version. Disabling TLSv1.2 is a bad idea. My bet goes on your
> ssl_cipher_list, try this:
> 
> # SSL ciphers to use
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
> 
> 
> or search the list archive and the web for other, better solutions and general
> dovecot ssl configs.

I have this in production:

ssl_cipher_list = HIGH+kEECDH:HIGH+kEDH:!aNULL:-3DES:+AES256:+SHA:AES128-SHA:DES-CBC3-SHA
ssl_protocols = !SSLv2 !SSLv3 TLSv1 TLSv1.1 TLSv1.2

- AES128-SHA & TLSv1 for some Android v4.3 and earlier
- DES-CBC3-SHA & TLSv1 for Outlook 2003 on Windows XP
- TLSv1 for Thunderbird prior to v27
- TLSv1 for Outlook on Windows Vista/2008
- TLSv1 for Outlook on Windows 7 or 8 without IE 11 installed

Everything else supports at least DHE-AES on TLSv1.1 or 1.2.

The cipherspec provides AES128, AES256 and Camellia; with AES128 and Camellia preferred over AES256, and SHA2 preferred over SHA1.
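The thread turns on what a Dovecot ssl_cipher_list actually expands to: the "!MEDIUM is likely the reason" reply and the production list in the message above both come down to which suites survive the string and in what preference order. The following is an added example, not code from any poster or from Dovecot; it expands the original poster's list and the production list with the OpenSSL that Python is linked against (so the result reflects that version, not the OP's 1.0.1j) and reports whether the suites the thread names as legacy-client requirements are still present and what key exchange the top-preferred suite uses.

```python
import re
import ssl

# Cipher strings copied from the messages above: the original poster's list
# and the production list from the last reply.
OP_LIST = "ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:+RC4:@STRENGTH"
PROD_LIST = "HIGH+kEECDH:HIGH+kEDH:!aNULL:-3DES:+AES256:+SHA:AES128-SHA:DES-CBC3-SHA"

# Suites the thread names as the ones old Outlook / Android clients depend on.
LEGACY_SUITES = ("AES128-SHA", "DES-CBC3-SHA")


def expand(cipher_string):
    """Expand a cipher string with the OpenSSL that Python is linked against.

    Returns the negotiable TLS <= 1.2 suites in server preference order.
    TLS 1.3 suites are dropped because the cipher string does not govern them.
    The result depends on the OpenSSL version: since 1.1.0, 3DES is classed
    MEDIUM, so '!MEDIUM' strips DES-CBC3-SHA there but not on 1.0.1.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def names(cipher_string):
    return [c["name"] for c in expand(cipher_string)]


def first_key_exchange(cipher_string):
    """Key exchange (the Kx= field) of the top-preferred suite, e.g. 'ECDH'."""
    top = expand(cipher_string)[0]["description"]
    return re.search(r"Kx=(\S+)", top).group(1)


def legacy_report(cipher_string):
    """Which legacy suites survive, and whether any RC4 suite survived.

    '!' deletes permanently, so '+RC4' after '!MEDIUM' cannot bring RC4 back.
    """
    present = set(names(cipher_string))
    return {
        "legacy_present": [s for s in LEGACY_SUITES if s in present],
        "rc4_present": any("RC4" in n for n in present),
    }


if __name__ == "__main__":
    for label, spec in (("original", OP_LIST), ("production", PROD_LIST)):
        print(label, legacy_report(spec), "top Kx:", first_key_exchange(spec))
```

Run it on the OpenSSL build that Dovecot actually links against; a cipher string that keeps DES-CBC3-SHA on 1.0.1 can silently lose it on a newer library.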