dovecot - Aug 2020 - Apple Mail Since upgrade to dovecot 2.3.x unable to connect

Am 17.08.20 um 12:16 schrieb Aki Tuomi:
> You need to set
>
> ssl_min_protocol = TLSv1.2 # or TLSv1
Thanks, tried both, but unsuccessfully. Again, is there any debug
setting that allows me to see what SSL version was requested? Without
this, this is fumbling in the dark.

Cheers,

Johannes



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200817/65f00568/attachment.sig>

>> You need to set
>> 
>> ssl_min_protocol = TLSv1.2 # or TLSv1
> 
> Thanks, tried both, but unsuccessfully. Again, is there any debug
> setting that allows me to see what SSL version was requested? Without
> this, this is fumbling in the dark.
In the german version of Apple Mail go to menu "Fenster" /
"Verbindug pr?fen".

There you can check the connection and log all transactions.

I don't know how detailed this is in older Apple Mail versions, but you
could try.

READ Aug 17 13:05:32.041 [kCFStreamSocketSecurityLevelTLSv1_2] --
host:mail.server.com -- port:587 -- socket:0x600005ff1980 --
thread:0x60000e5cb340
235 2.7.0 Authentication successful


Best regards
Gerald

Am 17.08.20 um 13:10 schrieb Gerald Galster:
>>> You need to set
>>>
>>> ssl_min_protocol = TLSv1.2 # or TLSv1
>> Thanks, tried both, but unsuccessfully. Again, is there any debug
>> setting that allows me to see what SSL version was requested? Without
>> this, this is fumbling in the dark.
> In the german version of Apple Mail go to menu "Fenster" /
"Verbindug pr?fen".
>
> There you can check the connection and log all transactions.
>
> I don't know how detailed this is in older Apple Mail versions, but you
could try.
>
> READ Aug 17 13:05:32.041 [kCFStreamSocketSecurityLevelTLSv1_2] --
host:mail.server.com -- port:587 -- socket:0x600005ff1980 --
thread:0x60000e5cb340
> 235 2.7.0 Authentication successful
Thanks Gerald, I'll try that. Strange though that the info isn't in the
dovecot debug log.

Cheers,

Johannes

>
>
> Best regards
> Gerald


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200817/21a3a308/attachment.sig>

On 17 Aug 2020, at 05:10, Gerald Galster <list+dovecot at gcore.biz>
wrote:
> I don't know how detailed this is in older Apple Mail versions
I don't think the detail has changed in many many years, if at all. I
remember using the logs to troubleshoot security issues 15 years ago.

Mac OS 10.11 El Capitan was released in 2015, not 2016, but I don't think
that makes any difference. El Capitan uses outdate versions of openssl (0.9.9).
Sierra (10.12) and High Sierra (10.13) have an updated stack and work fine with
TLSv1.2.

Because the issue is the unix level tools, this is not generally something you
can work around with a third-arty client unless you find one with its own stack.
Webmail would be the solution if someone refuses or is unable to update.

Any machine that is less than about 10-12 years old can update to 10.13 at no
cost though.



-- 
I said pretend you've got no money, she just laughed and said, 'Eh
	you're so funny.' I said, 'Yeah? Well I can't see anyone else
	smiling in here.'

On Mon, 17 Aug 2020, Johannes Rohr wrote:
>> You need to set
>>
>> ssl_min_protocol = TLSv1.2 # or TLSv1
>
> Thanks, tried both, but unsuccessfully.
Don't give up too easily/early on this.

I said this before, but MacOSX Mail behaves weirdly.  I've more than
once changed a server setting, without apparent effect, only to have
MacOSX Mail mysteriously start working again after some time.  Maybe it
caches settings.  Also, disable "Automatic manage connection" as
failure
to establish a successful session will cause your client to do some
auto-wandering to discover settings, which could really do your head in.

Joseph Tam <jtam.home at gmail.com>