Hi there, I have a bit old Dovecot instance (Ubuntu 14.04 - there is no chance to upgrade it), with these versions of packages: * Dovecot: 2.2.9 * OpenSSL: 1.0.1f Few days ago a client noticed me, that he can't reach his mails through his Office 365. He uses POP3S. I tried to set up a same client for this Dovecot server, but when I configured the POP3 protocoll, after the settings check Office says: Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server ... While the client was trying, I see these lines in the log: Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133] Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF> Which is weird, because I disabled SSLv3. Here is the (relevant) config: ssl_cert = </etc/dovecot/dovecot.crt ssl_key = </etc/dovecot/dovecot.key ssl_dh_parameters_length = 2048 ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA verbose_ssl = yes When I check the supported encryption type with nmap, I get this: $ nmap --script ssl-enum-ciphers -p 995 192.168.8.21 Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-22 10:20 CEST Nmap scan report for 192.168.8.21 Host is up (0.021s latency). PORT STATE SERVICE 995/tcp open pop3s | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | ... | TLSv1.1: | ciphers: | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | ... | TLSv1.2: | ciphers: | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A | ,,, |_ least strength: C When I check the traffic with tcpdump, I see that client uses TLSv1.2: https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png Only the one client who reported the problem, and my test client can't reach the server - other (about) 400 users can (but I don't know with what kind of types of clients - most use Thunderbird). What can I do? How can I fix this problem? As I wrote, this problem has came few days ago suddenly... Thanks, a.
On Sat, Oct 22, 2022 at 11:31 AM Ervin Heged?s <airween at gmail.com> wrote:> Hi there, > > I have a bit old Dovecot instance (Ubuntu 14.04 - there is no > chance to upgrade it), with these versions of packages: > > * Dovecot: 2.2.9 > * OpenSSL: 1.0.1f > > Few days ago a client noticed me, that he can't reach his mails > through his Office 365. He uses POP3S. > > I tried to set up a same client for this Dovecot server, but when > I configured the POP3 protocoll, after the settings check Office > says: > > Your server does not support the connection encryption type you > have specified. Try changing the encryption method. Contact your > mail server ... > > While the client was trying, I see these lines in the log: > > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: > before/accept initialization [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: > before/accept initialization [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: > SSLv3 read client hello A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: > SSLv3 write server hello A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: > SSLv3 write certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: > SSLv3 write key exchange A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: > SSLv3 write server done A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: > SSLv3 flush data [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, > ret=-1: SSLv3 read client certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, > ret=-1: SSLv3 read client certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: > where=0x2002: SSLv3 read client certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts > in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: > Disconnected, session=<9sWMB4zr+ADAqAiF> > > Which is weird, because I disabled SSLv3. Here is the (relevant) > config: > > ssl_cert = </etc/dovecot/dovecot.crt > ssl_key = </etc/dovecot/dovecot.key > ssl_dh_parameters_length = 2048 > ssl_protocols = !SSLv2 !SSLv3 > ssl_cipher_list > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > verbose_ssl = yes > > When I check the supported encryption type with nmap, I get this: > > $ nmap --script ssl-enum-ciphers -p 995 192.168.8.21 > Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-22 10:20 CEST > Nmap scan report for 192.168.8.21 > Host is up (0.021s latency). > > PORT STATE SERVICE > 995/tcp open pop3s > | ssl-enum-ciphers: > | TLSv1.0: > | ciphers: > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A > | ... > | TLSv1.1: > | ciphers: > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A > | ... > | TLSv1.2: > | ciphers: > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A > | ,,, > |_ least strength: C > > When I check the traffic with tcpdump, I see that client > uses TLSv1.2: > > https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png > > Only the one client who reported the problem, and my test client > can't reach the server - other (about) 400 users can (but I don't > know with what kind of types of clients - most use Thunderbird). > > > What can I do? How can I fix this problem? As I wrote, this > problem has came few days ago suddenly... >If the client is running Windows 11 and recently updated to 22H2, then you may be interested in the below: https://support.microsoft.com/en-us/topic/october-17-2022-kb5020387-os-build-22000-1100-out-of-band-5e723873-2769-4e3d-8882-5cb044455a92 -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ?\_(?)_/? :-) -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20221022/6271c4ed/attachment-0001.htm>
We had the same problem starting around October 14th -? 'unsupported encryption type' - we were running Dovecot 2.2.32. It was resolved by upgrading Dovecot, in our case, to v2.3.7 Jeff On 10/22/2022 4:30 AM, Ervin Heged?s wrote:> Hi there, > > I have a bit old Dovecot instance (Ubuntu 14.04 - there is no > chance to upgrade it), with these versions of packages: > > * Dovecot: 2.2.9 > * OpenSSL: 1.0.1f > > Few days ago a client noticed me, that he can't reach his mails > through his Office 365. He uses POP3S. > > I tried to set up a same client for this Dovecot server, but when > I configured the POP3 protocoll, after the settings check Office > says: > > Your server does not support the connection encryption type you > have specified. Try changing the encryption method. Contact your > mail server ... > > While the client was trying, I see these lines in the log: > > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: where=0x2002: SSLv3 read client certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF> > > Which is weird, because I disabled SSLv3. Here is the (relevant) > config: > > ssl_cert = </etc/dovecot/dovecot.crt > ssl_key = </etc/dovecot/dovecot.key > ssl_dh_parameters_length = 2048 > ssl_protocols = !SSLv2 !SSLv3 > ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > verbose_ssl = yes > > When I check the supported encryption type with nmap, I get this: > > $ nmap --script ssl-enum-ciphers -p 995 192.168.8.21 > Starting Nmap 7.80 (https://nmap.org ) at 2022-10-22 10:20 CEST > Nmap scan report for 192.168.8.21 > Host is up (0.021s latency). > > PORT STATE SERVICE > 995/tcp open pop3s > | ssl-enum-ciphers: > | TLSv1.0: > | ciphers: > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A > | ... > | TLSv1.1: > | ciphers: > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A > | ... > | TLSv1.2: > | ciphers: > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A > | ,,, > |_ least strength: C > > When I check the traffic with tcpdump, I see that client > uses TLSv1.2: > > https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png > > Only the one client who reported the problem, and my test client > can't reach the server - other (about) 400 users can (but I don't > know with what kind of types of clients - most use Thunderbird). > > > What can I do? How can I fix this problem? As I wrote, this > problem has came few days ago suddenly... > > > Thanks, > > > a. > > > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20221022/3926966f/attachment.htm>
On 2022-10-22 09:30, Ervin Heged?s wrote:> Hi there, > > I have a bit old Dovecot instance (Ubuntu 14.04 - there is no > chance to upgrade it), with these versions of packages: > > * Dovecot: 2.2.9 > * OpenSSL: 1.0.1f > > Few days ago a client noticed me, that he can't reach his mails > through his Office 365. He uses POP3S. > > I tried to set up a same client for this Dovecot server, but when > I configured the POP3 protocoll, after the settings check Office > says: > > Your server does not support the connection encryption type you > have specified. Try changing the encryption method. Contact your > mail server ... > > While the client was trying, I see these lines in the log: > > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x10, > ret=1: before/accept initialization [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, > ret=1: before/accept initialization [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, > ret=1: SSLv3 read client hello A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, > ret=1: SSLv3 write server hello A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, > ret=1: SSLv3 write certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, > ret=1: SSLv3 write key exchange A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, > ret=1: SSLv3 write server done A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2001, > ret=1: SSLv3 flush data [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, > ret=-1: SSLv3 read client certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Debug: SSL: where=0x2002, > ret=-1: SSLv3 read client certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Warning: SSL failed: > where=0x2002: SSLv3 read client certificate A [192.168.8.133] > Oct 21 16:12:18 mail dovecot: pop3-login: Disconnected (no auth > attempts in 0 secs): user=<>, rip=192.168.8.133, lip=192.168.8.21, TLS > handshaking: Disconnected, session=<9sWMB4zr+ADAqAiF> > > Which is weird, because I disabled SSLv3. Here is the (relevant) > config: > > ssl_cert = </etc/dovecot/dovecot.crt > ssl_key = </etc/dovecot/dovecot.key > ssl_dh_parameters_length = 2048 > ssl_protocols = !SSLv2 !SSLv3 > ssl_cipher_list = > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA > verbose_ssl = yes > > When I check the supported encryption type with nmap, I get this: > > $ nmap --script ssl-enum-ciphers -p 995 192.168.8.21 > Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-22 10:20 CEST > Nmap scan report for 192.168.8.21 > Host is up (0.021s latency). > > PORT STATE SERVICE > 995/tcp open pop3s > | ssl-enum-ciphers: > | TLSv1.0: > | ciphers: > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A > | ... > | TLSv1.1: > | ciphers: > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A > | ... > | TLSv1.2: > | ciphers: > | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A > | ,,, > |_ least strength: C > > When I check the traffic with tcpdump, I see that client > uses TLSv1.2: > > https://www.dropbox.com/s/k8wqzg5xzki5p23/pop3_traffic.png > > Only the one client who reported the problem, and my test client > can't reach the server - other (about) 400 users can (but I don't > know with what kind of types of clients - most use Thunderbird). > > > What can I do? How can I fix this problem? As I wrote, this > problem has came few days ago suddenly... > > > Thanks, > > > a.Hi, You might want to check incoming releases changelog https://doc.dovecot.org/3.0/installation_guide/upgrading/from-2.3-to-3.0/ Notice the point " OpenSSL support for older than 1.0.2: Older versions are not supported anymore. " I think you should be able to upgrade in the same instance both openssl and dovecot if you compile it manually. Also, you can install additional openssl, and load its module e.g. as libssl.so and move older libssl.so.1.0.1 so to be the default. Make sure to install anything above 1.0.1. Good luck. Zakaria.