Symptoms
In version 68 of cPanel, we introduced new SSL/TLS cipher settings to increase the security of the mail server. This enables TLS 1.2 and disables older protocols, such as TLS 1.0. You can read more about this in our blog post here: TLS Changes in Version 68
While cPanel makes every effort to ensure our product is as secure as possible, this does mean older operating systems and mail clients will be affected.
Description
This issue commonly occurs when using Windows 7, Outlook 2007 or 2010, or any older mail client that does not support the newer TLS versions. For Microsoft Windows 7, for example, Microsoft released a patch that enables the newer protocols, TLS 1.1 and TLS 1.2. You can read more information on our blog here: Enabling TLS 1.1 and 1.2 in Windows 7
Please keep in mind this is not a defect or an issue with cPanel, but an incompatibility with the outdated client software. Updating the client software to support TLS 1.2 will help maintain overall security.
Workaround
There are two options to help resolve the issues you are currently facing. Please note that Option 1 is the recommended solution.
Option 1: (RECOMMENDED)
To enable TLS 1.2 for Windows 7, you will need to patch your system to modify the registry. Be sure your system is fully updated through the update center, then download and install the patch from Microsoft's website here: Enable TLS 1.1 and 1.2 as the default secure protocols.
After the patch is installed, be sure to reboot your local computer to ensure the patch was applied. Once your system is back online, please try to connect to the cPanel server again.
Option 2: (NOT RECOMMENDED)
If you must enable TLS 1.0 on the WHM/cPanel server for compatibility, do the following in WHM >> Home >> Service Configuration >> Exim Configuration Manager >> Basic Settings:
- Ensure that "Allow weak SSL/TLS ciphers" is "On".
- Change "SSL/TLS Cipher Suite List" to (this is one long line):
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
- Change "Options for OpenSSL" to the following:
+no_sslv2 +no_sslv3
- Click "Save" at the bottom of the page.
These changes will enable TLS 1.0, 1.1, and 1.2 and should provide compatibility with older mail servers and clients that only support TLS 1.0.
To make these changes for Dovecot, go to WHM >> Home >> Service Configuration >> Mailserver Configuration, and do the following:
- Change "SSL Cipher List" to this (in one long line):
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
- Change "SSL Minimum Protocol" to this:
TLS1
Once you have made these changes to the server, or you have fully patched your Windows system, your Windows mail client should be able to connect to the server again.
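To see exactly what legacy material the Option 2 cipher list admits before pasting it into the Exim and Dovecot fields above, the following added Python example (not cPanel code) parses an OpenSSL cipher string, reports the suites that lack forward secrecy or use 3DES, and builds a narrower variant that keeps only forward-secret, non-3DES suites while still retaining the CBC suites that TLS 1.0 clients need. The COMPAT_LIST constant is a constructed copy of the list from Option 2; whether a particular legacy client still connects with the narrowed list must be tested against that client.

```python
"""Added example: audit an OpenSSL cipher string like the Option 2 lists above.
Handles plain suite names and '!' exclusions only, not aliases such as HIGH."""
from __future__ import annotations

# Constructed copy of the compatibility cipher list given in Option 2.
COMPAT_LIST = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

# Key-exchange prefixes that provide forward secrecy (ephemeral ECDH / DH).
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def parse_cipher_list(spec: str) -> tuple[list[dict], list[str]]:
    """Split the colon-separated string into classified suites and exclusions."""
    suites, excluded = [], []
    for token in filter(None, (t.strip() for t in spec.split(":"))):
        if token.startswith("!"):
            excluded.append(token[1:])
            continue
        suites.append({
            "name": token,
            "forward_secrecy": token.startswith(FS_PREFIXES),
            # GCM and ChaCha20-Poly1305 are AEAD; everything else here is CBC+HMAC.
            "aead": "GCM" in token or "POLY1305" in token,
            "triple_des": "DES-CBC3" in token,
        })
    return suites, excluded


def audit(spec: str) -> dict:
    """Summarise what legacy material a cipher list admits."""
    suites, excluded = parse_cipher_list(spec)
    return {
        "total": len(suites),
        "no_forward_secrecy": [s["name"] for s in suites if not s["forward_secrecy"]],
        "triple_des": [s["name"] for s in suites if s["triple_des"]],
        "cbc_hmac": [s["name"] for s in suites if not s["aead"]],
        "excluded": excluded,
    }


def narrow(spec: str) -> str:
    """Drop static-RSA and 3DES suites but keep the CBC suites that TLS 1.0
    still needs (TLS 1.0 has no AEAD suites), and keep the '!' exclusions."""
    suites, excluded = parse_cipher_list(spec)
    kept = [s["name"] for s in suites if s["forward_secrecy"] and not s["triple_des"]]
    return ":".join(kept + ["!" + e for e in excluded])


if __name__ == "__main__":
    report = audit(COMPAT_LIST)
    print(f"{report['total']} suites, {len(report['no_forward_secrecy'])} without "
          f"forward secrecy, {len(report['triple_des'])} using 3DES")
```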