TSR-2018-0001 prevents Apple Mail from sending
The TSR-2018-0001 has changed something that has all my customers that use Apple Mail screaming that they can no longer send mail.
I have spent several hours experimenting with various set-ups on an older Mac OS X 10.7.5 with the result that I can create and configure any IMAP or POP account and they work perfectly downloading and displaying the mailbox folders and messages.
BUT any attempt to send just stalls, it does not matter what port is used and if SSL is enabled or not - it just won't send anything and, understandably, the customers are somewhat unhappy. The connection doctor software that the Mac supplies reports a successful SMTP connection, but the TLS never gets established and the mail is never sent.
Similar tests using Thunderbird on the same old Mac laptop seamlessly connected to the server, auto-configured everything and I was able to send and receive on any protocol.
I do not particularly want to have to revert to the old SSL/TLS OpenSSL options, nor re-enable the old Cipher Suite, so any alternative ideas would be gratefully received.
****UPDATE****
I am finally getting some connection information:
[quote]
2018-01-23 20:29:53 SMTP connection from [xx.xx.xx.xx]:51391 (TCP/IP connection count = 3)
2018-01-23 20:29:53 TLS error on connection from ([192.168.1.104]) [xx.xx.xx.xx]:51391 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-01-23 20:29:53 TLS client disconnected cleanly (rejected our certificate?)
So I tried setting the SSL/TLS OpenSSL options back to the pre TSR ones, and restored the old set of Cipher protocols - but even though Exim rebuilt and started OK, I still can't get Apple Mail to send anything and all I get in the logs are the messages above.
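Added example, not part of the original post: after a change to Exim's TLS settings, tallying the "TLS error on connection" lines of the Exim main log per client shows which clients fail the handshake and with which OpenSSL reason. The sample lines are constructed on the model of the excerpt above, and the addresses are documentation placeholders, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log excerpt in the post; the
# addresses are documentation-range placeholders, not values from the thread.
SAMPLE_LOG = """\
2018-01-23 20:29:53 SMTP connection from [203.0.113.7]:51391 (TCP/IP connection count = 3)
2018-01-23 20:29:53 TLS error on connection from ([192.168.1.104]) [203.0.113.7]:51391 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-01-23 20:29:53 TLS client disconnected cleanly (rejected our certificate?)
2018-01-23 20:31:10 TLS error on connection from ([192.168.1.104]) [203.0.113.7]:51402 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-01-23 20:40:02 TLS error on connection from mail.example.net [198.51.100.20] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
"""

# "<timestamp> TLS error on connection from <name> [<ip>](:<port>) (<call>): <detail>"
TLS_ERROR = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) TLS error on connection from "
    r"(?P<name>.*?)\[(?P<ip>[0-9A-Fa-f.:]+)\](?::(?P<port>\d+))? "
    r"\((?P<call>\w+)\): (?P<detail>.*)$"
)

def parse_tls_errors(log_text):
    """Yield one dict per 'TLS error on connection' line in an Exim main log."""
    for line in log_text.splitlines():
        m = TLS_ERROR.match(line)
        if not m:
            continue
        parts = m["detail"].split(":")
        # OpenSSL error strings read error:<code>:<library>:<function>:<reason>
        if parts[0] == "error" and len(parts) >= 5:
            func, reason = parts[3], ":".join(parts[4:])
        else:
            func, reason = "", m["detail"]
        yield {"ts": m["ts"], "ip": m["ip"], "name": m["name"].strip(" ()[]"),
               "call": m["call"], "func": func, "reason": reason}

def failures_by_client(log_text):
    """Count handshake failures per (client IP, OpenSSL reason)."""
    return Counter((e["ip"], e["reason"]) for e in parse_tls_errors(log_text))

if __name__ == "__main__":
    for (ip, reason), n in failures_by_client(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ip:15s}  {reason}")
```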
-
Sadly, Mac OSX 10.7 (Lion) has reached end of life and has not been receiving security updates or SSL/TLS cipher for some time. You may be stuck allowing weaker ciphers or older SSL protocols if you cannot upgrade the client system. If the below still doesn't solve the problem, you may need to remove "+no_sslv3" from "Options for OpenSSL" and "!SSLv3" from SSL Protocols to allow SSLv3. For Exim (SMTP): WHM » Service Configuration » Exim Configuration Manager
- Options for OpenSSL
+no_sslv2 +no_sslv3
- SSL/TLS Cipher Suite List
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
- SSL Cipher List
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
- SSL Minimum Protocol (v70 and later)
TLSv1
- SSL Protocols (v68 and earlier)
!SSLv2 !SSLv3
-
Thank you kindly Nick, that got my old Mac OS X 10.7.5 test-bed working, and I shall now have to wait until morning to see if the various Mac user clients can send again. I don't know why I couldn't get the protocols and ciphers to work before. Your strings were identical to the ones I tried, but maybe I introduced some white-space or something. I shall update if the clients still can't connect in the morning o_O
The "SSL/TLS Cipher Suite List" for EXIM is a little bit different than that in Do you mind describing the difference and which one should we use?
-
The "SSL/TLS Cipher Suite List" for EXIM is a little bit different than that in I've updated the cipher list referenced on the