[CPANEL-28089] Dovecot TLS configuration reset upon update
Since this morning, I can't RECEIVE emails with Outlook 2010 (POP3 and IMAP accounts). No problem to SEND emails. I get the error 800CCC1A for POP3 accounts using port 995 and SSL connection. I also get the error 800CCC0E for IMAP accounts using port 993 and SSL connection.
Otherwise, I am able to receive and send emails with the Gmail app on my phone with IMAP accounts using port 993 and TLS/SSL connection.
My cPanel version is v80.0.18. The SSL certificate seems to be fine. I see some updates in folder /etc/dovecot/ from today but not sure if it's related. Not sure either if I have to update cipher settings.
Can someone help me please? Thanks in advance!
Same here. Some Outlook versions cannot download mail. I now even have problems with the mail client on a Mac. Some ciphers seem to have been removed. The problem goes away when SSL is turned off... although I would prefer weak encryption to no encryption anytime.
We are seeing quite a few tickets about this very same problem, which started after last night's upcp. More to come, I am sure. - Scott
Same here. Logs show:
Jun 23 18:31:09 cpanel1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxxx, lip=xxxx, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=
Any details on why?
I've had several issues with a Mac tonight and spent 3 hours unpaid support time. Various issues: unable to verify password (internet accounts); port 993 timed out. These are known Mac issues so I never thought it would be caused by cPanel. However, I remembered that we had to adjust some cipher details due to older Macs which couldn't send. Therefore I checked the mailserver settings in WHM and noticed "SSL Minimum Protocol" is set to v1.3. This must have been enforced with cPanel v80 on Friday/Saturday night but I can't find it anywhere in the change log? Once I changed this back to TLSv1, Mac Mail works again. Now I know we are "supposed" to enforce v1.2 but we can't go falling out with all customers (which are also clients in our case) who have older Macs! I just wish if cPanel are enforcing it for PCI compliance they would have made us aware (unless I missed it?) as it has cost me 3 hours of time when we are very busy; I now get to bed at 4am!
Same here, so far no problem with Outlook 2016. Only Outlook 2010.
I found that the update changed a Dovecot security setting on our servers. In WHM, under Service Configuration > Mailserver Configuration > SSL Minimum Protocol, cPanel managed to change this setting to the highest security setting, "TLS v1.2" on most of our servers, with a few of them changed to "TLS v1". This breaks email service for many customers that use slightly older email clients and/or operating systems. We've fixed this, for now, by changing the SSL Minimum Protocol back to "SSL v3" and this has solved the problem for our customers. - Scott
Also seeing reports of this since around 3am this morning. Sounds like it has only affected POP accounts so far ...
Most probably it will work with TLSv1 as well. To find out if you have an issue like this you can run:
grep "TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown" /var/log/maillog
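The grep above matches one specific OpenSSL reason. As an added example (editor's code, not from this thread or from cPanel), the script below triages a maillog the same way but groups every Dovecot handshake failure by OpenSSL reason, login service and client address, so you can see how many distinct clients are affected and why before deciding whether lowering "SSL Minimum Protocol" would even help them. The sample log lines (documentation-range IPs), the regex and the plain-language hints are all constructed here; the regex assumes the standard Dovecot login-process message layout quoted earlier in the thread.

```python
import re
import sys
from collections import Counter

# Constructed sample lines modelled on the Dovecot messages quoted in this thread.
SAMPLE_MAILLOG = """\
Jun 23 18:31:09 cpanel1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<abc>
Jun 23 18:31:12 cpanel1 dovecot: pop3-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.0.2.11, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown, session=<def>
Jun 23 18:31:15 cpanel1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<ghi>
Jun 23 18:31:20 cpanel1 dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, mpid=1234, TLS, session=<jkl>
"""

# Matches the Dovecot login-process line layout: service, remote IP, then the
# OpenSSL error triple (code, function, reason) behind "SSL_accept() failed".
HANDSHAKE_RE = re.compile(
    r"dovecot: (?P<svc>\w+-login): .*?rip=(?P<rip>[^,]+),.*?"
    r"TLS handshaking: SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]+):"
    r"SSL routines:(?P<func>\w+):(?P<reason>[^,]+)"
)

# Editorial reading of the OpenSSL reasons seen in this thread (not cPanel text).
REASON_HINTS = {
    "unknown protocol": "ClientHello not recognised as TLS (legacy SSL-only client, "
                        "or plaintext sent to a TLS port)",
    "sslv3 alert certificate unknown": "client rejected the server certificate "
                                       "(untrusted CA or missing chain on the client)",
    "unsupported protocol": "client offered only versions below ssl_min_protocol",
    "no shared cipher": "client and server cipher lists do not overlap",
}


def summarize_tls_failures(lines):
    """Count Dovecot TLS handshake failures by reason, by login service and by client IP."""
    by_reason, by_rip, by_service = Counter(), Counter(), Counter()
    for line in lines:
        m = HANDSHAKE_RE.search(line)
        if not m:
            continue          # successful logins and unrelated lines are skipped
        by_reason[m["reason"].strip()] += 1
        by_rip[m["rip"]] += 1
        by_service[m["svc"]] += 1
    return {"by_reason": by_reason, "by_rip": by_rip, "by_service": by_service}


def format_report(summary, top=5):
    """Human-readable summary: reasons with hints, then the noisiest client addresses."""
    out = ["Handshake failures by reason:"]
    for reason, n in summary["by_reason"].most_common():
        out.append(f"{n:5d}  {reason}  [{REASON_HINTS.get(reason, 'see OpenSSL error text')}]")
    out.append("By login service:")
    for svc, n in summary["by_service"].most_common():
        out.append(f"{n:5d}  {svc}")
    out.append(f"Top {top} client addresses:")
    for rip, n in summary["by_rip"].most_common(top):
        out.append(f"{n:5d}  {rip}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python dovecot_tls_triage.py /var/log/maillog   (no argument: sample data)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            summary = summarize_tls_failures(fh)
    else:
        summary = summarize_tls_failures(SAMPLE_MAILLOG.splitlines())
    print(format_report(summary))
```

Counting distinct addresses per reason matters here: "unknown protocol" on port 993 is also what scanners and misconfigured clients sending plaintext produce, so a handful of noisy addresses is not the same signal as dozens of customer IPs failing after the upgrade.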
Same problem for me. Any news?
I can confirm that we are also experiencing a ton of support requests in the last 48 hours - all related to email and SSL/TLS and most of them Mac clients - some Android. I don't see anything in the 80 changelog about any changes. Would like a response from cPanel about what's happened here. We would like to have given some notice to our customers!
Same here. Changed minimum SSL version to v3 and clients can download email again. Not sure if this poses a security threat, but companies had to receive their emails ...
Hello, same problem for me. Any news?
@sneader provided the resolution to this issue, have you tried it?
Yes, the solution from member @sneader works for me. I want to know from official cPanel if it is the best. For me the best is to burn old clients and use only webmail 8) but customers don't like this! Thanks
We're seeing the same here with old Outlook clients (2010) and Mail.app on older Mac OS X versions.
Hello,

For some reason Dovecot reset the TLS configuration after the latest update. cPanel has opened an internal case number for this, which is CPANEL-28089. If you made changes to this value before, you'll need to roll them back to what they were before.

Version 68 of cPanel introduced new SSL ciphers to increase the security of the mail server; this enables TLS 1.2 and disables older SSL protocols such as TLS 1.0. You can read more on this in the blog post "TLS Changes in Version 68" on the cPanel Blog.

While cPanel makes every effort to ensure our product is as secure as possible, this does mean older operating systems and mail clients will be affected. Due to Windows 7 being an older system, versions of Outlook (2007 & 2010) on Windows 7 can only offer TLS 1.0 and below. Microsoft did release a patch to resolve this and enable the newer protocols, TLS 1.1 and TLS 1.2. You can read more information on Microsoft's blog here: After that is installed, be sure to reboot your local computer as well to ensure the patch was applied. Once you're back online, please try to connect to the cPanel server again.

[Option 2]: (NOT RECOMMENDED) If you must enable TLS 1.0 on the WHM/cPanel server for compatibility, then in WHM >> Home >> Service Configuration >> Exim Configuration Manager > Basic Settings:

Ensure that "Allow weak SSL/TLS ciphers" is "Off".

Change "SSL/TLS Cipher Suite List" to (this is one long line):
====
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
====

And change "Options for OpenSSL" to:
====
+no_sslv2 +no_sslv3
====

Then "Save" at the bottom of the page. This will enable TLS 1.0, 1.1, and 1.2 and should provide compatibility with older mail servers and clients that only support TLS 1.0.

For Dovecot, in WHM >> Home >> Service Configuration >> Mailserver Configuration:

Change "SSL Cipher List" to (this is one long line):
====
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
====

Change "SSL Minimum Protocol" to:
====
TLS1
====

Once that is enabled, or you have fully patched your Windows install, Windows should be able to connect to the server again.
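The point the thread keeps circling is that "SSL Minimum Protocol", not the cipher list, is what locks legacy clients out. As an added example (editor's code, not cPanel's), the script below takes the cipher string from the post above, classifies each suite, and shows which suites a client that only speaks a given TLS version could actually negotiate under each minimum-protocol value: every AEAD and SHA-256/384 suite in the list requires TLS 1.2 anyway, so a TLS 1.0-only client is limited to the plain "-SHA" CBC suites even when the minimum is lowered. The classification rules and the audit findings (3DES suites, suites without forward secrecy) are mine; the cipher string itself is the one quoted in the post.

```python
# Cipher string quoted in this thread (cPanel's "Option 2" value for both the Exim
# "SSL/TLS Cipher Suite List" and the Dovecot "SSL Cipher List").
THREAD_CIPHER_LIST = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

# Protocol versions discussed in this thread, lowest first (SSLv3 deliberately not modelled).
VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2"]


def parse_cipher_list(spec):
    """Split an OpenSSL cipher string into named suites and modifiers (!X, -X, +X, @...)."""
    suites, modifiers = [], []
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        (modifiers if token[0] in "!-+@" else suites).append(token)
    return suites, modifiers


def classify(suite):
    """Key exchange, bulk cipher, forward secrecy, and the lowest TLS version the suite exists in."""
    if suite.startswith("ECDHE-"):
        kx = "ECDHE"
    elif suite.startswith(("DHE-", "EDH-")):
        kx = "DHE"
    else:
        kx = "RSA"            # static RSA key transport: no forward secrecy
    if "DES-CBC3" in suite:
        bulk = "3DES"         # 64-bit block cipher (SWEET32 class)
    elif "CHACHA20" in suite:
        bulk = "CHACHA20-POLY1305"
    elif "GCM" in suite:
        bulk = "AES-GCM"
    else:
        bulk = "AES-CBC"
    # AEAD suites and the SHA-256/SHA-384 HMAC suites were introduced with TLS 1.2;
    # only the plain "-SHA" CBC suites can be negotiated by a TLS 1.0/1.1 client.
    needs_12 = bulk in ("CHACHA20-POLY1305", "AES-GCM") or suite.endswith(("SHA256", "SHA384"))
    return {"kx": kx, "bulk": bulk, "forward_secrecy": kx != "RSA",
            "min_tls": "TLSv1.2" if needs_12 else "TLSv1"}


def negotiable(spec, server_min, client_max):
    """Suites a client speaking at most client_max can use against a server whose
    ssl_min_protocol is server_min (server assumed to offer everything up to TLS 1.2)."""
    if VERSIONS.index(client_max) < VERSIONS.index(server_min):
        return []             # version negotiation fails before cipher selection is reached
    suites, _ = parse_cipher_list(spec)
    return [s for s in suites
            if VERSIONS.index(classify(s)["min_tls"]) <= VERSIONS.index(client_max)]


def audit(spec):
    """Findings a reviewer would raise about the list: 3DES suites and non-PFS suites."""
    findings = []
    for s in parse_cipher_list(spec)[0]:
        c = classify(s)
        if c["bulk"] == "3DES":
            findings.append((s, "3DES, 64-bit block; keep only while a client still needs it"))
        if not c["forward_secrecy"]:
            findings.append((s, "static RSA key exchange, no forward secrecy"))
    return findings


def strip_3des(spec):
    """The same list without the DES-CBC3 suites, modifiers preserved in place."""
    suites, modifiers = parse_cipher_list(spec)
    return ":".join([s for s in suites if classify(s)["bulk"] != "3DES"] + modifiers)


if __name__ == "__main__":
    for server_min in VERSIONS:
        for client_max in VERSIONS:
            n = len(negotiable(THREAD_CIPHER_LIST, server_min, client_max))
            print(f"ssl_min_protocol={server_min:8} client max {client_max:8}: {n:2d} suites")
    print()
    for suite, why in audit(THREAD_CIPHER_LIST):
        print(f"{suite:28} {why}")
```

Run against the thread's list, the table shows 0 suites for a TLS 1.0-only client while the minimum is TLSv1.2 and 12 once it is TLS1, which is why the posters who only changed the cipher list saw no improvement. The four DES-CBC3 entries are the ones a later post in this thread drops; `strip_3des` produces that shorter list.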
I have noticed even if the TLS 1.2 update is installed on Windows 7, mail clients still refuse to connect to it. Anyone else seen similar?
[Note: This post was updated on 06-26-2019 with updated information]

Hello Everyone,

Internal case CPANEL-28089 was opened to investigate reports of Dovecot configuration settings automatically reverting to the default values. This resulted in email client connectivity errors if the Dovecot settings were previously modified to allow for TLS compatibility with legacy email clients. cPanel & WHM version 80.0.20 was published to the CURRENT release tier with a fix to ensure the Dovecot mail server configuration settings are preserved upon future updates:

Fixed case CPANEL-28089: Correctly generate ssl_min_protocol based on the value of ssl_protocols, when applicable.

The full change log is available on the link below: to see a discussion of specific configuration changes known to help.

Additionally, you can use the following WHM API 1 function if you need to make changes to the Dovecot configuration settings via the command line:

TLSv1.2:
whmapi1 set_service_config_key api.version=1 service=dovecot key=ssl_min_protocol value=TLSv1.2

If "Back up System Files" is selected in WHM >> Backup Configuration and you have a backup available from before the issue started, then you can view an older copy of the Dovecot main file to determine which SSL protocol settings were reset. For example, here are the commands to use for compressed backups if you have system backup files from 06-20-2019:
cd /backup/2019-06-20/system/dirs/
tar xvzf /backup/2019-06-20/system/dirs/_var_cpanel.tar.gz
grep ssl_ /backup/2019-06-20/system/dirs/var/cpanel/conf/dovecot/main

Here are the commands to use for incremental backups if you have system backup files from 06-20-2019:
grep ssl_ /backup/2019-06-20/system/dirs/_var_cpanel/conf/dovecot/main

You can then browse to WHM >> Mailserver Configuration and adjust the current settings to match the previous values. Thank you.
Additionally, can anyone confirm if this issue occurred on a system that is not using CloudLinux?
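The post above recovers the old values by eye (grep the backup copy, then retype them in WHM). As an added example, not part of cPanel's post or its tooling, the script below compares the `ssl_` keys of the backup copy of `/var/cpanel/conf/dovecot/main` against the live file and prints the `whmapi1 set_service_config_key` invocations (the syntax quoted above) that would put each differing value back. Assumptions that are mine: the file is plain `key=value` lines (which is what the post's `grep ssl_` implies but does not state), the sample file contents are constructed, and passing `ssl_cipher_list` as the `key` is an extrapolation from the post, which only shows `ssl_min_protocol`.

```python
import shlex
import sys

# Constructed sample contents (assumed key=value layout of /var/cpanel/conf/dovecot/main):
# what a pre-update backup might hold, and what the server holds after the reset.
BACKUP_MAIN = """\
ssl=required
ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-SHA:!DSS
ssl_min_protocol=TLSv1
ssl_cert=</etc/dovecot/ssl/dovecot.crt
"""

CURRENT_MAIN = """\
ssl=required
ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:!DSS
ssl_min_protocol=TLSv1.2
ssl_cert=</etc/dovecot/ssl/dovecot.crt
"""


def ssl_settings(text):
    """Return the ssl_* keys of a key=value config dump as a dict (comments/blank lines skipped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key.startswith("ssl_"):
            settings[key] = value.strip()
    return settings


def changed_keys(backup_text, current_text):
    """Keys present in the backup whose live value differs: {key: (backup_value, current_value)}."""
    old, new = ssl_settings(backup_text), ssl_settings(current_text)
    return {k: (old[k], new.get(k)) for k in sorted(old) if old[k] != new.get(k)}


def restore_commands(backup_text, current_text):
    """whmapi1 calls (syntax quoted in this thread) that would restore each backup value.
    Values are shell-quoted because cipher strings contain '!' and ':'; review the
    output before running it rather than piping it straight into a shell."""
    return [
        "whmapi1 set_service_config_key api.version=1 service=dovecot "
        f"key={key} value={shlex.quote(old_value)}"
        for key, (old_value, _) in changed_keys(backup_text, current_text).items()
    ]


if __name__ == "__main__":
    # Usage: python dovecot_ssl_diff.py <backup main> <live main>   (no args: sample data)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            backup = fh.read()
        with open(sys.argv[2]) as fh:
            current = fh.read()
    else:
        backup, current = BACKUP_MAIN, CURRENT_MAIN
    for key, (old, new) in changed_keys(backup, current).items():
        print(f"{key}: backup={old!r} current={new!r}")
    print("\nCommands that would restore the backup values:")
    for cmd in restore_commands(backup, current):
        print(cmd)
```

Diffing only the `ssl_` keys keeps certificate paths and unrelated settings out of the picture, and printing the commands instead of executing them lets the operator decide per key whether the old value (for example an `SSLv3` minimum) is something they actually want back.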
Yes, we've seen this reset of configuration settings happening on a non-CloudLinux server as well. Can provide IP via PM or otherwise if needed.
Thanks, I've confirmed additional affected systems include both CentOS and CloudLinux. I've removed the question from my previous response and will update this thread with more information shortly. Thanks!
Hello, @cPanelMichael Can you please provide the recommended values to temporarily fix this issue?

The temporary workaround is to browse to WHM >> Mailserver Configuration and adjust the settings to your preferred values.
Fixed for now by doing this with my colleagues (yes, this breaks down some security, etc.), but we have to fix it until cPanel helps.

Home » Service Configuration » Mailserver Configuration
SSL Cipher List: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSL Minimum Protocol: TLSv1.2

Home » Service Configuration » Exim Configuration Manager
Options for OpenSSL: +no_sslv2 +no_sslv3
SSL/TLS Cipher Suite List: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
Security: "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server." from "On" to "Off"
Same issue here. Started watching this thread... looking forward to receiving cPanel feedback.
I guess there's no real "fix" to this other than it not happening again and finding a way to recover your old settings if you don't have a backup. What would have been nice is if a backup file had been created of the original configuration file before the update. Does that exist anywhere for recovery? So far, none of the option changes here have fully resolved it for us as we are still getting reports of users not able to pick up mail.
I would also like to know if the dovecot.conf file is backed up anywhere (part of the cPanel nightly backup?) If not, I wonder if @cPanelMichael might be willing to look into this. I hope it isn't something that would require a feature request. - Scott
I have this same issue with incoming mail on port 995 only.
I guess my big question at this point that I'm not sure has been answered is: is this JUST configuration changes, or has some of the old encryption code been removed and some users simply won't be able to get back on without an update to the software? I have checked with a client's cPanel backup on their VPS and the dovecot.conf does not appear to get backed up. I'm awaiting a senior analyst with Jetbackup's team to hear if we can extract a dovecot.conf from a disaster recovery backup. The fact that we've made adjustments that are noted here and are still having some users not getting logged in is pointing to the fact that this is more than just reconfiguring...
Based on my last fix (I try to help people with something I tested and used on my servers), the problem is solved for users of Outlook 2007/2010 (port 110 POP3 without encryption or port 143 IMAP without encryption, and port 587 SMTP with automatic encryption). Again, this is a temporary workaround until the cPanel team fixes this case. Thank you!
heh... And unfortunately, we converted everyone over to SSL-only mail and don't allow unencrypted connections so we're hurting! I'm about done with email hosting at this point...
Is this the best way to allow older email clients like Outlook 2000 to connect now?

Home » Service Configuration » Mailserver Configuration
SSL Cipher List: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
SSL Minimum Protocol: SSLv3

Home » Service Configuration » Exim Configuration Manager
Options for OpenSSL: +no_sslv2
SSL/TLS Cipher Suite List: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
Security: "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server." from "On" to "Off"