[CPANEL-28089] Dovecot TLS configuration reset upon update
Since this morning, I can't RECEIVE emails with Outlook 2010 (POP3 and IMAP accounts). No problem to SEND emails. I get the error 800CCC1A for POP3 accounts using port 995 and SSL connection. I also get the error 800CCC0E for IMAP accounts using port 993 and SSL connection.
Otherwise, I am able to receive and send emails with Gmail App on my phone with IMAP accounts using port 993 and TLS/SSL connection.
My cPanel version is v80.0.18. The SSL certificate seems to be fine. I see some updates in folder /etc/dovecot/ from today but not sure if it's related. Not sure either if I have to update cipher settings.
Can someone help me, please? Thanks in advance!
We've fixed this, for now, by changing the SSL Minimum Protocol back to "SSL v3" and this has solved the problem for our customers. - Scott
Great! Thanks for the heads up.
Is there any update on this issue? The workarounds are less than acceptable from a security standpoint. Wading through backups to find the previous settings could be an exercise in futility as the next system update may reset everything again.
Wondering about information as well (subscribing to this thread). Obviously the only solution is to make sure clients use at least TLS 1.2, but that is sometimes not possible and leaves action to the clients, who do not understand why this suddenly happens to them. While I agree they should switch to TLS 1.2, they should have been given a heads up in a proper way, not by just pulling the plug, which cPanel seems to have done here.
Subscribing - same issues here.
SSLv3 is a very bad choice. Better use TLSv1 when you really need it.
I rolled back my settings to TLSv1 and that does the trick for Outlook '11. And yes - SSLv3 -- you don't want to do that at any cost. It's likely better to have people complaining about their email.
I see update 80.0.20 is addressing this case: Fixed case CPANEL-28089: Correctly generate ssl_min_protocol based on the value of ssl_protocols, when applicable. What exactly will that do?
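Added example, not part of any post in this thread and not cPanel's code: a drift check that reads Dovecot config text, derives the lowest protocol it accepts from either ssl_min_protocol or an older ssl_protocols list, and flags anything below TLSv1.2. It assumes that a positive entry in ssl_protocols means "only these" while "!" entries exclude, and that the last matching line in the file wins; the sample configs are constructed.

```python
import re

# Dovecot protocol names, oldest to newest.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def canon(name):
    for proto in ORDER:
        if proto.lower() == name.lower():
            return proto
    raise ValueError(f"unknown protocol {name!r}")

def min_from_ssl_protocols(value):
    """Lowest protocol left enabled by an ssl_protocols list."""
    include, exclude = set(), set()
    for token in re.split(r"[,\s]+", value.strip()):
        if token:
            target = exclude if token.startswith("!") else include
            target.add(canon(token.lstrip("!")))
    # Any positive entry means "only these"; "!" entries still override.
    enabled = [p for p in ORDER
               if (not include or p in include) and p not in exclude]
    if not enabled:
        raise ValueError("ssl_protocols disables every protocol")
    return enabled[0]

def effective_minimum(conf_text):
    """(setting, minimum) from the last matching line, or None."""
    found = None
    for line in conf_text.splitlines():
        m = re.match(r"\s*(ssl_min_protocol|ssl_protocols)\s*=\s*([^#]*)", line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            proto = canon(val) if key == "ssl_min_protocol" else min_from_ssl_protocols(val)
            found = (key, proto)
    return found

def below_floor(conf_text, floor="TLSv1.2"):
    """True when the config accepts a protocol older than floor."""
    found = effective_minimum(conf_text)
    if found is None:
        return False  # nothing set explicitly; the build default is not judged here
    return ORDER.index(found[1]) < ORDER.index(floor)

# Constructed sample configs (not taken from the thread).
WORKAROUND = "ssl = required\nssl_min_protocol = SSLv3\n"
LEGACY = "ssl_protocols = !SSLv2 !SSLv3  # old-style list\n"
STRICT = "ssl_min_protocol = TLSv1.2\n"

if __name__ == "__main__":
    for name, conf in [("workaround", WORKAROUND), ("legacy", LEGACY), ("strict", STRICT)]:
        print(name, effective_minimum(conf), "BELOW FLOOR" if below_floor(conf) else "ok")
```

Run against the live config after each update, this catches a reset of the minimum protocol before mail clients or auditors do.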
I wanted to share some information for others who might still be coming across this issue - I upgraded servers this past week and sure enough I have one account with one person still on Windows 7. No matter what I tried yesterday nothing could get SMTP working on TLS for her, and I of course did not want to revert security on the new server for one individual on an outdated desktop. I came across an excellent VISUAL step-by-step tutorial for editing the registry to add TLS support to Windows 7 and it worked PERFECTLY and was about a 3 minute task on that desktop. Huge THANKS to Accu Web Hosting for the excellent knowledge base article: manage.accuwebhosting.com/knowledgebase/3008/How-do-I-enable-TLS-12-on-Windows-7.html
Hello :) Here's a quote of my response at for anyone seeking more information about TLS 1.2 support in email applications:

Hello Everyone, I put together the following overview of this topic for anyone seeing this thread for the first time:

Reported Issue

Attempting to send or receive emails using email applications or operating systems which lack support for Transport Layer Security (TLS) Version 1.2 can result in error messages such as the one below:

error (0x800CCC1A) : 'Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.'

Do you know of any additional error messages that should appear above? Reply to this thread to let us know! Thanks!

Technical Summary

Exim and Dovecot utilize OpenSSL as a means of providing secure connections between email applications and your server. Here's a quote from our documentation describing OpenSSL's two primary settings:

TLS version 1.2 is enabled as the default protocol for cPanel & WHM services (e.g. Exim, Dovecot). Thus, if an email application or operating system does not support the use of TLS version 1.2, then attempts to send or receive email will fail with errors like the one included above.

Recommended Solution

Modifying the default cipher and protocol settings for Exim and Dovecot in order to permit less secure connections between legacy email applications and your cPanel & WHM server is not recommended. While such actions are effective at quickly restoring the ability for legacy email applications to send and receive email, it comes at the expense of operating a less secure server. The recommended approach is to communicate this security knowledge to the person using the legacy email application and/or legacy operating system. Encourage updates to, and adoption of, email applications and operating systems that support modern cipher and protocol requirements.

Or, in the case of users experiencing this issue on Windows 7, it's possible to enable TLS 1.2 using the instructions in the document linked below:

What about TLS version 1.3?

You can track the status of TLS 1.3 support on the following feature request: