

SOLVED Cannot send email from Outlook 2007 with 5.2.4 -- Connection error SSL routines TLS



  • Hi

    Since update 5.2.4, we are experiencing problems sending mail from Outlook 2007 (running on Win7).

    Outlook Error message: 0x800CCC80 – None of the authentication methods supported by this client are supported by your server

    Log error on email server says:

    client [187.188.xxx.xxx] connection error: Error: 140072188094336:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported
    

    Not sure if it's related, but we had a similar problem this past March and fixed it this way:
    https://forum.cloudron.io/topic/2221/cloudron-5-released/13

    I've returned the setting to TRUE but the problem persists.

    Complete log:

    Jun 01 17:47:44 [INFO] [8B8B81F3-5B6B-48A1-ABE1-DEC2ADED8DA1] [spf] identity=helo ip=187.188.xxx.xxx domain="PROYECTOS01" mfrom=<postmaster@PROYECTOS01> result=None
    Jun 01 17:47:44 [INFO] [8B8B81F3-5B6B-48A1-ABE1-DEC2ADED8DA1] [spf] scope: helo, result: None, domain: PROYECTOS01
    Jun 01 17:47:44 [INFO] [8B8B81F3-5B6B-48A1-ABE1-DEC2ADED8DA1] [core] client [187.188.xxx.xxx] connection error: Error: 140072188094336:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:
    Jun 01 17:47:44 [NOTICE] [8B8B81F3-5B6B-48A1-ABE1-DEC2ADED8DA1] [core] disconnect ip=187.188.xxx.xxx rdns=fixed-187-188-143-228.totalplay.net helo=PROYECTOS01 relay=N early=N esmtp=Y tls=N pipe=N errors=0 txns=0 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="" time=0.184
    Jun 01 17:47:45 [NOTICE] [BC430C61-CB61-44B6-A2C6-EBB2F79CDBA4] [core] connect ip=187.188.xxx.xxx port=54382 local_ip=:: local_port=2525
    Jun 01 17:47:45 [INFO] [BC430C61-CB61-44B6-A2C6-EBB2F79CDBA4] [helo.checks] helo_host: PROYECTOS01, pass:bare_ip, host_mismatch, fail:valid_hostname(no_dot), rdns_match, skip:dynamic(no dots)
    

    Thanks for your help


  • Staff



  • Thanks @girish

    Just for the record, besides installing the KB and setting the DefaultSecureProtocols registry entries, I also needed to add the following keys:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    "DisabledByDefault"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    

  • Staff

    @rfg Thanks for the update!


  • App Dev

    @rfg You should upgrade to Windows 10 (It's free for crying out loud 😉 ) and Office 365. I have no issues using the latest.

    Also, can you please amend your title to say "Outlook 2007" so users using the latest Outlook program do not get confused and follow the wrong directions to fix an issue?

    If you would like, I can help you find an upgrade path to Win10 + O365 as well. Let me know!



  • @girish This has come to bite me too now for one of my clients. After we got past the blacklisted IP on Spamhaus, we determined that the second issue is that they are on an old version of macOS and it seems to not support TLSv1.1 nor TLSv1.2.

    Logs:

    Jun 10 21:31:33 [INFO] [096611F0-ACB5-4CC0-8D6C-42395E10661B] [access] whitelist: true, pass:connect.rdns_access.whitelist
    Jun 10 21:31:34 [INFO] [096611F0-ACB5-4CC0-8D6C-42395E10661B] [helo.checks] helo_host: [10.0.0.183], pass:bare_ip, host_mismatch, fail:rdns_match(literal), skip:dynamic(literal), valid_hostname(literal)
    Jun 10 21:31:35 [INFO] [096611F0-ACB5-4CC0-8D6C-42395E10661B] [core] client [<ClientIPaddress>] connection error: Error: 140689161090944:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:
    Jun 10 21:31:35 [NOTICE] [096611F0-ACB5-4CC0-8D6C-42395E10661B] [core] disconnect ip=<ClientIPaddress> rdns=<ISPhostname> helo=[10.0.0.183] relay=N early=N esmtp=Y tls=N pipe=N errors=0 txns=0 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="" time=1.967
    

    While I can recommend they upgrade (and I will be recommending it for sure, I didn't realize they were so behind in macOS versions), it's also kind of hard to dictate what OS my clients run (at least at this stage since I didn't exactly have that in any contracts before). Is there a way I can temporarily enable TLSv1.0 support for them until they are done upgrading?
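
To see which clients are still failing the handshake, the rejected connections can be pulled out of the mail log and grouped by client. This is an added example, not part of the posts above or of Cloudron/Haraka; it assumes the log format quoted in this thread, and the function names and sample lines are made up.

```shell
#!/bin/sh
# Added example: list clients Haraka dropped with "unsupported protocol".
# Reads log lines in the format shown in this thread from stdin or files and
# prints "<failures> <ip> <helo>" per client, most failures first.
legacy_tls_clients() {
    awk '
    # The connection UUID is the bracketed hex-and-dash token on each line.
    function conn_id(line) {
        if (match(line, /\[[0-9A-F]+(-[0-9A-F]+)+\]/))
            return substr(line, RSTART + 1, RLENGTH - 2)
        return ""
    }
    # Value of key=value among the space-separated fields of the current line.
    function kv(key,    i, n) {
        n = length(key) + 1
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, n) == (key "="))
                return substr($i, n + 1)
        return "?"
    }
    # Remember connections whose TLS handshake failed on protocol version.
    /connection error/ && /unsupported protocol/ { failed[conn_id($0)] = 1 }
    # The disconnect line of the same connection carries ip= and helo=.
    /\[core\] disconnect / {
        id = conn_id($0)
        if (id in failed) { hits[kv("ip") " " kv("helo")]++; delete failed[id] }
    }
    END { for (c in hits) print hits[c], c }
    ' "$@" | sort -rn
}

# Constructed sample (documentation IPs, made-up UUIDs), not real log data.
sample_log() {
    cat <<'EOF'
Jun 01 10:00:01 [INFO] [AAAA0001-0000-4000-8000-000000000001] [core] client [198.51.100.7] connection error: Error: 1:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:
Jun 01 10:00:01 [NOTICE] [AAAA0001-0000-4000-8000-000000000001] [core] disconnect ip=198.51.100.7 rdns=NXDOMAIN helo=OLDPC relay=N tls=N
Jun 01 10:00:05 [NOTICE] [AAAA0002-0000-4000-8000-000000000002] [core] disconnect ip=203.0.113.9 rdns=NXDOMAIN helo=mail.example.org relay=N tls=Y
Jun 01 10:00:09 [INFO] [AAAA0003-0000-4000-8000-000000000003] [core] client [198.51.100.7] connection error: Error: 1:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:
Jun 01 10:00:09 [NOTICE] [AAAA0003-0000-4000-8000-000000000003] [core] disconnect ip=198.51.100.7 rdns=NXDOMAIN helo=OLDPC relay=N tls=N
Jun 01 10:00:12 [INFO] [AAAA0004-0000-4000-8000-000000000004] [core] client [192.0.2.44] connection error: Error: 1:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:
Jun 01 10:00:12 [NOTICE] [AAAA0004-0000-4000-8000-000000000004] [core] disconnect ip=192.0.2.44 rdns=NXDOMAIN helo=[10.0.0.5] relay=N tls=N
EOF
}

sample_log | legacy_tls_clients
```

An empty report after clients have upgraded shows that no connection in that log was rejected for its protocol version.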


  • Staff

    @d19dotca Maybe you can try something like this:

    1. docker exec -ti mail /bin/bash
    2. Edit /run/haraka/config/tls.ini
    3. Add the secureProtocol line like below (be careful not to add it to the end since it has to be outside any section):
    ; default tls version and ciphers come from node (better to upgade node than set them here)
    
    secureProtocol = TLSv1_method
    
    [no_tls_hosts]
    172.18.0.0/16
    127.0.0.1
    
    4. supervisorctl restart haraka

    Does it work after that?

    Unfortunately, the above changes are not persisted. So, you have to make the changes on server restart and sometimes on cloudron update (if we updated the mail container).
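
Since the edit has to be repeated after a restart or update, it is easier to keep it as a step that can be re-run. This is an added example, not code from the post or from Cloudron: it writes the key before the first section header, as the post requires, and a second run changes nothing. `set_top_level_key` is a hypothetical helper and the sample file is constructed.

```shell
#!/bin/sh
# Added example: idempotently set a top-level key in an INI file like tls.ini.

# set_top_level_key FILE KEY VALUE   (hypothetical helper)
# Ensures "KEY = VALUE" appears once before the first [section] header.
# Assumes KEY contains no regular-expression metacharacters.
set_top_level_key() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
    # Existing top-level assignment: rewrite the first, drop any repeats.
    in_section == 0 && $0 ~ ("^[ \t]*" key "[ \t]*=") {
        if (!done) { print key " = " value; done = 1 }
        next
    }
    # First section header: the key has to be in place before this line.
    in_section == 0 && /^[ \t]*\[/ {
        if (!done) { print key " = " value; print ""; done = 1 }
        in_section = 1
    }
    { print }
    # File without any section header: append the key at the end.
    END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample modelled on the tls.ini excerpt in the post above.
sample_tls_ini() {
    printf '%s\n' '; default tls settings come from node' '' \
        '[no_tls_hosts]' '172.18.0.0/16' '127.0.0.1'
}

demo() {
    f=$(mktemp) || return 1
    sample_tls_ini > "$f"
    set_top_level_key "$f" secureProtocol TLSv1_method
    set_top_level_key "$f" secureProtocol TLSv1_method   # re-run: no change
    cat "$f"
    rm -f "$f"
}
demo
```

Inside the mail container the call would be `set_top_level_key /run/haraka/config/tls.ini secureProtocol TLSv1_method`, followed by `supervisorctl restart haraka` as in step 4.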


  • Staff