Cannot send email from Outlook 2007 with 5.2.4 -- Connection error SSL routines TLS

rfg

Hi

Since update 5.2.4, we are experience problems to sent mail from Outlook 2007 (running on win7)

Outlook Error message: 0x800CCC80 – None of the authentication methods supported by this client are supported by your server

Log error on email server says:

client [187.188.xxx.xxx] connection error: Error: 140072188094336:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported

Not sure if it's related, but we had similar problem past march and fixed in this way:
https://forum.cloudron.io/topic/2221/cloudron-5-released/13

I've returned the setting to TRUE but the problem persists.

Complete log:

Jun 01 17:47:44 [INFO] [8B8B81F3-5B6B-48A1-ABE1-DEC2ADED8DA1] [spf] identity=helo ip=187.188.xxx.xxx domain="PROYECTOS01" mfrom=<postmaster@PROYECTOS01> result=None
Jun 01 17:47:44 [INFO] [8B8B81F3-5B6B-48A1-ABE1-DEC2ADED8DA1] [spf] scope: helo, result: None, domain: PROYECTOS01
Jun 01 17:47:44 [INFO] [8B8B81F3-5B6B-48A1-ABE1-DEC2ADED8DA1] [core] client [187.188.xxx.xxx] connection error: Error: 140072188094336:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:
Jun 01 17:47:44 [NOTICE] [8B8B81F3-5B6B-48A1-ABE1-DEC2ADED8DA1] [core] disconnect ip=187.188.xxx.xxx rdns=fixed-187-188-143-228.totalplay.net helo=PROYECTOS01 relay=N early=N esmtp=Y tls=N pipe=N errors=0 txns=0 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="" time=0.184
Jun 01 17:47:45 [NOTICE] [BC430C61-CB61-44B6-A2C6-EBB2F79CDBA4] [core] connect ip=187.188.xxx.xxx port=54382 local_ip=:: local_port=2525
Jun 01 17:47:45 [INFO] [BC430C61-CB61-44B6-A2C6-EBB2F79CDBA4] [helo.checks] helo_host: PROYECTOS01, pass:bare_ip, host_mismatch, fail:valid_hostname(no_dot), rdns_match, skip:dynamic(no dots)

Thanks for your help

girish

I think the issue is that we removed TLS 1.0 support. Can you enable TLS 1.2 support in Outlook using one of the following articles:

• https://www.siteground.com/kb/how-to-enable-tls-1-1-and-1-2-in-outlook-on-windows-7/
• https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi
• https://www.greengeeks.com/tutorials/article/how-to-enable-tls-1-1-and-1-2-in-outlook-windows-7/

rfg

Thanks @girish

Just for the record, besides to install the KB and set the DefaultSecureProtocols registry entries, I also need to add the following keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
“DisabledByDefault”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
“DisabledByDefault”=dword:00000000

girish

@rfg Thanks for the update!

murgero

@rfg You should upgrade to Windows 10 (It's free for crying out loud ) and Office 365. I have no issues using the latest.

Also, can you please amend your title to say "Outlook 2007" so users using the latest Outlook program do not get confused and follow the wrong directions to fix an issue?

If you would like, I can help you find an upgrade path to Win10 + O365 as well. Let me know!

d19dotca

@girish This has come to bite me too now for one of my clients, after we got past the blacklisted IP on Spamhaus, we determined that the second issue is that they are on an old version of macOS and it seems to not support TLSv1.1 nor TLSv1.2.

Logs:

Jun 10 21:31:33 [INFO] [096611F0-ACB5-4CC0-8D6C-42395E10661B] [access] whitelist: true, pass:connect.rdns_access.whitelist
Jun 10 21:31:34 [INFO] [096611F0-ACB5-4CC0-8D6C-42395E10661B] [helo.checks] helo_host: [10.0.0.183], pass:bare_ip, host_mismatch, fail:rdns_match(literal), skip:dynamic(literal), valid_hostname(literal)
Jun 10 21:31:35 [INFO] [096611F0-ACB5-4CC0-8D6C-42395E10661B] [core] client [<ClientIPaddress>] connection error: Error: 140689161090944:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1686:
Jun 10 21:31:35 [NOTICE] [096611F0-ACB5-4CC0-8D6C-42395E10661B] [core] disconnect ip=<ClientIPaddress> rdns=<ISPhostname> helo=[10.0.0.183] relay=N early=N esmtp=Y tls=N pipe=N errors=0 txns=0 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="" time=1.967

While I can recommend they upgrade (and I will be recommending it for sure, I didn't realize they were so behind in macOS versions), it's also kind of hard to dictate what OS my clients run (at least at this stage since I didn't exactly have that in any contracts before). Is there a way I can temporarily enable TLSv1.0 support for them until they are done upgrading?

girish

@d19dotca Maybe you can try something like this:

1. docker exec -ti mail /bin/bash
2. Edit /run/haraka/config/tls.ini
3. Add the secureProtocol line like below (be careful not to add it to the end since it has to be outside any section):

; default tls version and ciphers come from node (better to upgade node than set them here)

secureProtocol = TLSv1_method

[no_tls_hosts]
172.18.0.0/16
127.0.0.1

4. supervisorctl restart haraka

Does it work after that?

Unfortunately, the above changes are not persisted. So, you have to make the changes on server restart and sometimes on cloudron update (if we updated the mail container).

girish

https://help.nexcess.net/77209-third-party-email-clients/how-to-allow-outlook-to-connect-over-tls-1112 has the registry instructions.