One of our RHEL7 InterWorx Servers had updates to mail packages last night, and today one of the domains where the client uses Outlook 2010 gets the following message when they try to send mail :
"Sending reported error (0x800CCC80) : ‘None of the authentication methods supported by this client are supported by your server.’
Due to ISP restrictions they’re sending through port 587 which we have set to SMTP-AUTH over TLS required. It’s worked fine until this point, so we’re wondering if the recent update made any changes to the TLS requirements?
Just a thought, they might have removed support for older TLS. I did this myself a while back so I could past those PCI test. I think on some Windows 7 computers you have to change some config so that they will use the updated TLS as well. Not sure if this is your issue, but worth looking into.
Thank you Sir… That was my thought as well and it turned out to be the case. We did the Registry changes on the affected machines as documented by Microsoft and the issue was resolved.
So, it seems it’s more widespread than a few older Outlook clients having issues. Is there any way to re-enable the support for the older TLS versions?
Those are the same updates that led to our issue. When we made the modifications to the Windows Registry to enable TLS 1.1 and 1.2 in the clients experiencing issues, their problem went away (Enabling TLS 1.1 and 1.2 in Outlook on Windows 7 | Microsoft Learn). We have however, run into an issue sending from an older Interworx mail server still running on CentOS 5 to the updated server. The messages eventually bounce back as undeliverable with :
TLS not available: connect failed: error:00000000:lib(0):func(0):reason(0)
We’re in process of working to migrate domains off that server, but for the moment it’s an issue.
I believe you can control the protocols via NodeWorx SSL settings (https://yourserver.com:2443/nodeworx/ssl). When I originally worked on this I was editing the config files directly on the shell, but don’t think this is needed anymore. I’m guessing you can just add support back in for older TLS for now. I think InterWorx just removed them because those old TLS protocol are not secure anymore, but doubt they will specifically block you from adding it back.
I?m sorry I was nearly correct in a fashion but Jenna let me as below
Many thanks
John
Hello–
For that email issue, the latest update set TLS 1.1 as the default, which could affect older mail clients that do not have that option. If anyone puts in a ticket, they can resolve this by creating a file called /var/qmail/control/tlsprotocol and add: TLSv1+