Announcement

Collapse
No announcement yet.

Issues with Outlook 2010 Sending Mail following RHEL7 QMail update...

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Issues with Outlook 2010 Sending Mail following RHEL7 QMail update...

    Good afternoon.

    One of our RHEL7 InterWorx Servers had updates to mail packages last night, and today one of the domains where the client uses Outlook 2010 gets the following message when they try to send mail :

    "Sending reported error (0x800CCC80) : 'None of the authentication methods supported by this client are supported by your server.'

    Due to ISP restrictions they're sending through port 587 which we have set to SMTP-AUTH over TLS required. It's worked fine until this point, so we're wondering if the recent update made any changes to the TLS requirements?

    Thanks!

    Phil D. Malmstrom
    philm@diamondcomputer.com

  • Bertie
    replied
    Also to update this thread - This also effects people on older macOS versions - 10.11.x and before. I believe updating to the more updated versions of macOS will resolve the problem if they are able to. Otherwise the fix of allowing 1.0 connections again will make it work as well.

    Leave a comment:


  • diamondcomputer
    replied
    Originally posted by d2d4j View Post
    Hi Bertie and Phill

    I believe I have this figured out

    You need to create the file tlsprotocol (/var/qmail/control) and if you add the following into the new file, you will enable TLSv1 as follows:

    SSH into server

    vi /var/qmail/control/tlsprotocol

    HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW

    Save

    service smtp restart

    Hope that helps a little

    Many thanks

    John

    Test before tlsprotocol added - no TLSv1

    Testing protocols via sockets

    SSLv2 not offered (OK)
    SSLv3 not offered (OK)
    TLS 1 not offered
    TLS 1.1 offered
    TLS 1.2 offered (OK)
    TLS 1.3 not offered

    Test after tlsprotocol added - TLSv1 now available

    Testing protocols via sockets

    SSLv2 not offered (OK)
    SSLv3 not offered (OK)
    TLS 1 offered
    TLS 1.1 offered
    TLS 1.2 offered (OK)
    TLS 1.3 not offered
    Hi John.

    Thanks so much for your help... That did the trick!

    Have a great day!

    -Phil

    Leave a comment:


  • d2d4j
    replied
    Hi Bertie, phill and Justin

    Iím sorry I was nearly correct in a fashion but Jenna let me as below

    Many thanks

    John

    Hello--

    For that email issue, the latest update set TLS 1.1 as the default, which could affect older mail clients that do not have that option. If anyone puts in a ticket, they can resolve this by creating a file called /var/qmail/control/tlsprotocol and add: TLSv1+

    cat /var/qmail/control/tlsprotocol
    TLSv1+

    Leave a comment:


  • d2d4j
    replied
    Hi Bertie and Phill

    I believe I have this figured out

    You need to create the file tlsprotocol (/var/qmail/control) and if you add the following into the new file, you will enable TLSv1 as follows:

    SSH into server

    vi /var/qmail/control/tlsprotocol

    HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW

    Save

    service smtp restart

    Hope that helps a little

    Many thanks

    John

    Test before tlsprotocol added - no TLSv1

    Testing protocols via sockets

    SSLv2 not offered (OK)
    SSLv3 not offered (OK)
    TLS 1 not offered
    TLS 1.1 offered
    TLS 1.2 offered (OK)
    TLS 1.3 not offered

    Test after tlsprotocol added - TLSv1 now available

    Testing protocols via sockets

    SSLv2 not offered (OK)
    SSLv3 not offered (OK)
    TLS 1 offered
    TLS 1.1 offered
    TLS 1.2 offered (OK)
    TLS 1.3 not offered

    Leave a comment:


  • Justec
    replied
    I believe you can control the protocols via NodeWorx SSL settings (https://yourserver.com:2443/nodeworx/ssl). When I originally worked on this I was editing the config files directly on the shell, but don't think this is needed anymore. I'm guessing you can just add support back in for older TLS for now. I think InterWorx just removed them because those old TLS protocol are not secure anymore, but doubt they will specifically block you from adding it back.

    This thread I shared above should shed a bit more light on this: https://forums.interworx.com/forum/n...te-import-idea

    Leave a comment:


  • d2d4j
    replied
    Hi Bertie

    Many thanks and sorry not in front of a computer- using Tapatalk from mobile

    It would be tlsservercipher I think from memory

    Please remember to restart email services

    Many thanks

    John

    Leave a comment:


  • Bertie
    replied
    Yeah I'm just trying to work out if the QMAIL updates have indeed changed anything or it hasn't but one of the upcoming Interworx updates (that hasn't been done on this server) will change it instead. I've had a look in /var/qmail/control and I do not see a file or folder called: tlsprotocol.

    The only files I can see are the following:

    tlsclientciphers
    tlsserverciphers
    Last edited by Bertie; 02-07-2019, 10:40 AM.

    Leave a comment:


  • d2d4j
    replied
    Hi Bertie and phill

    I would check the qmail tlsprotocol file shown in changelog above and make sure tlsv1 is not ! out or add tlsv1 back in

    Phill, the issue is tlsv1 has been disabled so your 5 server cannot agree/use that protocol

    You could whitelist the server ip as trusted in nodeworx I think

    Bertie, those updated files look like itís updated to newer versions

    Please remember to stop/start email services once any changes have been made for them to take effect

    Many thanks

    John

    Leave a comment:


  • diamondcomputer
    replied
    Originally posted by Bertie View Post

    Thanks John - I don't think our clients issue is probably related to this then. Ah well, was a thought. As it seems the IW server they are on hasn't been updated for quite a few months and is still on: InterWorx-CP v6.1.26.

    Although I have noticed in the software updates history table - There has been updates to qmail-pop3d, qmail, courier-imap on the 6th Feb. We also have HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW mentioned in the tlsserverciphers file.
    Hi Bertie.

    Those are the same updates that led to our issue. When we made the modifications to the Windows Registry to enable TLS 1.1 and 1.2 in the clients experiencing issues, their problem went away (https://blogs.technet.microsoft.com/...-on-windows-7/). We have however, run into an issue sending from an older Interworx mail server still running on CentOS 5 to the updated server. The messages eventually bounce back as undeliverable with :

    TLS not available: connect failed: error:00000000:lib(0):func(0):reason(0)

    We're in process of working to migrate domains off that server, but for the moment it's an issue.

    -Phil

    Leave a comment:


  • Bertie
    replied
    Originally posted by d2d4j View Post
    Hi Bertie

    I hope your well

    I think it must be the IW RC update to 6.3.1 as changelog shows

    ◾Updated the default TLS form qmail to TLS1.1+ for better compliance with PCI scans. This can be overridden at /var/qmail/control/tlsprotocol

    https://www.interworx.com/developers...-1-build-1631/

    so looking back, I think the protocols were

    HIGH:!MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NU LL:!LOW:!RC4

    and now are

    ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!D ES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

    Many thanks

    John
    Thanks John - I don't think our clients issue is probably related to this then. Ah well, was a thought. As it seems the IW server they are on hasn't been updated for quite a few months and is still on: InterWorx-CP v6.1.26.

    Although I have noticed in the software updates history table - There has been updates to qmail-pop3d, qmail, courier-imap on the 6th Feb. We also have HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW mentioned in the tlsserverciphers file.

    Leave a comment:


  • d2d4j
    replied
    Hi Bertie

    I hope your well

    I think it must be the IW RC update to 6.3.1 as changelog shows

    ◾Updated the default TLS form qmail to TLS1.1+ for better compliance with PCI scans. This can be overridden at /var/qmail/control/tlsprotocol

    https://www.interworx.com/developers...-1-build-1631/

    so looking back, I think the protocols were

    HIGH:!MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NU LL:!LOW:!RC4

    and now are

    ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!D ES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH

    Many thanks

    John

    Leave a comment:


  • Bertie
    replied
    So this could be the issue one of my clients is facing - Only affects a couple of people and mainly an application that does seem to run on some sort of Windows Server. Will have to check what operating systems they are using to make sure. But it does seem odd as it only started occurring yesterday and we have had the same QMAIL updates as well by the looks of it.

    Does anyone know which cipher support they have removed?
    Last edited by Bertie; 02-07-2019, 09:06 AM.

    Leave a comment:


  • d2d4j
    replied
    Hi Phil

    If you login to nodeworx, server, ssl and you can then set your ciphers and protocols

    Please remember to restart services such as email etc to be sure

    If that does not work, you can edit the TLS-pop3s files etc for the protocols you want but I suspect the above should suffice

    Many thanks

    John

    Leave a comment:


  • diamondcomputer
    replied
    So, it seems it's more widespread than a few older Outlook clients having issues. Is there any way to re-enable the support for the older TLS versions?

    Thanks!

    -Phil

    Leave a comment:

Working...
X