Package: offlineimap Version: 7.1.2+dfsg1-2 Severity: important As reported on the mailing list, offlineimap can no longer connect to the large number of insecure imap servers which still use TLS 1.0 or TLS 1.2, over which users have no control. This was the result of Kurt Roecke disabling those protocols in the Debian openssl packages.
He has now released version openssl (1.1.0f-5) which now allows those protocols to be used in restricted circumstances. From the changelog comment: "Instead of completly disabling TLS 1.0 and 1.1, just set the minimum version to TLS 1.2 by default. TLS 1.0 and 1.1 can be enabled again by calling SSL_CTX_set_min_proto_version() or SSL_set_min_proto_version()" So the Debian package must now call those procedures to enable connection to many imap servers. As far as I have seen, Kurt did not comment about this on the offlineimap thread, so this is my interpretation of what is required. In any case, offlineiamp 7.1.2+dfsg1-2 is currently failing to connect with the message as before OpenSSL responded: [SSL: VERSION_TOO_LOW] version too low (_ssl.c:661) *** Finished account 'ntlspam' in 0:00 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 4.11.0-1-686-pae (SMP w/2 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages offlineimap depends on: ii python 2.7.13-2 ii python-imaplib2 2.57-1 ii python-six 1.10.0-4 Versions of packages offlineimap recommends: ii python-socks 1.6.5-1 Versions of packages offlineimap suggests: pn python-kerberos <none> -- no debconf information