Hi Eric,
Hi Quinn,
thanks a lot for your help. I couldn't find the error, but hope on your
patch.
I have no other server to help my customers, so they can only have the
choice to use roundcube until it is fixed.
Maybe the attached log from testssl.sh can help a bit?
I couldn't find a way to set the cipher-order in qmail. Maybe I haven't
searched in the right list- archives?
Andreas
Am 24.10.22 um 17:57 schrieb Eric Broch:
I'm going to have to write a server side patch so we can determine the
problem.
On 10/24/2022 9:53 AM, Andreas wrote:
Ok, I just tried with Outlook 2019 on port 465, it doesn't work either.
It times out.
Am 24.10.22 um 17:22 schrieb Eric Broch:
did you try smtps port 465?
On 10/24/2022 9:13 AM, Andreas wrote:
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
#TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
TCP_CDB="/etc/tcprules.d/tcp.subm.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export SMTPAUTH="!"
exec /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c
"$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
$SMTPD $VCHKPW /bin/true 2>&1
Am 24.10.22 um 17:12 schrieb Eric Broch:
cat /var/qmail/supervise/submission/run
send results
On 10/24/2022 9:03 AM, Andreas wrote:
Hi Eric,
spamdyke is only in the mix with smtp, not with submission.
andreas
Am 24.10.22 um 15:55 schrieb Eric Broch:
is spamdyke in the mix?
On 10/24/2022 7:53 AM, Andreas wrote:
It is setup to use submission, someones use starttls some
automatic.
Andreas
Am 24.10.22 um 15:51 schrieb Eric Broch:
How is your SMTP set up in Outlook?
On 10/24/2022 7:50 AM, Andreas wrote:
Hi Eric,
that's right.
IMAP is OK
Andreas
Am 24.10.22 um 15:49 schrieb Eric Broch:
Sending emails would be a qmail issue wouldn't it? Not a
imap issue, right?
On 10/24/2022 7:45 AM, Andreas wrote:
Hi Eric,
Yes, it is only a issue when trying to send mails.
Retrieving mails is OK
Andreas
Am 24.10.22 um 15:30 schrieb Eric Broch:
Is this only a imap issue?
On 10/24/2022 6:46 AM, Andreas wrote:
Hi Eric,
with LEGACY it still doesn't work.
I tried FUTURE and get the following in dovecot-logs:
Error: Failed to initialize SSL server context: Can't
load SSL certificate (ssl_cert setting):
error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee
key too small: user=<>, rip=xx.xx.xx.xx, lip=xx.xx.xx.xx,
session=<HBCFFMfrgdROXk9Z>
Andreas
Am 24.10.22 um 14:24 schrieb Eric Broch:
What does this command yield?
update-crypto-policies --show
update-crypto-policies --set DEFAULT
update-crypto-policies --set LEGACY
update-crypto-policies --set FUTURE
On 10/24/2022 5:12 AM, Andreas wrote:
Hi list,
I have read the discussion and fix.
I have installed dovecot--2.3.19.1-2.x86_64 and
dovecot-mysql-2.3.19.1-2.x86_64
on RockyLinux 8
Since last update on Microsoft and Outlook they cannot
send emails.
In the log I dont see any error, on the client:
Task "myuser@... - Sending: reported error (Ox800CCC1A) :
'Your server does not support the connection encryption
type you have
specified. Try changing the encryption method. Contact
your mail server
administrator or internet service provider (ISP) for
additional assistance.'
Do you have any advice how I could change the server
settings?
Andreas
---------------------------------------------------------------------
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com
�[1m
###########################################################
testssl.sh 3.0.6 from �[m�[1mhttps://testssl.sh/�[m
�[1m
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ �[m�[1mhttps://testssl.sh/bugs/�[m
�[1m
###########################################################�[m
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~179 ciphers]
on TP-AG:./bin/openssl.Linux.x86_64
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
�[7m Start 2022-10-24 23:13:15 -->> xx.xx.x.xx:587 (send.mail,server)
<<--�[m
rDNS (xx.xx.x.xx): send.mail,server.
Service set: STARTTLS via SMTP
�[1m�[4m Testing protocols �[m�[4mvia sockets �[m
�[1m SSLv2 �[m�[1;32mnot offered (OK)�[m
�[1m SSLv3 �[mlikely �[1;32mnot offered (OK), �[m�[0;35mreceived 4xx/5xx
after STARTTLS handshake�[m, rerun with DEBUG>=2 or --ssl-native
�[1m TLS 1 �[m�[1;33moffered�[m (deprecated)
�[1m TLS 1.1 �[m�[1;33moffered�[m (deprecated)
�[1m TLS 1.2 �[m�[1;32moffered (OK)�[m
�[1m TLS 1.3 �[m�[1;32moffered (OK)�[m: final
�[1m�[4m Testing cipher categories �[m
�[1m NULL ciphers (no encryption) �[m�[1;32mnot offered (OK)�[m
�[1m Anonymous NULL Ciphers (no authentication) �[m�[1;32mnot offered (OK)�[m
�[1m Export ciphers (w/o ADH+NULL) �[m�[1;32mnot offered (OK)�[m
�[1m LOW: 64 Bit + DES, RC[2,4] (w/o export) �[m�[0;32mnot offered (OK)�[m
�[1m Triple DES Ciphers / IDEA �[mnot offered
�[1m Obsolete CBC ciphers (AES, ARIA etc.) �[m�[1;33moffered�[m
�[1m Strong encryption (AEAD ciphers) �[m�[1;32moffered (OK)�[m
�[1m�[4m Testing robust (perfect) forward secrecy�[m�[4m, (P)FS -- omitting
Null Authentication/Encryption, 3DES, RC4 �[m
�[0;32m PFS is offered (OK)�[m TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM
DHE-RSA-AES256-SHA TLS_AES_128_GCM_SHA256
TLS_AES_128_CCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-CCM DHE-RSA-AES128-SHA
�[1m Elliptic curves offered: �[m�[0;32mprime256v1�[m �[0;32msecp384r1�[m
�[0;32msecp521r1�[m �[0;32mX25519�[m �[0;32mX448�[m
�[1m DH group offered: �[m�[3mUnknown DH group�[m (�[0;32m2048
bits�[m)
�[1m�[4m Testing server preferences �[m
�[1m Has server cipher order? �[m�[0;31mno (NOT ok)�[m
�[1m Negotiated protocol �[m�[1;32mTLSv1.3�[m
�[1m Negotiated cipher �[m�[1;32mTLS_AES_256_GCM_SHA384�[m,
�[0;32m253 bit ECDH (X25519)�[m (limited sense as client will pick)
�[1m Negotiated cipher per proto�[m (limited sense as client will pick)
ECDHE-RSA-AES256-SHA: TLSv1, TLSv1.1
ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
TLS_AES_128_GCM_SHA256: TLSv1.3
No further cipher order check has been done as order is determined by the
client
�[1m�[4m Testing server defaults (Server Hello) �[m
�[1m TLS extensions (standard) �[m"renegotiation info/#65281" "EC point
formats/#11" "session ticket/#35" "supported versions/#43"
"key share/#51" "supported_groups/#10" "max
fragment length/#1" "encrypt-then-mac/#22"
"extended master secret/#23"
�[1m Session Ticket RFC 5077 hint �[m7200 seconds, session tickets keys seems
to be rotated < daily
�[1m SSL Session ID support �[myes
�[1m Session Resumption �[mTickets no, ID: no
�[1m TLS clock skew�[m Random values, no fingerprinting possible
�[1m Signature Algorithm �[m�[0;32mSHA256 with RSA�[m
�[1m Server key size �[mRSA 2048 bits
�[1m Server key usage �[mDigital Signature, Key Encipherment
�[1m Server extended key usage �[mTLS Web Server Authentication, TLS Web
Client Authentication
�[1m Serial / Fingerprints �[m0461F2D848E49073DCBC14927D28811F5C93 /
SHA1 BCF3B9D0C5D7635C9DD825C1A717CB0F5AE29A52
SHA256
22DE807DABCBEF115E8752CDB815708197085923EB69A782ACB6E2169A58A306
�[1m Common Name (CN) �[m�[3msend.mail,server �[m
�[1m subjectAltName (SAN) �[m�[3msend.mail,server �[m
�[1m Issuer �[m�[3mR3�[m (�[3mLet's Encrypt�[m from
�[3mUS�[m)
�[1m Trust (hostname) �[m�[0;32mOk via SAN�[m (same w/o SNI)
�[1m Chain of trust�[m �[0;32mOk �[m�[0;35m�[m
�[1m EV cert�[m (experimental) no
�[1m ETS/"eTLS"�[m, visibility info not present
�[1m Certificate Validity (UTC) �[m�[0;32m89 >= 30 days�[m (2022-10-24 08:31
--> 2023-01-22 08:31)
�[1m # of certificates provided�[m 3
�[1m Certificate Revocation List �[m--
�[1m OCSP URI �[mhttp://r3.o.lencr.org
�[1m OCSP stapling �[m�[1;33mnot offered�[m
�[1m OCSP must staple extension �[m--
�[1m DNS CAA RR�[m (experimental) �[1;33mnot offered�[m
�[1m Certificate Transparency �[m�[0;32myes�[m (certificate extension)
�[1m�[4m Testing vulnerabilities �[m
�[1m Heartbleed�[m (CVE-2014-0160) �[1;32mnot vulnerable
(OK)�[m, no heartbeat extension
�[1m CCS�[m (CVE-2014-0224) �[1;32mnot vulnerable (OK)�[m
�[1m ROBOT �[m�[1;32mnot vulnerable (OK)�[m
�[1m Secure Renegotiation (RFC 5746) �[m�[1;32msupported (OK)�[m
�[1m Secure Client-Initiated Renegotiation �[m�[0;33mVULNERABLE (NOT
ok)�[m, potential DoS threat
�[1m CRIME, TLS �[m(CVE-2012-4929) �[0;32mnot vulnerable (OK)�[m
(not using HTTP anyway)
�[1m POODLE, SSL�[m (CVE-2014-3566) �[1;32mnot vulnerable
(OK)�[m, no SSLv3 support
�[1m TLS_FALLBACK_SCSV�[m (RFC 7507) �[0;32mDowngrade attack
prevention supported (OK)�[m
�[1m SWEET32�[m (CVE-2016-2183, CVE-2016-6329) �[1;32mnot vulnerable (OK)�[m
�[1m FREAK�[m (CVE-2015-0204) �[1;32mnot vulnerable (OK)�[m
�[1m DROWN�[m (CVE-2016-0800, CVE-2016-0703) �[1;32mnot vulnerable on this
host and port (OK)�[m
make sure you don't use this
certificate elsewhere with SSLv2 enabled services
https://censys.io/ipv4?q=22DE807DABCBEF115E8752CDB815708197085923EB69A782ACB6E2169A58A306
could help you to find out
�[1m LOGJAM�[m (CVE-2015-4000), experimental �[0;32mnot vulnerable
(OK):�[m no DH EXPORT ciphers, no common prime detected
�[1m BEAST�[m (CVE-2011-3389) TLS1:
�[1;33mECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA AES128-SHA
�[m
�[1;33mVULNERABLE�[m -- but also
supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated)
�[1m LUCKY13�[m (CVE-2013-0169), experimental potentially
�[1;33mVULNERABLE�[m, uses cipher block chaining (CBC) ciphers with TLS. Check
patches
�[1m RC4�[m (CVE-2013-2566, CVE-2015-2808) �[0;32mno RC4 ciphers
detected (OK)�[m
�[1m�[4m Testing 370 ciphers via OpenSSL plus sockets against the server,
ordered by encryption strength �[m
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits
Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
x1302 TLS_AES_256_GCM_SHA384 ECDH�[0;32m 253�[m AESGCM 256
TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH�[0;32m 253�[m ChaCha20 256
TLS_CHACHA20_POLY1305_SHA256
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH�[0;32m 521�[m AESGCM 256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc014 ECDHE-RSA-AES256-SHA ECDH�[0;32m 521�[m AES 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
x9f DHE-RSA-AES256-GCM-SHA384 DH�[0;32m 2048�[m AESGCM 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH�[0;32m 521�[m ChaCha20 256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
xccaa DHE-RSA-CHACHA20-POLY1305 DH�[0;32m 2048�[m ChaCha20 256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
xc09f DHE-RSA-AES256-CCM DH�[0;32m 2048�[m AESCCM 256
TLS_DHE_RSA_WITH_AES_256_CCM
x39 DHE-RSA-AES256-SHA DH�[0;32m 2048�[m AES 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
x9d AES256-GCM-SHA384 RSA AESGCM 256
TLS_RSA_WITH_AES_256_GCM_SHA384
xc09d AES256-CCM RSA AESCCM 256
TLS_RSA_WITH_AES_256_CCM
x35 AES256-SHA RSA AES 256
TLS_RSA_WITH_AES_256_CBC_SHA
x1301 TLS_AES_128_GCM_SHA256 ECDH�[0;32m 253�[m AESGCM 128
TLS_AES_128_GCM_SHA256
x1304 TLS_AES_128_CCM_SHA256 ECDH�[0;32m 253�[m AESCCM 128
TLS_AES_128_CCM_SHA256
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH�[0;32m 521�[m AESGCM 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc013 ECDHE-RSA-AES128-SHA ECDH�[0;32m 521�[m AES 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x9e DHE-RSA-AES128-GCM-SHA256 DH�[0;32m 2048�[m AESGCM 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
xc09e DHE-RSA-AES128-CCM DH�[0;32m 2048�[m AESCCM 128
TLS_DHE_RSA_WITH_AES_128_CCM
xc09c AES128-CCM RSA AESCCM 128
TLS_RSA_WITH_AES_128_CCM
x33 DHE-RSA-AES128-SHA DH�[0;32m 2048�[m AES 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
x9c AES128-GCM-SHA256 RSA AESGCM 128
TLS_RSA_WITH_AES_128_GCM_SHA256
x2f AES128-SHA RSA AES 128
TLS_RSA_WITH_AES_128_CBC_SHA
�[1m�[4m Running client simulations �[m�[1m�[4mvia sockets �[m
Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, �[0;32m253
bit ECDH (X25519)�[m
Android 9.0 (native) TLSv1.3 TLS_AES_128_GCM_SHA256, �[0;32m253 bit
ECDH (X25519)�[m
Android 10.0 (native) TLSv1.3 TLS_AES_128_GCM_SHA256, �[0;32m253 bit
ECDH (X25519)�[m
Java 6u45 TLSv1.0 AES128-SHA, No FS
Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, �[0;32m256 bit ECDH
(P-256)�[m
Java 8u161 TLSv1.2 ECDHE-RSA-AES256-SHA, �[0;32m256 bit ECDH
(P-256)�[m
Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_128_GCM_SHA256, �[0;32m256 bit
ECDH (P-256)�[m
Java 12.0.1 (OpenJDK) TLSv1.3 TLS_AES_128_GCM_SHA256, �[0;32m256 bit
ECDH (P-256)�[m
OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, �[0;32m256
bit ECDH (P-256)�[m
OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, �[0;32m253
bit ECDH (X25519)�[m
OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384, �[0;32m253 bit
ECDH (X25519)�[m
Thunderbird (68.3) TLSv1.3 TLS_AES_128_GCM_SHA256, �[0;32m253 bit
ECDH (X25519)�[m
�[7m Done 2022-10-24 23:14:28 [ 75s] -->> xx.xx.x.xx:587 (send.mail,server)
<<--�[m
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
