SOLVED [CPANEL-28089] Dovecot TLS configuration reset upon update

daflame

Member
Oct 7, 2015
6
0
1
Beloeil Canada
cPanel Access Level
Root Administrator
Since this morning, I can't RECEIVE emails with Outlook 2010 (POP3 and IMAP accounts). No problem to SEND emails. I get the error 800CCC1A for POP3 accounts using port 995 and SSL connexion. I also get the error 800CCC0E for IMAP accounts using port 993 and SSL connexion.

Otherwise, I am able to receive and send emails with Gmail App on my phone with IMAP accounts using port 993 and TLS/SSL connexion.

My cPanel version is v80.0.18. The SSL certificate seem to be fine. I see some updates in folder /etc/dovecot/ from today but not sure if it's related. Not sure either if I have to update cipher settings.

Someone can help me please? Thanks in advance!
 

glucz

Member
Jul 7, 2005
12
0
151
Same here. Some outlook versions cannot download mail. I now even have problems with the mail client on a mac. Some ciphers seem to have been removed. The problem goes away when SSL is turned off... although I would prefer weak encryption to no encryption anytime.
 

oplink

Registered
Oct 13, 2005
1
0
151
Same here

Logs show
Jun 23 18:31:09 cpanel1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxxx, lip=xxxx, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<dpkgFwaMrNRJc6J4>

Any details on why?
 

uk01

Well-Known Member
Dec 31, 2009
174
18
68
I've had several issues with a Mac tonight and spent 3 hours unpaid support time.

Various issues-
Unable to verify password (internet accounts)
Port 993 timed out

These are known Mac issues so I never thought it would be caused by Cpanel. However, I remembered that we had to adjust some cipher details due to older Macs which couldn't send.

Therefore I checked the mailserver settings in WHM and notice "SSL Minimum Protocol" is set to v1.3
This must have been enforced with Cpanel v80 on Friday/Saturday night but I can't find it anywhere in the change log?

Once I changed this back to TLSv1 Mac Mail works again. Now I know we are "supposed" to enforce v1.2 but we can't go falling out with all customers (which are also clients in our case) who have older Macs!

I just wish if Cpanel are enforcing it for PCI compliance they would have made us aware (unless I missed it?) as it has incurred me in 3 hours of time when we are very busy, I now get to bed at 4am!
 

sneader

Well-Known Member
Aug 21, 2003
1,167
53
178
54
La Crosse, WI
www.qth.com
cPanel Access Level
Root Administrator
I found that the update changed a Dovecot security setting on our servers. In WHM, under Service Configuration > Mailserver Configuration > SSL Minimum Protocol, cPanel managed to change this setting to the highest security setting, "TLS v1.2" on most of our servers, with a few of them changed to "TLS v1". This breaks email service for many customers that use slightly older email clients and/or operating systems.

We've fixed this, for now, by changing the SSL Minimum Protocol back to "SSL v3" and this has solved the problem for our customers.

- Scott
 

orlandobond

Registered
Feb 11, 2016
1
0
1
Romania
cPanel Access Level
Root Administrator
Most probably will work with TLSv1 as well.

To find if you have issue like this you can try to use:

grep "TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown" /var/log/maillog
 

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
866
15
168
I can confirm that we are also experiencing a ton of support requests in the last 48 hours - all related to Email and SSL/TLS and most of them Mac clients - some Android.

I don't see anything in the 80 changelog about any changes. Would like a response from cpanel about what's happened here.

We would like to have given some notice to our customers!
 

the_island

Registered
Jul 12, 2014
1
0
1
cPanel Access Level
Root Administrator
Same here.
Changed minimum SSL version to v3 and clients can download email again.

Not sure if this pauses a security threat, but companies had to receive their emails ...
 

gvard

Well-Known Member
PartnerNOC
Dec 22, 2003
202
6
168
40
Athens/GREECE
www.hyperhosting.net
cPanel Access Level
DataCenter Provider
Hello,

For some reason Dovecot reset the TLS configuration after the latest update. cPanel has opened an internal case number for this, which is CPANEL-28089. If you made changes to this value before, you'll need to roll them back to what they were before.

Version 68 of cPanel introduced new SSL ciphers to increase the security of the mail server; this enables TLS 1.2 and disables older SSL protocols such as TLS 1.0.

You can read more on this through the blog post here, TLS Changes in Version 68. TLS Changes in Version 68 | cPanel Blog

While cPanel makes every effort to ensure our product is as secure as possible, this does mean older operating systems and mail clients will be affected.

Due to Windows 7 being an older system, versions of Outlook (2007 & 2010) on Windows 7 can only offer TLS 1.0 and below. Microsoft did release a patch to resolve this and enable the newer protocols, TLS 1.1 and TLS 1.2. You can read more information on Microsoft's blog here: Enabling TLS 1.1 and 1.2 in Outlook on Windows 7

Please keep in mind this is not a defect or an issue with cPanel, but an incompatibility with outdated client software. Updating the client software to support TLS 1.2 will help maintain overall security.

There are two options to help resolve the issues you are currently facing. Please note, Option 1 is the recommended solution.

[Option 1]: (RECOMMENDED) To enable TLS 1.2 for Windows 7, you will need to patch your system to modify the registry. Be sure your system is fully updated through the update center, and then download and install the patch from Microsoft's website here: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

After that is installed, be sure to reboot your local computer as well to ensure the patch was applied. Once you're back online, please try to connect to the cPanel server again.

[Option 2]: (NOT RECOMMENDED) If you must enable TLS 1.0 on the WHM/cPanel server for compatibility, then in WHM >> Home >> Service Configuration >> Exim Configuration Manager > Basic Settings:

Ensure that "Allow weak SSL/TLS ciphers" is "Off".

Change "SSL/TLS Cipher Suite List" to (this is one long line):
====
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
====

And change "Options for OpenSSL" to:
====
+no_sslv2 +no_sslv3
====

Then "Save" at the bottom of the page.

This will enable TLS 1.0, 1.1, and 1.2 and should provide compatibility with older mail servers and clients that only support TLS 1.0.

For Dovecot in WHM >> Home >> Service Configuration >> Mailserver Configuration:

Change "SSL Cipher List" to (this is one long line):
====
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
====

Change "SSL Minimum Protocol" to:
====
TLS1
====

Once that is enabled, or you have fully patched your Windows install, Windows should be able to connect to the server again.
 
  • Like
Reactions: verdon

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,749
2,206
363
cPanel Access Level
DataCenter Provider
Twitter
[Note: This post was updated on 06-26-2019 with updated information]

Hello Everyone,

Internal case CPANEL-28089 was opened to investigate reports of Dovecot configuration settings automatically reverting to the default values. This resulted in email client connectivity errors if the Dovecot settings were previously modified to allow for TLS compatibility with legacy email clients.

cPanel & WHM version 80.0.20 was published to the CURRENT release tier with a fix to ensure the Dovecot mail server configuration settings are preserved upon future updates:

Fixed case CPANEL-28089: Correctly generate ssl_min_protocol based on the value of ssl_protocols, when applicable.

The full change log is available on the link below:

80 Change Log - Change Logs - cPanel Documentation

Note this fix does not automatically restore the configuration values that were reset during prior updates. On affected servers, administrators must browse to WHM >> Mailserver Configuration and adjust the settings to their preferred values.

If you are unsure which configuration changes to make for compatibility with legacy email clients, click here to see a discussion of specific configuration changes known to help.

Additionally, you can use the following WHM API 1 function if you need to make changes to the Dovecot configuration settings via the command line:

WHM API 1 Functions - set_service_config_key - Developer Documentation - cPanel Documentation

For example, the following command will set the Dovecot "SSL Minimum Protocol" value to TLSv1.2:

Code:
whmapi1 set_service_config_key api.version=1 service=dovecot key=ssl_min_protocol value=TLSv1.2
If "Back up System Files" is selected in WHM >> Backup Configuration and you have a backup available from before the issue started, then you can view an older copy of the Dovecot main file to determine which SSL protocol settings were reset.

For example, here are the commands to use for compressed backups if you have system backup files from 06-20-2019:

Code:
cd /backup/2019-06-20/system/dirs/
tar xvzf /backup/2019-06-20/system/dirs/_var_cpanel.tar.gz
grep ssl_ /backup/2019-06-20/system/dirs/var/cpanel/conf/dovecot/main
Here are the commands to use for incremental backups if you have system backup files from 06-20-2019:

Code:
grep ssl_ /backup/2019-06-20/system/dirs/_var_cpanel/conf/dovecot/main
You can then browse to WHM >> Mailserver Configuration and adjust the current settings to match the previous values.

Thank you.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,749
2,206
363
cPanel Access Level
DataCenter Provider
Twitter
Yes, we've seen this reset of configuration settings happening on a non-Cloudlinux server as well. Can provide IP via PM or otherwise if needed.
Thanks, I've confirmed additional affected systems include both CentOS and CloudLinux. I've removed the question from my previous response and will update this thread with more information shortly.

Thanks!