SOLVED [CPANEL-28089] Dovecot TLS configuration reset upon update

Varlyga

Registered
Jun 14, 2019
Casablanca
cPanel Access Level
DataCenter Provider
Fixed right now by doing this stuff with my colleagues:
(Yes, this breaks down some security, etc.), but we have to fix it until cPanel helps.

Home » Service Configuration » Mailserver Configuration

SSL Cipher List:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSL Minimum Protocol: TLSv1.2


Home » Service Configuration » Exim Configuration Manager

Options for OpenSSL:
+no_sslv2 +no_sslv3

SSL/TLS Cipher Suite List:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Security:
Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server. from "On" to "Off"
 

jamiepenner

Member
Aug 30, 2016
Vancouver Island, BC
cPanel Access Level
Root Administrator
I guess there's no real "fix" to this other than it not happening again and finding a way to recover your old settings if you don't have a backup. What would have been nice is if a backup file had been created of the original configuration file before the update. Does that exist anywhere for recovery?

So far, none of the option changes here have fully resolved it for us, as we are still getting reports of users not able to pick up mail.
 

sneader

Well-Known Member
Aug 21, 2003
La Crosse, WI
www.qth.com
cPanel Access Level
Root Administrator
I would also like to know if the dovecot.conf file is backed up anywhere (part of the cPanel nightly backup?). If not, I wonder if @cPanelMichael might be willing to look into this. I hope it isn't something that would require a feature request.

- Scott
 

jamiepenner

Member
Aug 30, 2016
Vancouver Island, BC
cPanel Access Level
Root Administrator
I guess my big question at this point, which I'm not sure has been answered, is: is this JUST configuration changes, or has some of the old encryption code been removed so that some users simply won't be able to get back on without an update to the software?

I have checked with a client's cPanel backup on their VPS and the dovecot.conf does not appear to get backed up. I'm awaiting a senior analyst with Jetbackup's team to hear if we can extract a dovecot.conf from a disaster recovery backup.

The fact that we've made the adjustments that are noted here and are still having some users not getting logged in is pointing to the fact that this is more than just reconfiguring...
 
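The question in the posts above, whether dovecot.conf is backed up anywhere, points at the general defender's need here: keep a snapshot of the TLS-relevant settings before an update and diff them afterwards, so a silent reset shows up as a config change rather than as user complaints. The following is an added example, not cPanel's tooling or Dovecot's code. It parses two snapshots of a Dovecot configuration and reports which TLS keys changed; the two configs embedded at the bottom are constructed samples, and the /etc/dovecot/dovecot.conf default path is an assumption about where the main config file lives.

```python
"""Report TLS-relevant settings that changed between two dovecot.conf snapshots.

Added example, not cPanel's or Dovecot's code. DEFAULT_CONF is an assumption
about where the main Dovecot config lives; BEFORE/AFTER are constructed
samples standing in for a pre-update and a post-update file.
"""
import hashlib
from pathlib import Path
from typing import Dict, Optional, Tuple

# Settings worth pinning across an update. ssl_protocols is the pre-Dovecot-2.3
# allow/deny list that ssl_min_protocol replaced.
TLS_KEYS = (
    "ssl",
    "ssl_protocols",
    "ssl_min_protocol",
    "ssl_cipher_list",
    "ssl_prefer_server_ciphers",
    "disable_plaintext_auth",
)

DEFAULT_CONF = Path("/etc/dovecot/dovecot.conf")  # assumed location


def parse_dovecot_conf(text: str) -> Dict[str, str]:
    """Return top-level ``key = value`` settings.

    Comments are stripped and anything inside ``{ ... }`` blocks (service
    listeners, protocol sections) is skipped, since the TLS floor and the
    cipher list live at the top level.
    """
    settings: Dict[str, str] = {}
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def fingerprint(text: str) -> str:
    """SHA-256 of a snapshot, for a quick 'did anything change at all' check."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def tls_drift(before: str, after: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each TLS key whose value differs to (old, new); None means the key is absent."""
    old, new = parse_dovecot_conf(before), parse_dovecot_conf(after)
    return {
        key: (old.get(key), new.get(key))
        for key in TLS_KEYS
        if old.get(key) != new.get(key)
    }


def snapshot_file(path: Path = DEFAULT_CONF) -> Tuple[str, str]:
    """Read a live config and return (text, fingerprint) to store before an update."""
    text = path.read_text(encoding="utf-8")
    return text, fingerprint(text)


# Constructed samples: a legacy-style config and what an update might leave behind.
BEFORE = """\
# constructed pre-update sample
ssl = required
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
disable_plaintext_auth = yes
service imap-login {
  inet_listener imaps {
    port = 993
  }
}
"""

AFTER = """\
# constructed post-update sample
ssl = required
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
disable_plaintext_auth = yes
service imap-login {
  inet_listener imaps {
    port = 993
  }
}
"""

if __name__ == "__main__":
    for key, (old, new) in tls_drift(BEFORE, AFTER).items():
        print(f"{key}: {old!r} -> {new!r}")
```

Run `snapshot_file()` before the update and store the text; after the update, feed the stored text and the live file to `tls_drift` and the output names exactly which knob moved, which is what this thread had to reconstruct by hand from user reports.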

Varlyga

Registered
Jun 14, 2019
Casablanca
cPanel Access Level
DataCenter Provider
Based on my last fix (I try to help people with something I tested and used on my servers), the problem is solved for Outlook 2007/2010 users (port 110 POP3 without encryption or port 143 IMAP without encryption, and port 587 SMTP with automatic encryption).
Again, this is a temporary workaround until the cPanel team fixes this case.

Thank you!
 

jamiepenner

Member
Aug 30, 2016
Vancouver Island, BC
cPanel Access Level
Root Administrator
Based on my last fix (I try to help people with something I tested and used on my servers), the problem is solved for Outlook 2007/2010 users (port 110 POP3 without encryption or port 143 IMAP without encryption, and port 587 SMTP with automatic encryption).
Again, this is a temporary workaround until the cPanel team fixes this case.

Thank you!

heh... And unfortunately, we converted everyone over to SSL-only mail and don't allow unencrypted connections, so we're hurting! I'm about done with email hosting at this point...
 

bgarrant

Well-Known Member
Jun 27, 2012
www.garrant.com
cPanel Access Level
Root Administrator
Is this the best way to allow older email clients like Outlook 2000 to connect now?

Home » Service Configuration » Mailserver Configuration

SSL Cipher List:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

SSL Minimum Protocol: SSLv3

Home » Service Configuration » Exim Configuration Manager

Options for OpenSSL:
+no_sslv2

SSL/TLS Cipher Suite List:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

Security:
Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server. from "On" to "Off"
 

jndawson

Well-Known Member
Aug 27, 2014
Western US
cPanel Access Level
DataCenter Provider
Is there any update on this issue? The workarounds are less than acceptable from a security standpoint. Wading through backups to find the previous settings could be an exercise in futility as the next system update may reset everything again.
 

rainboy

Active Member
Mar 2, 2004
Eindhoven
www.040hosting.eu
Wondering about information as well (subscribing to this thread).

Obviously the only solution is to make sure clients use at least TLS 1.2, but that is sometimes not possible and leaves the action to the clients, who do not understand why this suddenly happens to them. While I agree they should switch to TLS 1.2, they should have been given a heads-up in a proper way, not by just pulling the plug, which cPanel seems to have done here.
 

jndawson

Well-Known Member
Aug 27, 2014
Western US
cPanel Access Level
DataCenter Provider
I see update 80.0.20 is addressing this case:

Fixed case CPANEL-28089: Correctly generate ssl_min_protocol based on the value of ssl_protocols, when applicable.

What exactly will that do?
 
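To illustrate what "generate ssl_min_protocol based on the value of ssl_protocols" has to get right, here is an added example that is not cPanel's or Dovecot's code. It derives the single protocol floor that ssl_min_protocol expresses from a legacy ssl_protocols allow/deny list, and audits an existing floor against the old list so that a floor set too high shows up as a list of protocol versions (and therefore clients) it silently drops. The list semantics used (a bare name means "only these", a `!` prefix disables a version) are my reading of the old setting and are stated as an assumption; the sample values are constructed.

```python
"""Derive Dovecot's ssl_min_protocol from a legacy ssl_protocols list and audit it.

Added example, not cPanel's or Dovecot's code. Assumption about the old
ssl_protocols setting: tokens without '!' form an allow-list when any are
present, tokens with '!' are removed, and everything not mentioned is
allowed when no bare names appear. All sample values are constructed.
"""
from typing import List, Tuple

# Ascending version order; the floor is the lowest version still permitted.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def allowed_protocols(ssl_protocols: str) -> List[str]:
    """Expand a legacy ssl_protocols value into the versions it permits, ascending."""
    tokens = ssl_protocols.split()
    enabled = {t for t in tokens if not t.startswith("!")}
    disabled = {t[1:] for t in tokens if t.startswith("!")}
    # "!SSLv2" is common in old configs; SSLv2 is not in PROTOCOL_ORDER because
    # no modern floor can select it, so it simply drops out here.
    candidates = enabled if enabled else set(PROTOCOL_ORDER)
    return [p for p in PROTOCOL_ORDER if p in candidates and p not in disabled]


def min_protocol_from_protocols(ssl_protocols: str) -> str:
    """Return the ssl_min_protocol value equivalent to a legacy ssl_protocols list.

    Raises ValueError when the list permits nothing (a configuration that
    would refuse every TLS client) so the caller never writes a bad floor.
    """
    allowed = allowed_protocols(ssl_protocols)
    if not allowed:
        raise ValueError(f"ssl_protocols {ssl_protocols!r} permits no protocol")
    return allowed[0]


def permitted_by_floor(ssl_min_protocol: str) -> List[str]:
    """Versions a given ssl_min_protocol admits: the floor and everything above it."""
    if ssl_min_protocol not in PROTOCOL_ORDER:
        raise ValueError(f"unknown ssl_min_protocol {ssl_min_protocol!r}")
    return PROTOCOL_ORDER[PROTOCOL_ORDER.index(ssl_min_protocol):]


def floor_audit(ssl_protocols: str, ssl_min_protocol: str) -> Tuple[List[str], List[str]]:
    """Compare a legacy list with a generated floor.

    Returns (dropped, added): versions the old list allowed but the floor
    rejects (the clients that stop being able to log in after the update),
    and versions the floor admits that the old list did not. A floor cannot
    express a non-contiguous allow-list such as "TLSv1 TLSv1.2", so the
    'added' side is where that loss of precision becomes visible.
    """
    old = allowed_protocols(ssl_protocols)
    new = permitted_by_floor(ssl_min_protocol)
    dropped = [p for p in old if p not in new]
    added = [p for p in new if p not in old]
    return dropped, added


if __name__ == "__main__":
    legacy = "!SSLv2 !SSLv3"  # constructed: a typical pre-2.3 allow/deny list
    print("equivalent floor:", min_protocol_from_protocols(legacy))
    print("audit of a too-high floor:", floor_audit(legacy, "TLSv1.2"))
```

For a legacy list of `!SSLv2 !SSLv3` the equivalent floor is `TLSv1`; auditing that same list against a generated floor of `TLSv1.2` reports `TLSv1` and `TLSv1.1` as dropped, which is the class of client breakage described earlier in this thread. Whether to then raise the floor deliberately is a policy decision, but the audit makes it a visible one.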

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
cPanel Access Level
DataCenter Provider
Hello Everyone,

cPanel & WHM version 80.0.20 was published to the CURRENT release tier with a fix to prevent this from happening in the future. I've updated my earlier post with new information:

Post 2677051

Thank you.
 

belindaj

Member
Jul 24, 2003
I wanted to share some information for others who might still be coming across this issue. I upgraded servers this past week and sure enough I have one account with one person still on Windows 7. No matter what I tried yesterday, nothing could get SMTP working on TLS for her, and I of course did not want to revert security on the new server for one individual on an outdated desktop. I came across an excellent VISUAL step-by-step tutorial for editing the registry to add TLS support to Windows 7, and it worked PERFECTLY and was about a 3 minute task on that desktop. Huge THANKS to Accu Web Hosting for the excellent knowledge base article: manage.accuwebhosting.com/knowledgebase/3008/How-do-I-enable-TLS-12-on-Windows-7.html
 