SOLVED [CPANEL-28089] Dovecot TLS configuration reset upon update

cPanelMichael

Technical Support Community Manager
Staff member
Hello :)

Here's a quote of my response at "SOLVED - Error: Your server does not support the connection encryption type you have specified" for anyone seeking more information about TLS 1.2 support in email applications:

Hello Everyone,

I put together the following overview of this topic for anyone seeing this thread for the first time:

Reported Issue
Attempting to send or receive emails using email applications or operating systems which lack support for Transport Layer Security (TLS) Version 1.2 can result in error messages such as the one below:

error (0x800CCC1A) : 'Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.'

Do you know of any additional error messages that should appear above? Reply to this thread to let us know! Thanks!

Technical Summary
Exim and Dovecot utilize OpenSSL as a means of providing secure connections between email applications and your server. Here's a quote from our documentation describing OpenSSL's two primary settings:

TLS version 1.2 is enabled as the default protocol for cPanel & WHM services (e.g. Exim, Dovecot). Thus, if an email application or operating system does not support the use of TLS version 1.2, then attempts to send or receive email will fail with errors like the one included above.

Recommended Solution
Modifying the default cipher and protocol settings for Exim and Dovecot in order to permit less secure connections between legacy email applications and your cPanel & WHM server is not recommended. While such actions are effective at quickly restoring the ability for legacy email applications to send and receive email, they come at the expense of operating a less secure server.

The recommended approach is to communicate this security knowledge to the person using the legacy email application and/or legacy operating system. Encourage updates to, and adoption of, email applications and operating systems that support modern cipher and protocol requirements.

Or, in the case of users experiencing this issue on Windows 7, it's possible to enable TLS 1.2 using the instructions in the document linked below:

How To Configure Microsoft Windows 7 to use TLS Version 1.2

Additional Reading

For more technical details about Cipher/Protocol settings and overall SSL logic with cPanel & WHM, see the below documents:

How To Adjust Cipher Protocols
Guide To SSL
SSL Installation and Precedence Logic

What about TLS version 1.3?

You can track the status of TLS 1.3 support on the following feature request: Support For TLS 1.3

Additional Feedback/Questions
Feel free to reply to this thread with any additional questions or feedback related to this topic.

Thank you.