cPanel 68 - TLS changes

sparek-3

Well-Known Member
Aug 10, 2002
2,021
226
368
cPanel Access Level
Root Administrator
Concerning the TLS changes that were made in the default settings for Exim (Dovecot too?) in cPanel 68. Is it safe to assume that if you are using a modern email client, one that has not reached end-of-life, then you would not experience any issues with this?

The changes to the default Exim configuration basically disabled TLSv1, correct? All modern email clients should be capable of utilizing TLSv1.2, correct?

So if anyone has any issues sending out mail after this update, essentially they are using an old and outdated email client. Would that be a correct assumption?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
We disabled SSLv3 and TLSv1 in favor of acceptance of only TLSv1.2. All modern clients should be able to accept this, though we do find that there are a large number of folks still using older versions of Outlook which required a patch from Microsoft located here: https://support.microsoft.com/en-us...-and-tls-1-2-as-a-default-secure-protocols-in

Though the newer Outlook clients such as Outlook 2016 were NOT experiencing issues.
 

sparek-3

That patch only applies to Windows 7 Service Pack 1. Is Windows 7 SP1 still in life?

At least that's what I read from that post. I've always had trouble following Microsoft's updates due to the numbering and foreign technical language they use for their updates.

I'm basically not wanting to capitulate to clients that want to continue to use really old, outdated, and no longer supported software. This is why Internet insecurities are such a mess now as it is, for years the Internet industries have been allowing clients to dictate their security - because they don't want to change. And as a result insecure security protocols (which aren't really secure) continue to operate.
 

cPanelLauren

Hi @sparek-3

> That patch only applies to Windows 7 Service Pack 1. Is Windows 7 SP1 still in life?
Extended support for Microsoft Windows 7 doesn't end until January 2020 based on https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet

> I've always had trouble following Microsoft's updates due to the numbering and foreign technical language they use for their updates.
Couldn't agree with you more - it applies to the following:
Applies to: Windows Server 2012 Datacenter, Windows Server 2012 Standard, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Foundation, Windows Server 2008 R2 for Itanium-Based Systems, Windows 7 Service Pack 1, Windows 7 Ultimate, Windows 7 Enterprise, Windows 7 Professional, Windows 7 Home Premium, Windows 7 Home Basic, Windows 7 Starte
Windows 8.1 and higher came with support for TLSv1.2.

> I'm basically not wanting to capitulate to clients that want to continue to use really old, outdated, and no longer supported software. This is why Internet insecurities are such a mess now as it is, for years the Internet industries have been allowing clients to dictate their security - because they don't want to change. And as a result insecure security protocols (which aren't really secure) continue to operate.
I believe this is why we implemented the changes to not accept these protocols by default. The threats from POODLE and DROWN were too much to allow accepting these protocols as default behavior.
 

sparek-3

Bottom Line - I'm just wanting to know if there are any "in-life" email clients out there that don't yet support TLSv1.2? Before I politely accuse clients of using outdated and end-of-life email clients. Mainly Microsoft clients, because I can't keep up with all the different versions of Outlook, Outlook Express, and Windows Live Mail that they have.

If an email client is still in life, and it doesn't support TLSv1.2 then the onus would seem to be on that email client's developer.

But if the email client is end-of-life, then the onus is on the hosting client for continuing to use such a product. Perhaps they were legitimately unaware of the issue, but that's kind of the point of disabling those insecure TLS versions... to get their attention on this matter. Don't be mad at your host for wanting your mail server connection to be (really) secure.
 

cPanelLauren

Hi @sparek-3

The problem with the Outlook clients was that Windows itself didn't have the support for TLSv1.2. The clients and Windows operating systems past 7 should all support TLS1.2; even the Windows systems running 7 should be able to patch and receive the TLSv1.2 update, so no, I do not believe there is anything not EoL that doesn't accept the protocol.
 

sparek-3

Thanks! This is helpful.

I would have thought that Windows Updates on a Windows 7 system would have installed this patch... but it's Microsoft and I don't understand a lot of their systems or how they work.

I do know that we've had some clients complain about Outlook 2007 not working. But as far as I can tell, Outlook 2007 is well beyond its end-of-life.

I just don't have a lot of sympathy for people that want to continue to use end-of-life software and expect it to continue to work. It's like wondering why my TRS-80 or Commodore 64 won't get on the Internet.
 

cPanelLauren

> I would have thought that Windows Updates on a Windows 7 system would have installed this patch... but it's Microsoft and I don't understand a lot of their systems or how they work.
I too would have thought the same, but I believe a lot of people have their updates disabled or for some reason didn't get this.

> I do know that we've had some clients complain about Outlook 2007 not working. But as far as I can tell, Outlook 2007 is well beyond its end-of-life.
We got the most support requests on Outlook 2007 being unable to connect when the changes were introduced. The end of Extended support for Outlook 2007 was 10/10/2017.

> I just don't have a lot of sympathy for people that want to continue to use end-of-life software and expect it to continue to work. It's like wondering why my TRS-80 or Commodore 64 won't get on the Internet.
My first computer was a Commodore 64; we thought they were amazing then.
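
Added example (not part of any post above and not cPanel's code): one way to find which mail users still connect with a protocol below the TLSv1.2 floor discussed in this thread, by reading the `X=` (negotiated TLS) and `A=` (authenticated login) fields of Exim main log arrival lines. The log lines are constructed samples, the function names are hypothetical, and TLSv1.1 is included as legacy because the thread states only TLSv1.2 is accepted.

```python
import re
from collections import defaultdict

# Protocols below the TLSv1.2 floor described in the thread.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# Exim main log fields: X=<protocol>:<cipher>:<bits>, A=<authenticator>:<login>
TLS_FIELD = re.compile(r"\bX=(SSLv3|TLSv?1(?:\.[0-3])?):")
AUTH_FIELD = re.compile(r"\bA=[\w-]+:(\S+)")
HOST_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")

# Constructed sample log lines (documentation addresses, made-up message IDs).
SAMPLE_LOG = """\
2018-01-15 09:12:01 1eb0Aa-0001Xy-2B <= alice@example.com H=(LAPTOP) [203.0.113.10]:50123 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:alice@example.com S=1523
2018-01-15 09:13:44 1eb0Bc-0001Yz-3C <= bob@example.com H=(desktop) [203.0.113.20]:50999 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 A=dovecot_login:bob@example.com S=2048
2018-01-15 09:15:02 1eb0Cd-0001Za-4D <= alice@example.com H=(LAPTOP) [203.0.113.10]:50130 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:alice@example.com S=900
2018-01-15 09:16:10 1eb0De-0001Zb-5E <= news@example.org H=mx.example.org [198.51.100.7]:41000 P=esmtps X=TLSv1.1:AES256-SHA:256 S=3000
2018-01-15 09:17:30 1eb0Ef-0001Zc-6F => carol@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [192.0.2.5] X=TLSv1:AES128-SHA:128
"""

def normalize(proto):
    """Map variants such as 'TLS1.0' (logged by some Exim builds) to 'TLSv1'."""
    if "v" not in proto:
        proto = proto.replace("TLS", "TLSv", 1)
    return proto[:-2] if proto.endswith(".0") else proto

def legacy_tls_clients(log_lines):
    """Return {login_or_ip: {protocol: count}} for arrivals over legacy TLS."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        if " <= " not in line:          # only messages arriving at this server
            continue
        tls = TLS_FIELD.search(line)
        if not tls:                     # no X= field: session was not encrypted
            continue
        proto = normalize(tls.group(1))
        if proto not in LEGACY:
            continue
        auth, ip = AUTH_FIELD.search(line), HOST_IP.search(line)
        # Prefer the authenticated login; fall back to the peer address.
        who = auth.group(1) if auth else (ip.group(1) if ip else "unknown")
        hits[who][proto] += 1
    return {who: dict(protos) for who, protos in hits.items()}

if __name__ == "__main__":
    for who, protos in legacy_tls_clients(SAMPLE_LOG.splitlines()).items():
        print(who, protos)
```

Running this over logs collected before the protocols are disabled gives a list of accounts to contact in advance; once they are disabled, failed handshakes never reach a `<=` line and have to be found in TLS error entries instead.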