Outlook 2016 Sending Email Fails After Cipher Suite Update

Discussion in 'E-mail Discussions' started by linux4me2, Nov 6, 2017.

  1. linux4me2

    linux4me2 Well-Known Member

    Last week, after the update to cPanel/WHM 68.0.9, we updated the cipher suites for all services including Exim and Dovecot. Today, I heard from a client using Win 7 and Outlook 2016 that she was unable to send or receive email. Her webmail was working fine.

    Outlook was giving her the error:
    We reverted the cipher suite for Dovecot and Exim to:
    Code:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
    and after restarting the services, she was able to receive email, but still can't send without getting the error regarding encryption type.

    The SSL protocols in Dovecot are set to the same as they were before the update:
    Code:
    TLSv1 TLSv1.1 TLSv1.2
    In Exim, we tried going back to:
    Code:
    +no_sslv2 +no_sslv3 +no_tlsv1
    and:
    Code:
    +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
    but neither helped.

    Is there some other setting, or some other service, that would be preventing Outlook 2016 from sending mail because of the encryption type?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Do you notice any specific output in /var/log/maillog or /var/log/exim_mainlog when this happens? Does it make a difference if you switch from "mail.domain.tld" to "domain.tld" as the mail server name in the email client configuration settings?

    Thank you.
     
  3. linux4me2

    linux4me2 Well-Known Member

    In /var/log/maillog I see these each time she tried to retrieve mail using the new cipher suite:
    Code:
    host dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<xxxxxxxxxxxxxxxxxxx>
    Those appear to have cleared up after I reverted to the cipher suite we were previously using.

    In /var/log/exim_mainlog, I'm seeing a lot of these:
    Code:
    44872 Warning: "|/usr/local/cpanel/bin/autorespond user@domain.tld /home/username/.autorespond","|/usr/local/cpanel/bin/autorespond user@domain.tld /home/username/.autorespond"
    but other than that, just her successful logins via the Webmail UI.

    I do see some entries like this, but I haven't been able to confirm that this is her IP:
    Code:
    SMTP connection from [xxx.xxx.xxx.xxx]:60000 (TCP/IP connection count = 3)
    2017-11-06 14:24:54 TLS error on connection from [xxx.xxx.xxx.xxx]:60000 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2017-11-06 14:24:54 TLS client disconnected cleanly (rejected our certificate?)
    I did have her try to set up Outlook's SMTP settings for port 465 and SSL/TLS, and port 587 with start TLS, both of which work fine using Thunderbird on Linux. Neither of those worked for her. I've checked with another client who is using Thunderbird on Win 7, and he hasn't had any issues, so I believe it is Outlook that's causing the issue.
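
The two failure signatures quoted in this post can be counted per client to see which hosts are affected and by which handshake error. This is an added example, not part of the post or of cPanel's tooling; the sample lines are constructed from the formats above with documentation-range IP addresses, and the hint texts are this example's reading of the OpenSSL reasons.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two log formats quoted in the thread;
# the addresses are documentation-range placeholders, not values from the page.
SAMPLE_LOG = """\
Nov  6 14:20:01 host dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<abc123>
Nov  6 14:21:13 host dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<abc124>
2017-11-06 14:24:54 TLS error on connection from [203.0.113.7]:60000 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-11-06 14:25:02 TLS client disconnected cleanly (rejected our certificate?)
"""

# Dovecot reports the peer as rip=...; Exim reports it as "from [ip]:port".
DOVECOT = re.compile(r"dovecot: .*?rip=(?P<ip>[^,\s]+),.*?error:[0-9A-F]+:SSL routines:[^:]+:(?P<reason>[^,]+)")
EXIM = re.compile(r"TLS error on connection from .*?\[(?P<ip>[^\]]+)\].*?error:[0-9A-F]+:SSL routines:[^:]+:(?P<reason>.+)$")

# Short interpretation of each OpenSSL reason string (assumption of this example).
HINTS = {
    "no shared cipher": "client and server cipher lists do not intersect",
    "unknown protocol": "bytes received were not a recognisable SSL/TLS ClientHello",
}

def triage(text):
    """Count TLS handshake failures per (service, client IP, OpenSSL reason)."""
    counts = Counter()
    for line in text.splitlines():
        for service, pattern in (("dovecot", DOVECOT), ("exim", EXIM)):
            m = pattern.search(line)
            if m:
                counts[(service, m["ip"], m["reason"].strip())] += 1
                break
    return counts

if __name__ == "__main__":
    for (service, ip, reason), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {service:8s} {ip:15s} {reason}: {HINTS.get(reason, 'see OpenSSL error text')}")
```

Feeding it the real /var/log/maillog and /var/log/exim_mainlog contents instead of the sample shows whether the failures come from one client or many before any cipher setting is relaxed.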
     
  4. keithalmli

    keithalmli Member

    Just adding, I'm having the same issues as well, and I've tested on Outlook 2016 and 2007. Both will not connect, with the exact same errors as you. I did attempt Thunderbird with great success (STARTTLS only). I will say, however, that for me other accounts on the server work fine. I've found 2 so far out of several others that do not work on Microsoft Outlook. It may be worth testing on your end to see if by chance it's isolated to a couple of e-mail accounts. (Seems odd.)
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  6. linux4me2

    linux4me2 Well-Known Member

    I've only had one client report the issue so far, so it may not be all accounts. I don't know how many people are actually using Outlook.
     
  7. linux4me2

    linux4me2 Well-Known Member

    Thanks for finding that. I sent the client the link to the patch, and I asked her to try installing it--if it's not already installed--and to make the registry change they suggest to activate it. I'm waiting to hear back from her.
     
  8. linux4me2

    linux4me2 Well-Known Member

    The client reports that she installed the patch, ran Easy Fix (to set the registry flag), then rebooted and tested sending in Outlook, but that it did not resolve the issue. I've asked her to try Thunderbird to see if it works, which might tell us if the problem is just Outlook, Windows 7, or something else specific to her machine.
     
  9. keithalmli

    keithalmli Member

    I threw in the towel and tried an install of Windows 10 (upgrade still free until December). It worked right away. In my opinion, it appears it's a Windows 7 issue.
     
  10. linux4me2

    linux4me2 Well-Known Member

    I haven't been able to find a solution yet, either, though I'm still waiting for the affected client to try Thunderbird to see if it solves the problem for her. I have other clients who are using Win 7 and Thunderbird successfully, so I'm really curious to see if it's something specific to her Win 7 install.

    Are you using the new cipher suite with Win 10 and Outlook 2016 without any problems, or did you have to revert to the old cipher suite?
     
  11. keithalmli

    keithalmli Member

    Sorry for the delay. It was interesting. The Windows 10 machine worked fine from the start. A simple reboot on Monday morning was enough to flush the system's DNS cache and/or make it work correctly, with no changes.

    The Windows 7 machine never worked at all and wouldn't connect, although I could ping the system with no problems. My management company changed several settings; I'd like to think one of them was the cipher. After the changes they were able to get things rolling on their side without issue (not sure if they had 10 or 7 as a test machine), but regardless I was unable to do anything on the Windows 7 machine until I did a flushdns AFTER their changes. Then I was able to connect to the server, but could not send mail, receiving the same error.

    Eventually I threw in the towel and upgraded to Windows 10, then the sending cleared up.

    I did try the fix provided by Microsoft, adding the values and such... it didn't seem to make a difference.
     
  12. brt

    brt Well-Known Member

    Just adding that I had a client with problems with Mail in El Capitan yesterday and I had to revert both options as well.
     
  13. EneTar

    EneTar Well-Known Member

    So, for Win 7 users with Outlook, is there any solution?
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Try updating the "SSL/TLS Cipher Suite List" and "Options for OpenSSL" values under the "Security" tab in "WHM Home » Service Configuration » Exim Configuration Manager » Basic Editor" to match the following to see if it allows sending to work for clients that don't support the updated requirements:

    For "SSL/TLS Cipher Suite List":

    Code:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
    For "Options for OpenSSL":

    Code:
    +no_sslv2
    Thank you.
     
    #14 cPanelMichael, Nov 15, 2017
    Last edited: Jan 24, 2018
  15. jarland

    jarland Registered

    Is this not re-enabling SSLv3? That doesn't seem like the ideal solution.

    I came to the forum today because of multiple customers reporting on my latest server that they are getting SSL errors on IMAP, and the logs always show SSLv3 attempts. This despite them using up-to-date software on up-to-date OS/devices, none of which should even support SSLv3. Strangely, it isn't impacting every user. I can use the same device/OS/app combinations and get through fine. No particular area or network, multiple devices and networks tried by each customer that reports this. Only one server experiencing it. Makes zero sense :(
     
    #15 jarland, Nov 29, 2017
    Last edited: Nov 29, 2017
  16. EneTar

    EneTar Well-Known Member

    What does this mean for our server security?
     
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The workaround allows for the use of weaker ciphers, allowing for greater compatibility but reduced security. Ideally, you should leave the updated cipher settings enabled and reach out to the users reporting the errors to determine if they can upgrade their operating systems or email clients to versions that support the modern cipher requirements.

    Could you open a support ticket using the link in my signature so we can take a closer look at that?

    Thank you.
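
To put the trade-off described above in concrete terms, the following added example (not part of any post and not cPanel's code) parses the cipher list quoted in the thread and groups its suites by key exchange and cipher mode, and lists the ones a client without TLS 1.2 could still negotiate. The grouping rules are this example's reading of OpenSSL suite names.

```python
# Cipher string copied from the thread (the "SSL/TLS Cipher Suite List" workaround value).
CIPHER_LIST = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:!DSS"
)

def classify(name):
    """Describe one OpenSSL suite name by key exchange, cipher mode and minimum protocol."""
    forward_secrecy = name.startswith(("ECDHE-", "DHE-"))  # ephemeral DH; otherwise static RSA
    aead = "GCM" in name or "CHACHA20" in name             # otherwise CBC with an HMAC
    # Only the CBC suites ending in plain -SHA (HMAC-SHA1) predate TLS 1.2; GCM,
    # CHACHA20 and the -SHA256/-SHA384 CBC suites can only be used with TLS 1.2.
    tls12_only = aead or name.endswith(("-SHA256", "-SHA384"))
    return {"name": name, "forward_secrecy": forward_secrecy,
            "aead": aead, "tls12_only": tls12_only}

def audit(cipher_list):
    """Summarise a colon-separated cipher string; operator tokens such as !DSS are skipped."""
    suites = [classify(t) for t in cipher_list.split(":") if t and t[0] not in "!-+"]
    groups = {"fs+aead": 0, "fs+cbc": 0, "rsa+aead": 0, "rsa+cbc": 0}
    for s in suites:
        key = ("fs" if s["forward_secrecy"] else "rsa") + "+" + ("aead" if s["aead"] else "cbc")
        groups[key] += 1
    pre_tls12 = [s["name"] for s in suites if not s["tls12_only"]]
    return {"total": len(suites), "groups": groups, "pre_tls12": pre_tls12}

if __name__ == "__main__":
    report = audit(CIPHER_LIST)
    print(report["total"], "suites:", report["groups"])
    print("usable without TLS 1.2:", ", ".join(report["pre_tls12"]))
```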
     
  18. EneTar

    EneTar Well-Known Member

    1) So what's the worst that can happen on our servers with this reduced security?

    2) You are saying that ideally we should contact our users. What do you mean by that? Contact everyone who has an email account on our server? We have already done that. We have adapted nearly 100 users the last week. Or do you mean to contact anyone who is supposed to send a message to our customers? <- That is impossible...
     
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Here are a couple of links that explain the advantages of TLS 1.2:

    More about TLS and SSL - cPanel Knowledge Base - cPanel Documentation
    Is TLS 1.0 more secure than TLS 1.2?

    I was referring to your customers that use older email clients to send/receive email from an email account hosted on your cPanel server.

    Thank you.
     
  20. panit

    panit Member

    justjaph - Thank you very much. :) That fixed it for me too.

    The failure it caused didn't seem to have anything to do with the age of the email program being used. My program was just upgraded to the latest version a few months ago and one of my hosting members that this affected is using Windows Mail on Windows 10. Does anyone know what effect enabling the old ciphers will have? I assume cPanel removed them for a reason.
     