TSR-2018-0001 prevents Apple Mail from sending

Discussion in 'E-mail Discussions' started by rpvw, Jan 23, 2018.

  1. rpvw

    rpvw Well-Known Member

    The TSR-2018-0001 has changed something that has all my customers that use Apple Mail screaming that they can no longer send mail.

    I have spent several hours experimenting with various set-ups on an older Mac OS X 10.7.5 with the result that I can create and configure any IMAP or POP account and they work perfectly downloading and displaying the mailbox folders and messages.


    BUT any attempt to send just stalls, it does not matter what port is used and if SSL is enabled or not - it just won't send anything and, understandably, the customers are somewhat unhappy. The connection doctor software that the Mac supplies reports a successful SMTP connection, but the TLS never gets established and the mail is never sent.

    Similar tests using Thunderbird on the same old mac laptop seamlessly connected to the server, auto-configured everything and I was able to send and receive on any protocol.

    I do not particularly want to have to revert to the old SSL/TLS OpenSSL options, nor re-enable the old Cipher Suite, so any alternative ideas would be gratefully received.


    ****UPDATE****
    I am finally getting some connection information:

    So I tried setting the SSL/TLS OpenSSL options back to the pre-TSR ones, and restored the old set of Cipher protocols - but even though Exim rebuilt and started OK, I still can't get Apple Mail to send anything and all I get in the logs are the messages above.
     
    #1 rpvw, Jan 23, 2018
    Last edited: Jan 23, 2018
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

    Sadly, Mac OSX 10.7 (Lion) has reached end of life and has not been receiving security updates or SSL/TLS cipher for some time. You may be stuck allowing weaker ciphers or older SSL protocols if you cannot upgrade the client system.

    If the below still doesn't solve the problem, you may need to remove "+no_sslv3" from "Options for OpenSSL" and "!SSLv3" from SSL Protocols to allow SSLv3.

    For Exim (SMTP):
    WHM » Service Configuration » Exim Configuration Manager
    • Options for OpenSSL
      Code:
      +no_sslv2 +no_sslv3
    • SSL/TLS Cipher Suite List
      Code:
      ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

    For Dovecot (IMAP/POP3)
    WHM » Service Configuration » Mailserver Configuration
    • SSL Cipher List
      Code:
      ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    • SSL Minimum Protocol (v70 and later)
      Code:
      TLSv1
    • SSL Protocols (v68 and earlier)
      Code:
      !SSLv2 !SSLv3
     
    #2 cPanelNick, Jan 23, 2018
    Last edited: Jan 23, 2018
    EneTar and Infopro like this.
  3. rpvw

    rpvw Well-Known Member

    Thank you kindly Nick, that got my old Mac OS X 10.7.5 test-bed working, and I shall now have to wait until morning to see if the various Mac user clients can send again.

    I don't know why I couldn't get the protocols and ciphers to work before. Your strings were identical to the ones I tried, but maybe I introduced some white-space or something.

    I shall update if the clients still can't connect in the morning o_O
     
  4. EneTar

    EneTar Well-Known Member

    The "SSL/TLS Cipher Suite List" for EXIM is a little bit different than that in Outlook 2016 Sending Email Fails After Cipher Suite Update

    Do you mind describing the difference and which one should we use?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The cipher list referenced below (and earlier in this thread) is a copy of the default cipher list utilized for Exim in cPanel version 66.

    Code:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
    We document more information about the cipher changes in cPanel version 68 at:

    How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation

    I've updated the cipher list referenced on the Outlook 2016 Sending Email Fails After Cipher Suite Update post to match the one referenced above, as generally most customers are seeking to revert the changes made in cPanel version 68 and restore the settings that worked in cPanel version 66.

    Thank you.
     
    EneTar likes this.
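
Added example (not part of any post in this thread and not cPanel code): a Python check for a value before it is pasted into the Exim "SSL/TLS Cipher Suite List" field. It reports stray whitespace or mistyped names of the kind suspected earlier in the thread, and shows which suites in the version 66 list a client without TLS 1.2 could negotiate. The function names and the `KNOWN` vocabulary are assumptions made for this example; the vocabulary is taken only from the Exim list quoted above.

```python
import re

# Exim cipher list quoted in this thread (the cPanel version 66 default).
V66_EXIM = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:!DSS"
)
# Name parts seen in that list; lint() reports anything else (assumed vocabulary).
KNOWN = set(re.split(r"[:!-]+", V66_EXIM))

def lint(pasted):
    """Report whitespace, empty entries and unknown name parts in a pasted value."""
    issues = [f"whitespace {m.group()!r} at offset {m.start()}"
              for m in re.finditer(r"\s+", pasted)]
    for n, token in enumerate(re.split(r"[:,\s]", pasted), 1):
        bad = [p for p in token.lstrip("!+-").split("-") if p not in KNOWN]
        if not token:
            issues.append(f"entry {n} is empty")
        elif bad:
            issues.append(f"entry {n} {token!r}: unknown part {bad}")
    return issues

def profile(cipher_list):
    """Classify each named suite by the properties visible in its OpenSSL name."""
    rows = []
    for name in cipher_list.split(":"):
        if name.startswith("!"):
            continue  # exclusions such as !DSS name no suite
        aead = "GCM" in name or "CHACHA20" in name
        rows.append({
            "name": name,
            "forward_secrecy": name.startswith(("ECDHE-", "DHE-")),
            "mode": "AEAD" if aead else "CBC",
            # In this list only the HMAC-SHA1 suites (ending in -SHA) predate TLS 1.2.
            "needs_tls12": not name.endswith("-SHA"),
        })
    return rows

def pre_tls12(cipher_list):
    """Suites a client limited to TLS 1.0/1.1 could negotiate from this list."""
    return [r["name"] for r in profile(cipher_list) if not r["needs_tls12"]]
```

On the server itself, `openssl ciphers -v` run with the same string shows what the installed OpenSSL actually resolves it to.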