TSR-2018-0001 prevents Apple Mail from sending

Discussion in 'E-mail Discussion' started by rpvw, Jan 23, 2018.

  1. rpvw

    rpvw Well-Known Member

    The TSR-2018-0001 has changed something that has all my customers that use Apple Mail screaming that they can no longer send mail.

    I have spent several hours experimenting with various set-ups on an older Mac OS X 10.7.5 with the result that I can create and configure any IMAP or POP account and they work perfectly downloading and displaying the mailbox folders and messages.


    BUT any attempt to send just stalls, it does not matter what port is used and if SSL is enabled or not - it just won't send anything and, understandably, the customers are somewhat unhappy. The connection doctor software that the Mac supplies reports a successful SMTP connection, but the TLS never gets established and the mail is never sent.

    Similar tests using Thunderbird on the same old mac laptop seamlessly connected to the server, auto-configured everything and I was able to send and receive on any protocol.

    I do not particularly want to have to revert to the old SSL/TLS OpenSSL options, nor re-enable the old Cipher Suite, so any alternative ideas would be gratefully received.


    ****UPDATE****
    I am finally getting some connection information:

    So I tried setting the SSL/TLS OpenSSL options back to the pre-TSR ones, and restored the old set of Cipher protocols - but even though Exim rebuilt and started OK, I still can't get Apple Mail to send anything and all I get in the logs are the messages above.
     
    #1 rpvw, Jan 23, 2018
    Last edited: Jan 23, 2018
  2. cPanelNick

    cPanelNick Administrator
    Staff Member

    Sadly, Mac OSX 10.7 (Lion) has reached end of life and has not been receiving security updates or SSL/TLS cipher for some time. You may be stuck allowing weaker ciphers or older SSL protocols if you cannot upgrade the client system.

    If the below still doesn't solve the problem, you may need to remove "+no_sslv3" from "Options for OpenSSL" and "!SSLv3" from SSL Protocols to allow SSLv3.

    For Exim (SMTP):
    WHM » Service Configuration » Exim Configuration Manager
    • Options for OpenSSL
      Code:
      +no_sslv2 +no_sslv3
    • SSL/TLS Cipher Suite List
      Code:
      ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

    For Dovecot (IMAP/POP3):
    WHM » Service Configuration » Mailserver Configuration
    • SSL Cipher List
      Code:
      ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    • SSL Minimum Protocol (v70 and later)
      Code:
      TLSv1
    • SSL Protocols (v68 and earlier)
      Code:
      !SSLv2 !SSLv3
     
    #2 cPanelNick, Jan 23, 2018
    Last edited: Jan 23, 2018
    EneTar and Infopro like this.
  3. rpvw

    rpvw Well-Known Member

    Thank you kindly Nick, that got my old Mac OS X 10.7.5 test-bed working, and I shall now have to wait until morning to see if the various Mac user clients can send again.

    I don't know why I couldn't get the protocols and ciphers to work before. Your strings were identical to the ones I tried, but maybe I introduced some white-space or something.

    I shall update if the clients still can't connect in the morning o_O
     
  4. EneTar

    EneTar Well-Known Member

    The "SSL/TLS Cipher Suite List" for EXIM is a little bit different than that in "Outlook 2016 Sending Email Fails After Cipher Suite Update"

    Do you mind describing the difference and which one should we use?
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    The cipher list referenced below (and earlier in this thread) is a copy of the default cipher list utilized for Exim in cPanel version 66.

    Code:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
    We document more information about the cipher changes in cPanel version 68 at:

    How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation

    I've updated the cipher list referenced on the Outlook 2016 Sending Email Fails After Cipher Suite Update post to match the one referenced above, as generally most customers are seeking to revert the changes made in cPanel version 68 and restore the settings that worked in cPanel version 66.

    Thank you.
     
    EneTar likes this.
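
Added example, not part of the original thread and not cPanel's code: a small offline audit of the Exim cipher list quoted above, which groups the suites by forward secrecy and cipher mode, flags whitespace or unrecognised tokens of the kind suspected in post #3, and compares two lists as asked in post #4. The helper names `tokens`, `audit` and `diff` are hypothetical; classification is by suite name only and covers the AES/ChaCha20 names in that list.

```python
import re

# Exim "SSL/TLS Cipher Suite List" exactly as quoted in the thread.
EXIM_V66 = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:!DSS"
)
# Explicit TLS<=1.2 suite names of the kind used in that list (assumption:
# anything else, e.g. aliases such as ALL or HIGH, is reported, not expanded).
SUITE_RE = re.compile(r"(?:(ECDHE|DHE)-(?:ECDSA|RSA)-)?"
                      r"(?:AES(?:128|256)(?:-GCM)?-SHA(?:256|384)?|CHACHA20-POLY1305)")

def tokens(cipher_string):
    """Split on colons and any whitespace, dropping empty pieces."""
    return [t for t in re.split(r"[:\s]+", cipher_string) if t]

def audit(cipher_string):
    """Group tokens by forward secrecy / cipher mode and flag paste damage."""
    report = {"fs_aead": [], "fs_cbc": [], "static_rsa": [],
              "operators": [], "unrecognised": [],
              "whitespace": bool(re.search(r"\s", cipher_string))}
    for tok in tokens(cipher_string):
        m = SUITE_RE.fullmatch(tok)
        if tok[0] in "!+-":               # exclusion / reordering operators
            report["operators"].append(tok)
        elif m is None:                   # alias, typo or truncated name
            report["unrecognised"].append(tok)
        elif m.group(1) is None:          # no (EC)DHE prefix: static RSA key exchange
            report["static_rsa"].append(tok)
        elif "GCM" in tok or "CHACHA20" in tok:
            report["fs_aead"].append(tok)
        else:                             # (EC)DHE with AES-CBC and HMAC-SHA
            report["fs_cbc"].append(tok)
    return report

def diff(a, b):
    """Tokens only in a, only in b, and whether shared tokens keep the same order."""
    ta, tb = tokens(a), tokens(b)
    same_order = [t for t in ta if t in tb] == [t for t in tb if t in ta]
    return [t for t in ta if t not in tb], [t for t in tb if t not in ta], same_order

if __name__ == "__main__":
    for key, value in audit(EXIM_V66).items():
        print(key, value)
```

Tokens reported as unrecognised, such as the aliases in the Dovecot list, can be expanded on the server with `openssl ciphers -v`.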