TSR-2018-0001 prevents Apple Mail from sending

rpvw

Well-Known Member
cPanel Access Level: Root Administrator
The TSR-2018-0001 has changed something that has all my customers that use Apple Mail screaming that they can no longer send mail.

I have spent several hours experimenting with various set-ups on an older Mac OS X 10.7.5 with the result that I can create and configure any IMAP or POP account and they work perfectly downloading and displaying the mailbox folders and messages.


BUT any attempt to send just stalls. It does not matter what port is used or whether SSL is enabled or not; it just won't send anything and, understandably, the customers are somewhat unhappy. The connection doctor software that the Mac supplies reports a successful SMTP connection, but the TLS never gets established and the mail is never sent.

Similar tests using Thunderbird on the same old mac laptop seamlessly connected to the server, auto-configured everything and I was able to send and receive on any protocol.

I do not particularly want to have to revert to the old SSL/TLS OpenSSL options, nor re-enable the old Cipher Suite, so any alternative ideas would be gratefully received.


****UPDATE****
I am finally getting some connection information:

2018-01-23 20:29:53 SMTP connection from [xx.xx.xx.xx]:51391 (TCP/IP connection count = 3)
2018-01-23 20:29:53 TLS error on connection from ([192.168.1.104]) [xx.xx.xx.xx]:51391 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-01-23 20:29:53 TLS client disconnected cleanly (rejected our certificate?)

So I tried setting the SSL/TLS OpenSSL options back to the pre-TSR ones, and restored the old set of Cipher protocols, but even though Exim rebuilt and started OK, I still can't get Apple Mail to send anything, and all I get in the logs are the messages above.
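The triage below is an added example in Python (not from the post or from cPanel): it parses Exim mainlog "TLS error on connection from" lines of the kind quoted above and groups the failures per client, so a client that keeps failing at the handshake stands out and the protocol-level failure ("unknown protocol", the hello is not recognised as TLS at all) is told apart from a cipher-level one ("no shared cipher"). The log lines inside it are constructed in the post's format, with documentation-range addresses standing in for the redacted xx.xx.xx.xx.

```python
import re
from collections import Counter, defaultdict

# Exim mainlog "TLS error on connection from ..." line, as quoted in the post above.
TLS_ERR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) TLS error on connection from (?:\([^)]*\) )?"
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+) \((?P<where>[^)]+)\): "
    r"error:(?P<code>[0-9A-F]+):SSL routines:(?P<func>[^:]+):(?P<reason>.+)$"
)

# OpenSSL reason strings and the coarse class they usually indicate during triage.
CLASSES = {
    "unknown protocol": "protocol-mismatch",  # hello not recognised as TLS: legacy SSL or non-TLS data
    "no shared cipher": "cipher-mismatch",    # both sides speak TLS but the cipher lists do not intersect
}

# Constructed sample in the post's format (documentation IPs replace the redacted ones).
SAMPLE_LOG = """\
2018-01-23 20:29:53 SMTP connection from [203.0.113.7]:51391 (TCP/IP connection count = 3)
2018-01-23 20:29:53 TLS error on connection from ([192.168.1.104]) [203.0.113.7]:51391 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-01-23 20:29:53 TLS client disconnected cleanly (rejected our certificate?)
2018-01-23 20:30:11 TLS error on connection from ([192.168.1.104]) [203.0.113.7]:51402 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-01-23 20:31:02 TLS error on connection from (mail.example.net) [198.51.100.9]:40012 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
"""

def classify(reason):
    """Map an OpenSSL reason string onto a coarse triage class."""
    return CLASSES.get(reason, "other")

def parse_tls_errors(log_text):
    """Return one dict per TLS error line; other mainlog lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = TLS_ERR_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize_by_client(events):
    """Client IP -> Counter of reason strings, so a repeatedly failing client stands out."""
    summary = defaultdict(Counter)
    for ev in events:
        summary[ev["ip"]][ev["reason"]] += 1
    return summary

if __name__ == "__main__":
    for ip, reasons in summarize_by_client(parse_tls_errors(SAMPLE_LOG)).items():
        for reason, n in reasons.items():
            print(f"{ip}: {n} x {reason} [{classify(reason)}]")
```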

cPanelNick

Administrator
Staff member
cPanel Access Level: DataCenter Provider
Sadly, Mac OSX 10.7 (Lion) has reached end of life and has not been receiving security updates or SSL/TLS cipher updates for some time. You may be stuck allowing weaker ciphers or older SSL protocols if you cannot upgrade the client system.

If the below still doesn't solve the problem, you may need to remove "+no_sslv3" from "Options for OpenSSL" and "!SSLv3" from SSL Protocols to allow SSLv3.

For Exim (SMTP):
WHM » Service Configuration » Exim Configuration Manager
  • Options for OpenSSL
    Code:
    +no_sslv2 +no_sslv3
  • SSL/TLS Cipher Suite List
    Code:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

For Dovecot (IMAP/POP3):
WHM » Service Configuration » Mailserver Configuration
  • SSL Cipher List
    Code:
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
  • SSL Minimum Protocol (v70 and later)
    Code:
    TLSv1
  • SSL Protocols (v68 and earlier)
    Code:
    !SSLv2 !SSLv3
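Added example in Python (not code from cPanel or from anyone in the thread): it hands the two cipher strings quoted above to the OpenSSL that Python is linked against and reports how many suites each actually selects, which of them use legacy or unauthenticated algorithms, and which lack forward secrecy, so the effect of a list such as the Dovecot one with RC4+RSA can be checked before it is deployed. The expansion depends on the local OpenSSL build, so the numbers will differ from one server to another.

```python
import re
import ssl

# Exim "SSL/TLS Cipher Suite List" quoted above (cPanel v66 default), split only for readability.
EXIM_V66_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:!DSS"
)
# Dovecot "SSL Cipher List" quoted above; note the explicit RC4+RSA.
DOVECOT_CIPHERS = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"

WEAK_NAME = re.compile(r"RC4|DES|MD5|NULL|EXP|ADH|AECDH|PSK|SRP")  # legacy or unauthenticated
FORWARD_SECRET_KX = re.compile(r"Kx=(ECDH|DH|any)\b")            # from OpenSSL's cipher description

def expand_cipher_string(spec):
    """Return the TLS<=1.2 suites the local OpenSSL selects for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:          # nothing matched on this build: treat as an empty selection
        return []
    # TLS 1.3 suites are fixed and not governed by the cipher string, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit_cipher_string(spec):
    """Summarise a cipher string: how many suites, which are weak, which lack forward secrecy."""
    suites = expand_cipher_string(spec)
    return {
        "count": len(suites),
        "weak": [c["name"] for c in suites if WEAK_NAME.search(c["name"])],
        "no_forward_secrecy": [c["name"] for c in suites
                               if not FORWARD_SECRET_KX.search(c["description"])],
    }

if __name__ == "__main__":
    for label, spec in (("Exim v66", EXIM_V66_CIPHERS), ("Dovecot", DOVECOT_CIPHERS)):
        r = audit_cipher_string(spec)
        print(f"{label}: {r['count']} suites, weak={r['weak']}, no-FS={r['no_forward_secrecy']}")
```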

rpvw

Well-Known Member
cPanel Access Level: Root Administrator
Thank you kindly Nick, that got my old Mac OS X 10.7.5 test-bed working, and I shall now have to wait until morning to see if the various Mac user clients can send again.

I don't know why I couldn't get the protocols and ciphers to work before. Your strings were identical to the ones I tried, but maybe I introduced some white-space or something.

I shall update if the clients still can't connect in the morning o_O

EneTar

Well-Known Member
cPanel Access Level: Root Administrator
(quoting cPanelNick's reply above)
The "SSL/TLS Cipher Suite List" for EXIM is a little bit different from the one in the "Outlook 2016 Sending Email Fails After Cipher Suite Update" thread.

Do you mind describing the difference and which one should we use?

cPanelMichael

Administrator
Staff member
(quoting EneTar's question above)
Hello,

The cipher list referenced below (and earlier in this thread) is a copy of the default cipher list utilized for Exim in cPanel version 66.

Code:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
We document more information about the cipher changes in cPanel version 68 at:

How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation

I've updated the cipher list referenced on the Outlook 2016 Sending Email Fails After Cipher Suite Update post to match the one referenced above, as generally most customers are seeking to revert the changes made in cPanel version 68 and restore the settings that worked in cPanel version 66.

Thank you.