CustomBuild: ssl_configuration=intermediate setting will now also drop TLS 1.1 and older for exim and dovecot

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,005
If you're running a box with OpenSSL 1.0.2 or higher, any rebuilds of the exim.conf or dovecot.conf will include options to disable TLS 1.1.
TLSv1.1 is EOL as of March 31, 2020. Windows 7 support ended on January 14, 2020.
This is with CustmoBuild 2, rev 2404 and up: "./build version"

If you still need TLSv1.1 in exim and dovecot, then you'd set:
Code:
./build set ssl_configuration old
./build update
./build rewrite_confs
./build exim_conf
./build dovecot_conf
However, we'd highly recommend using E-Mail clients that support TLS 1.2, such as Thunderbird.

If you need to keep your apcahe/nginx/litspeed/openlitespeed with the intermediate settings, but still need to drop your minimum requirements for email, you can override the configs too:
  • Exim: /etc/exim.variables.conf.custom add:
    Code:
    openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1
    and run a ./build exim_conf
  • Dovecot: /usr/local/directadmin/custombuild/custom/dovecot/conf/ssl.conf add
    Code:
    ssl_cert = </etc/exim.cert
    ssl_key = </etc/exim.key
    ssl_dh = </etc/dovecot/dh.pem
    
    ssl_min_protocol = TLSv1
    ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

But if you're flat-out using an end-of-life OS like CentOS 5, with openssl 0.9.8, then your going to want to use:
Code:
./build set ssl_configuration old
regardless. The above work-arounds are only for OSs like CentOS 6 which does support TLS 1.2, but your email client's do not.
 
Last edited:

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,243
Location
GMT +7.00
For exim:

Code:
grep X=TLS1 /var/log/exim/mainlog
Dovecot by default does not log TLS version. You might redefine it via login_log_format_elements
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,555
I think it is to soon to disable TLS 1.1 on mail on shared hosting servers. However we are using
ssl_email_configuration=intermediate because we want to have TLS 1.1 disabled on Apache/websites.

I think it would be much better if you could add a separate options.conf settings for mail, for example:
Code:
ssl_mail_configuration=old/intermediate/modern
That way, we could have TLS 1.1 disabled for websites with ssl_configuration=intermediate and enabled for mail with ssl_mail_configuration=old - until we think enough time has passed to safely disable TLS 1.1 on mail also.

I did read above that we can use custom configs for exim and dovecot, but I would be much more happy with a options.conf setting for mail.
 
Last edited:

Vinayak

New member
Joined
Jul 12, 2019
Messages
2
SMTP still has problem when using custom config for exim and dovecot. Older email clients like Outlook 2007 can receive but can't send emails due to encryption type not supported issue.
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
713
Location
Netherlands Germany
SMTP still has problem when using custom config for exim and dovecot. Older email clients like Outlook 2007 can receive but can't send emails due to encryption type not supported issue.
Look at the port for sending, try to change port ( 587 , 465 and 25...) and some settings for those then for testing on that outlook clients , write down results . messages / log files DA server.

Maybe with those results someone here could help you.

But OK you can have the clients with some Microsoft support , give support for newer .... ones , the better solution! ;)
 
Last edited:

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,555
@DirectAdmin Support and @smtalk, I really do not understand why you have made this change so soon, and why you are not willing to provide a separate option for mail chipers in options.conf? Many users want this, just count the 6 likes in my previous comment and 7 with the reply from @Imtek

Just now I was reading a new thread from a user wich now have problems with both customers apple mail and outlook: https://forum.directadmin.com/threads/tls-error-after-update-exim-to-4-93-0-4-from-0-3.60538/

Also here is a user reporting problems for his customers with Outlook 2007: https://forum.directadmin.com/threads/windows-7-outlook-2007-exim-cipher-suite.60461/

You can't expect us to tell customers on shared hosting that our mail servers do not support Outlook on Windows 7? Windows 7 has a market share of 32.37%: https://bit.ly/2wvN9j7

Can you please reconsider adding a separate option for tls for exim and dovecot in options.conf, that would allow us to keep using ssl_configuration=intermediate for Apache without impacting exim and dovecot wich still need chipers that support tls 1.1?

I would just like to not have to use custom configs for exim and dovecot, but currently I am forced to do just that. Not the end of the world, but I would like to avoid it.
 
Last edited:

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,243
Location
GMT +7.00
a possible workaround for Exim:

Code:
touch /etc/exim.variables.conf.custom
echo "openssl_options = +no_sslv2 +no_sslv3" >> /etc/exim.variables.conf.custom
cd /usr/local/directadmin/custombuild/
./build update
./build exim_conf
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
713
Location
Netherlands Germany
@all
Please do your Customers if possible a favour to advise them howto make windows 7 and older outlook using more secure TLS 1.2, this should be done long before today is already possible since i think 2016 or so.

So lot of those Customers have a kind of lacking doing updates for security it seems , those are then also more dangerous for your services as DA admin / Hoster! ( and yup i only had problems with virus / hacked computers and then mail abusing/spamming with Those ... )

Some links:
.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,505
Location
Maastricht
Oh, didn't even know they had a new feature request part. Pity one has to register for that seperately.
But it makes it a bit more clear maybe.
 

jeffer

Verified User
Joined
Jul 23, 2017
Messages
9
I have to agree this is too soon. Clients are reporting problems which cost us alott of time.
It would be better to still support this but set in options.conf if youwhat versions to support.
Ofcourse in a couple of months we should all disable TLS 1.0 and 1.1 but for now this change that is forced on users is just not very client friendly.

For now this change has cost us alott of time and effort which could have been spend on alott of other things. Please keep this in mind with changes like this. Allover the world companies have to invest time on this...I did not find this post through Google but a support ticket...so it's costing Directadmin unneeded time aswell.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,887
Location
LT, EU
I have to agree this is too soon. Clients are reporting problems which cost us alott of time.
It would be better to still support this but set in options.conf if youwhat versions to support.
Ofcourse in a couple of months we should all disable TLS 1.0 and 1.1 but for now this change that is forced on users is just not very client friendly.

For now this change has cost us alott of time and effort which could have been spend on alott of other things. Please keep this in mind with changes like this. Allover the world companies have to invest time on this...I did not find this post through Google but a support ticket...so it's costing Directadmin unneeded time aswell.
Hm.. Didn't major companies drop TLSv1.1?

Starting with the release of Chrome 81 users won’t be able to connect with sites that have not upgraded to TLS 1.2.
Complete support will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020.
In March of 2020, Firefox will disable support for TLS 1.0 and TLS 1.1.
If we had TLSv1.1 enabled, the customers might complain on grade B in https://www.ssllabs.com/ssltest/ and other tests.
 

wattie

Verified User
Joined
May 31, 2008
Messages
1,082
Location
Bulgaria
The biggest problem are users with Windows 7 who use Microsoft Outlook (usually 2013 or earlier). They use TLS 1.0 only by default. They can support TLS 1.2 with a patch but you have to teach them and patch every workstation usually one by one. For me it's not worth it.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,505
Location
Maastricht
who use Microsoft Outlook (usually 2013 or earlier).
Earlier I think. I'm using Outlook 2013 and have no issues with TLS 1.2 so probably this is updated by Windows Update or something. Outlook 2010 is supported until later this year.

Don't forget that Windows 7 is already EOL, you won't support XP either. Oke Windows 7 and 8 are newer, but Microsoft announced that they will start fasing out TLS 1.0 and 1.1 as from june 2020.
All big company's are fasing out, so maybe it's better to create an information page on your site for your customers.
And point to one of the support pages of Microsoft.

So if you don't tell/teach them, they will get in to trouble anyway this year.
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,555
I will have to withdraw my previous feature request in replies above, because a few weeks ago we recompiled both exim and dovecot confs on our shared hosting servers, and we did not get many complaints. We are using the intermediate setting. So it seems this was not a big problem after all, at least not for us. So now I would not benefit for any new settings, and are very happy with the current setup. 🤪 Currently we are more concerned about other stuff, like the Corona virus for example. 😷
 

wattie

Verified User
Joined
May 31, 2008
Messages
1,082
Location
Bulgaria
Don't forget that Windows 7 is already EOL, you won't support XP either.
Literally I do not care as far as my customers want it and they continue to use it. They pay. If I do not support whatever they want - including junk, - I'll lose money.
 
Top