Problem connecting to DA server (exim and dovecot) with iPhone using SSL

harro

Hi all,

I did a yum and custombuild update last week and ever since it is no longer possible to connect to any of our servers using the iPhone/iOS mail app with SSL on. The message is (for example): "The IMAP server mail.truskmore.nl is not responding".

There is no problem connecting with Android or linux/windows email applications.

There is a Letsencrypt SSL certificate that is valid. I have tested with MX toolbox and SSLlabs SSLtest, which both give green/ok. Only with SSL Labs it does give errors when it emulates older Safari browsers:

Safari 6 / iOS 6.0.1 Server sent fatal alert: handshake_failure
Safari 7 / iOS 7.1 Server sent fatal alert: handshake_failure
Safari 7 / OS X 10.9 Server sent fatal alert: handshake_failure
Safari 8 / iOS 8.4 Server sent fatal alert: handshake_failure
Safari 8 / OS X 10.10 Server sent fatal alert: handshake_failure

However, the problems (also) happen with recent Apple devices (e.g. iPhone12), so I would expect this to have newer software.


On some iPhones, the connection works again with SSL off, but that is not desirable. I have reinstalled on two servers all software (./build all) to ensure all the latest libraries, etc. are linked, but no improvement.

Any suggestions as to what the cause and the solution may be?


Thank you and kind regards, Harro
 
Connection converted to SSL
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes

TLSv1.3 is in use, try to set up your 1.2
 
Hi Active8, thank you for your feedback. I checked the dovecot and exim configs and they were set to minimum version = tls_v1.2 (so in theory it should already be possible to connect with TLS v1.2).

I modified the exim and dovecot configs to allow TLS v1 and TLS v1.1 as well, but still the iPhone cannot reach the server (no connection). The IPs of the phones are not blacklisted, since the connection starts to work again when SSL is disabled.

Is there anywhere in the logs that I would be able to see what communication takes place between the iPhone and the server, when the iPhone tries to connect?

Thank you all for your thoughts and suggestions!
 
Please check your ssl_configuration in CustomBuild: is this set to intermediate?

EDIT
I have just checked one of our servers with CentOS 8 and 7 installed.
With CentOS 7 installed I get this:

SSLVersion in use: TLSv1_2
Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
Perfect Forward Secrecy: yes

But with CentOS 8 I get this:

Connection converted to SSL
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes

Both are set up the same way, but it's weird that CentOS 8 has a different TLS / cipher version in use by default.
 
It was originally set to intermediate, but I have changed it to ssl_configuration=old in order to enable all the old tls v1 and v1.1
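
An added example, not part of any post in this thread: a client-side check that offers the mail server exactly one TLS version per attempt and reports the negotiated version and cipher, or the handshake error, which is the same information as the "SSLVersion in use / Cipher in use" output quoted above. The function names, the implicit-TLS assumption (993 for IMAPS, 465 for SMTPS) and the script name are choices made for this example.

```python
# Added example, not from the thread: probe which TLS versions a mail server accepts.
import socket
import ssl
import sys

VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def pinned_context(version):
    """Client context that offers exactly one TLS version, with normal cert checks."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port, version, timeout=5.0):
    """Attempt one implicit-TLS handshake; report what was negotiated or why it failed."""
    result = {"offered": version.name, "ok": False, "negotiated": None,
              "cipher": None, "error": None}
    try:
        ctx = pinned_context(version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(ok=True, negotiated=tls.version(),
                              cipher=tls.cipher()[0])
    except (OSError, ValueError) as exc:
        # ssl.SSLError (handshake_failure, protocol version alerts, certificate
        # errors) is a subclass of OSError; refused or timed-out connections
        # land here too. ValueError covers versions the local OpenSSL lacks.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def probe_all(host, port=993, timeout=5.0):
    """Probe every version in VERSIONS against one host and port."""
    return [probe(host, port, v, timeout) for v in VERSIONS]


if __name__ == "__main__":
    # Usage: python tls_probe.py <mail-host> [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
    for r in probe_all(host, port):
        status = f"{r['negotiated']} {r['cipher']}" if r["ok"] else r["error"]
        print(f"{r['offered']:8} -> {status}")
```

A failure on TLSv1 or TLSv1_1 can also come from the probing machine's own OpenSSL policy, so compare results from more than one client before concluding that the server rejects those versions.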
 