Email sending is a core feature of any hosting account, whether the server runs Linux or Windows. Most users send and receive their email through desktop clients, and that is the easiest way to communicate with your customers. Now to the main topic: if you are a web hosting provider using the cPanel/WHM hosting panel to provide hosting accounts to your customers, you should read this article. It will save you 24 to 48 hours for sure.
cPanel/WHM recently released its latest version, 68, with some major updates; one I have found is a set of changes to SSL and TLS authentication. They introduced new mechanisms and algorithms for the authentication system used by the mail servers (Dovecot, Exim). What does it do? It simply disables the old authentication system, which breaks SMTP authentication with old email clients such as Outlook 2007 and Outlook 2010. So in the end your clients will not be able to connect to your outgoing email server (SMTP) if they are using Outlook 2007 or 2010.
First of all, I checked the Exim mail log:
/var/log/exim_mainlog
and found the following error:
(SSL_accept): error:00000000:lib(0):func(0):reason(0)
TLS client disconnected cleanly (rejected our certificate?)
So I learned that Outlook is not able to connect to the SMTP server and exits with the TLS error above, which clearly tells us the connection is rejected due to an invalid certificate; on the Outlook side you will also get an SSL/TLS error saying the authentication method is not supported.
I tried to fix this issue myself but could not find a proper resolution, so I contacted the cPanel/WHM support center and they provided a quick fix. I will not write out the whole discussion, only the resolution to the problem:
If you must enable TLS 1.0 on the WHM/cPanel server for compatibility, then in
WHM >> Home >> Service Configuration >> Exim Configuration Manager >> Basic Settings:
Ensure that “Allow weak SSL/TLS ciphers” is “Off”
Change “Options for OpenSSL” to:
+no_sslv2 +no_sslv3
and change “SSL/TLS Cipher Suite List” to (this is one long line):
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
Then “Save” at the bottom of the page.
This will enable TLS 1.0, 1.1, and 1.2 and should provide compatibility with older mail servers and clients that only support TLS 1.0.
Now, for Dovecot, in
WHM >> Home >> Service Configuration >> Mailserver Configuration:
Change “SSL Cipher List” to (this is one long line):
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
Change “SSL Protocols” to:
!SSLv2 !SSLv3
Once that is saved, Windows clients should be able to connect to the server again.
That is all! Feedback is welcome!
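Before pasting either cipher list into WHM, it is worth confirming that the local OpenSSL accepts the string and knowing exactly which entries are there only for old clients like Outlook 2007/2010, so they can be dropped again later. The following script is an added example and is not part of the article or of cPanel; it assumes the cipher list given above and uses only Python's standard ssl module.

```python
"""Offline audit of the Exim/Dovecot cipher string before it goes into WHM."""
import ssl

# The cipher suite list from this article (the same string is used for Exim and Dovecot).
CIPHER_LIST = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"


def parse_cipher_string(spec):
    """Positive entries of an OpenSSL cipher string; '!X' and '-X' rules are skipped."""
    return [c for c in spec.split(":") if c and c[0] not in "!-"]


def classify(name):
    """Rough properties of one suite, read from its OpenSSL name."""
    return {
        "name": name,
        "pfs": name.startswith(("ECDHE-", "DHE-", "EDH-")),  # ephemeral key exchange
        "aead": "GCM" in name or "CHACHA20" in name,         # authenticated encryption
        "3des": "DES-CBC3" in name,                          # legacy 3DES, 64-bit blocks
    }


def audit(spec):
    """Summarise which entries exist only for legacy-client compatibility."""
    entries = [classify(c) for c in parse_cipher_string(spec)]
    return {
        "total": len(entries),
        "no_pfs": [e["name"] for e in entries if not e["pfs"]],
        "3des": [e["name"] for e in entries if e["3des"]],
        "aead_preferred": all(e["aead"] for e in entries[:8]),
    }


def without_legacy(spec):
    """Same string with non-PFS and 3DES suites dropped, for when the old clients are gone."""
    keep = [c for c in spec.split(":") if c and (c[0] in "!-" or
            (classify(c)["pfs"] and not classify(c)["3des"]))]
    return ":".join(keep)


def openssl_resolves(spec):
    """Suite names the local OpenSSL actually enables for this string (SSLError if none match)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    report = audit(CIPHER_LIST)
    print(f"{report['total']} suites; {len(report['no_pfs'])} without PFS; "
          f"{len(report['3des'])} using 3DES; AEAD preferred: {report['aead_preferred']}")
    print("Legacy-only entries:", sorted(set(report["no_pfs"] + report["3des"])))
    print("Enabled by local OpenSSL:", len(openssl_resolves(CIPHER_LIST)))
```

The audit shows that the list puts AEAD suites first and keeps seven non-PFS suites plus four 3DES suites purely for compatibility; the protocol side (TLS 1.0/1.1) is controlled by the OpenSSL options above, not by this string.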