SOLVED [CPANEL-28089] Dovecot TLS configuration reset upon update

[daflame]

Since this morning, I can't RECEIVE emails with Outlook 2010 (POP3 and IMAP accounts). No problem to SEND emails. I get the error 800CCC1A for POP3 accounts using port 995 and SSL connexion. I also get the error 800CCC0E for IMAP accounts using port 993 and SSL connexion.

Otherwise, I am able to receive and send emails with Gmail App on my phone with IMAP accounts using port 993 and TLS/SSL connexion.

My cPanel version is v80.0.18. The SSL certificate seem to be fine. I see some updates in folder /etc/dovecot/ from today but not sure if it's related. Not sure either if I have to update cipher settings.

Someone can help me please? Thanks in advance!

 

[glucz]

Same here. Some outlook versions cannot download mail. I now even have problems with the mail client on a mac. Some ciphers seem to have been removed. The problem goes away when SSL is turned off... although I would prefer weak encryption to no encryption anytime.

 

[sneader]

We are seeing quite a few tickets about this very same problem, which started after last night's upcp. More to come, I am sure.

- Scott

 

[oplink]

Same here

Logs show
Jun 23 18:31:09 cpanel1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=xxxx, lip=xxxx, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<dpkgFwaMrNRJc6J4>

Any details on why?

 

[uk01]

I've had several issues with a Mac tonight and spent 3 hours unpaid support time.

Various issues-
Unable to verify password (internet accounts)
Port 993 timed out

These are known Mac issues so I never thought it would be caused by Cpanel. However, I remembered that we had to adjust some cipher details due to older Macs which couldn't send.

Therefore I checked the mailserver settings in WHM and notice "SSL Minimum Protocol" is set to v1.3
This must have been enforced with Cpanel v80 on Friday/Saturday night but I can't find it anywhere in the change log?

Once I changed this back to TLSv1 Mac Mail works again. Now I know we are "supposed" to enforce v1.2 but we can't go falling out with all customers (which are also clients in our case) who have older Macs!

I just wish if Cpanel are enforcing it for PCI compliance they would have made us aware (unless I missed it?) as it has incurred me in 3 hours of time when we are very busy, I now get to bed at 4am!

 

[Mr.Juno]

Same here, so far no problem with Outlook 2016. Only Outlook 2010.

- Removed -

 

[sneader]

I found that the update changed a Dovecot security setting on our servers. In WHM, under Service Configuration > Mailserver Configuration > SSL Minimum Protocol, cPanel managed to change this setting to the highest security setting, "TLS v1.2" on most of our servers, with a few of them changed to "TLS v1". This breaks email service for many customers that use slightly older email clients and/or operating systems.

We've fixed this, for now, by changing the SSL Minimum Protocol back to "SSL v3" and this has solved the problem for our customers.

- Scott

 

[rwliam]

Also seeing reports of this since around 3am this morning. Sounds like it has only affected POP accounts so far ...

 

[orlandobond]

Most probably will work with TLSv1 as well.

To find if you have issue like this you can try to use:

grep "TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown" /var/log/maillog

 

[leonep]

same problem for me. any news?

 

[4u123]

I can confirm that we are also experiencing a ton of support requests in the last 48 hours - all related to Email and SSL/TLS and most of them Mac clients - some Android.

I don't see anything in the 80 changelog about any changes. Would like a response from cpanel about what's happened here.

We would like to have given some notice to our customers!

 

[the_island]

Same here.
Changed minimum SSL version to v3 and clients can download email again.

Not sure if this pauses a security threat, but companies had to receive their emails ...

 

[gvard]

Hello,

same problem for me. any news?

@sneader provided the resolution to this issue, have you tried it?

 

[leonep]

yes the solution from member @sneader works for me
i want to know from official cpanel if is the best
for me the best is to burn old client and use only webmail 8) but customers don't like this !
thanks

 

[wintech2003]

We're seeing the same here with old Outlook clients (2010) and Mail.app on older Mac OS X versions.

 

[gvard]

Hello,

For some reason Dovecot reset the TLS configuration after the latest update. cPanel has opened an internal case number for this, which is CPANEL-28089. If you made changes to this value before, you'll need to roll them back to what they were before.

Version 68 of cPanel introduced new SSL ciphers to increase the security of the mail server; this enables TLS 1.2 and disables older SSL protocols such as TLS 1.0.

You can read more on this through the blog post here, TLS Changes in Version 68. TLS Changes in Version 68 | cPanel Blog

While cPanel makes every effort to ensure our product is as secure as possible, this does mean older operating systems and mail clients will be affected.

Due to Windows 7 being an older system, versions of Outlook (2007 & 2010) on Windows 7 can only offer TLS 1.0 and below. Microsoft did release a patch to resolve this and enable the newer protocols, TLS 1.1 and TLS 1.2. You can read more information on Microsoft's blog here: Enabling TLS 1.1 and 1.2 in Outlook on Windows 7

Please keep in mind this is not a defect or an issue with cPanel, but an incompatibility with outdated client software. Updating the client software to support TLS 1.2 will help maintain overall security.

There are two options to help resolve the issues you are currently facing. Please note, Option 1 is the recommended solution.

[Option 1]: (RECOMMENDED) To enable TLS 1.2 for Windows 7, you will need to patch your system to modify the registry. Be sure your system is fully updated through the update center, and then download and install the patch from Microsoft's website here: https://support.microsoft.com/en-us...-and-tls-1-2-as-a-default-secure-protocols-in

After that is installed, be sure to reboot your local computer as well to ensure the patch was applied. Once you're back online, please try to connect to the cPanel server again.

[Option 2]: (NOT RECOMMENDED) If you must enable TLS 1.0 on the WHM/cPanel server for compatibility, then in WHM >> Home >> Service Configuration >> Exim Configuration Manager > Basic Settings:

Ensure that "Allow weak SSL/TLS ciphers" is "Off".

Change "SSL/TLS Cipher Suite List" to (this is one long line):
====
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
====

And change "Options for OpenSSL" to:
====
+no_sslv2 +no_sslv3
====

Then "Save" at the bottom of the page.

This will enable TLS 1.0, 1.1, and 1.2 and should provide compatibility with older mail servers and clients that only support TLS 1.0.

For Dovecot in WHM >> Home >> Service Configuration >> Mailserver Configuration:

Change "SSL Cipher List" to (this is one long line):
====
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
====

Change "SSL Minimum Protocol" to:
====
TLS1
====

Once that is enabled, or you have fully patched your Windows install, Windows should be able to connect to the server again.

 

[MattGarner]

I have noticed even if the TLS 1.2 update is installed on Windows 7 - Mail clients still refuse to connect to it. Anyone else seen similar?

 

[cPanelMichael]

[Note: This post was updated on 06-26-2019 with updated information]

Hello Everyone,

Internal case CPANEL-28089 was opened to investigate reports of Dovecot configuration settings automatically reverting to the default values. This resulted in email client connectivity errors if the Dovecot settings were previously modified to allow for TLS compatibility with legacy email clients.

cPanel & WHM version 80.0.20 was published to the CURRENT release tier with a fix to ensure the Dovecot mail server configuration settings are preserved upon future updates:

Fixed case CPANEL-28089: Correctly generate ssl_min_protocol based on the value of ssl_protocols, when applicable.

The full change log is available on the link below:

80 Change Log - Change Logs - cPanel Documentation

Note this fix does not automatically restore the configuration values that were reset during prior updates. On affected servers, administrators must browse to WHM >> Mailserver Configuration and adjust the settings to their preferred values.

If you are unsure which configuration changes to make for compatibility with legacy email clients, click here to see a discussion of specific configuration changes known to help.

Additionally, you can use the following WHM API 1 function if you need to make changes to the Dovecot configuration settings via the command line:

WHM API 1 Functions - set_service_config_key - Developer Documentation - cPanel Documentation

For example, the following command will set the Dovecot "SSL Minimum Protocol" value to TLSv1.2:

whmapi1 set_service_config_key api.version=1 service=dovecot key=ssl_min_protocol value=TLSv1.2

If "Back up System Files" is selected in WHM >> Backup Configuration and you have a backup available from before the issue started, then you can view an older copy of the Dovecot main file to determine which SSL protocol settings were reset.

For example, here are the commands to use for compressed backups if you have system backup files from 06-20-2019:

cd /backup/2019-06-20/system/dirs/
tar xvzf /backup/2019-06-20/system/dirs/_var_cpanel.tar.gz
grep ssl_ /backup/2019-06-20/system/dirs/var/cpanel/conf/dovecot/main

Here are the commands to use for incremental backups if you have system backup files from 06-20-2019:

grep ssl_ /backup/2019-06-20/system/dirs/_var_cpanel/conf/dovecot/main

You can then browse to WHM >> Mailserver Configuration and adjust the current settings to match the previous values.

Thank you.

 

[wintech2003]

Additionally, can anyone confirm if this issue occurred on a system that is not using CloudLunux?

Yes, we've seen this reset of configuration settings happening on a non-Cloudlinux server as well. Can provide IP via PM or otherwise if needed.

 

[cPanelMichael]

Yes, we've seen this reset of configuration settings happening on a non-Cloudlinux server as well. Can provide IP via PM or otherwise if needed.

Thanks, I've confirmed additional affected systems include both CentOS and CloudLinux. I've removed the question from my previous response and will update this thread with more information shortly.

Thanks!