As Windows 7 hasn't been supported by Microsoft since January 2020, it would be best for the client to update or they could end up experiencing other security issues down the road.
Here are the details we have been providing clients that are experiencing this issue:
1 - (RECOMMENDED)
The most straightforward way to resolve this issue is to either upgrade to a supported operating system, or utilize a mail client that uses modern security protocols.
Windows 8.1 and newer, as well as MacOS 11.12 "Sierra" and newer, fully support the newer ciphers and protocols which will allow fully secure connections. In the case of Apple, they are providing free operating system updates and there would be no cost to your end users. This is the preferred option as it increases the security of your users' systems while keeping your system secure at the server level.
Other email clients such as the free and open-source Thunderbird client by the Mozilla Foundation offer full support of modern TLS protocols, even on older machines running Windows 7 or OS X 10.11.
Installing this and using it to connect to your email server rather than Outlook should allow your clients to receive mail locally on their computers without having to use insecure methods. You can read more about and download Thunderbird from their website here:
https://www.mozilla.org/en-US/thunderbird/
2 - (NOT RECOMMENDED)
To enable TLS 1.2 for Windows 7, you will need to patch your system to modify the registry. Be sure your system is fully updated through the update center, then download and install the patch from Microsoft's website here:
https://docs.microsoft.com/en-us/ar...bling-tls-1-1-and-1-2-in-outlook-on-windows-7
After the patch is installed, be sure to reboot your local computer to ensure the patch was applied. Once your system is back online, please try to connect to the cPanel server again.
Please note that this option is NOT available for Apple OSX computers.
3 - (NOT RECOMMENDED)
If you must enable TLS 1.0 on the WHM/cPanel server for compatibility, do the following in WHM >> Home >> Service Configuration >> Exim Configuration Manager >> Basic Settings:
- Ensure that "Allow weak SSL/TLS ciphers" is "Off".
- Change "SSL/TLS Cipher Suite List" to (this is one long line):
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
- Change "Options for OpenSSL" to the following:
+no_sslv2 +no_sslv3
- Click "Save" at the bottom of the page.
These changes will enable TLS 1.0, 1.1, and 1.2 and should provide compatibility with older mail servers and clients that only support TLS 1.0.
To make these changes for Dovecot, go to WHM >> Home >> Service Configuration >> Mailserver Configuration, and do the following:
- Change "SSL Cipher List" to this (in one long line):
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
- Change "SSL Minimum Protocol" to this:
TLS1
Once you have made these changes to the server, or you have fully patched your Windows system, Windows should be able to connect to the server again.
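Added example, not part of the original post or of cPanel's tooling: a small offline audit of the cipher string from option 3, showing which of its suites a client limited to TLS 1.0 can actually negotiate and which entries are 3DES or lack forward secrecy. The classification is a name-based heuristic that assumes OpenSSL suite naming; the function names are hypothetical.

```python
# Added example: name-based audit of the cipher string quoted in the post.
CIPHER_LIST = (  # copied from the post, split across lines only for readability
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)


def classify(name):
    """Properties inferred from an OpenSSL suite name (heuristic, offline)."""
    return {
        "name": name,
        "forward_secrecy": name.startswith(("ECDHE-", "DHE-", "EDH-")),
        "aead": "GCM" in name or "CHACHA20" in name,
        "triple_des": "DES-CBC3" in name,
        # Assumption, valid for the names in this list: only suites ending in
        # "-SHA" (HMAC-SHA1) can be negotiated below TLS 1.2; AEAD and
        # SHA256/SHA384 suites are TLS 1.2-only.
        "pre_tls12": name.endswith("-SHA"),
    }


def summarize(cipher_string):
    """Group the suites by the properties a reviewer cares about."""
    # Skip OpenSSL operators such as "!DSS"; keep only concrete suite names.
    suites = [classify(t) for t in cipher_string.split(":")
              if t and t[0] not in "!+-"]
    names = lambda key, want=True: [s["name"] for s in suites if s[key] is want]
    return {
        "total": len(suites),
        "aead": names("aead"),
        "triple_des": names("triple_des"),
        "no_forward_secrecy": names("forward_secrecy", False),
        "tls10_usable": names("pre_tls12"),
    }


if __name__ == "__main__":
    for key, value in summarize(CIPHER_LIST).items():
        print(key, value if isinstance(value, int) else f"({len(value)}) {value}")
```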