Dovecot SSL error

Good day.

When trying to connect Microsoft Outlook 2003 to Dovecot over IMAP (SSL), an error occurs in dovecot.log:
Code:
imap-login: Debug: SSL error: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
With MS Outlook 2010/2016, all is good.

dovecot --version
2.3.13

What do you advise?
 
"no shared cipher" means Dovecot does not support any of the ciphers that Outlook 2003 does. This is most likely because, as noted above, Outlook 2003 is ridiculously out of date and all its supported ciphers are too weak to provide effective encryption and Dovecot has dropped offering them.

There are options, but since you asked for advice, I would recommend, for the health and security of the internet, that you please use the newer versions of Outlook that you have already confirmed work.
 
Why would you ask? You need third-party verification that you should tell whoever told you to support Outlook 2003 to go fly a kite. That's a reason I can think of to ask.

Downgrading Dovecot's SSL cipher support will endanger ALL CLIENTS and your organization, not just Outlook 2003. Furthermore, supporting using Outlook 2003 and whatever outdated version of Windows XP or 7 encourages the use of unsupported and vulnerable software that could be used as DDoS weaponry.

You'll have to downgrade Dovecot's SSL cipher list to support Outlook 2003. This is a bad thing to do. You can read and understand the documentation in order to do this. If you don't know how, I won't tell you how to do it because it encourages the creation of an internet community danger.

If the clients are firewalled, the stunnel idea will work and be relatively safe, but it's unlikely that Outlook 2003 is the only software these clients are using to connect to the internet. You'll have to know how to configure that too.
 
I use that solution for MFPs as firmware updates aren't available except for technicians but only for SMTP. :)
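
To see which hosts actually fail with the error from the question before choosing between upgrading clients and an stunnel relay, the handshake failures can be counted per client address. This is an added example, not part of the thread or of Dovecot's own tooling; the sample log, the `rip=` Info-line layout and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# OpenSSL 1.1.x error string: error:<hex code>:<library>:<function>:<reason>
SSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^,\n]+)")
RIP = re.compile(r"\brip=([0-9A-Fa-f:.]+)")
# Reasons that point at a client too old to negotiate with the server.
LEGACY_REASONS = {"no shared cipher", "unsupported protocol"}

# Constructed sample log. Only the first line's error text is from the thread;
# addresses are documentation ranges and the Info-line layout is assumed.
SAMPLE_LOG = """\
imap-login: Debug: SSL error: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<a1>
imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<a2>
imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<b1>
imap-login: Info: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.1, mpid=1234, TLS, session=<c1>
imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.9, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<d1>
"""


def parse_ssl_error(line):
    """Split an OpenSSL error embedded in a log line into its fields."""
    m = SSL_ERR.search(line)
    if not m:
        return None
    rip = RIP.search(line)
    return {"code": m.group(1), "function": m.group(3),
            "reason": m.group(4).strip(),
            "rip": rip.group(1) if rip else None}


def legacy_clients(log_text):
    """Map client address -> {reason: count} for legacy-client failures."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        err = parse_ssl_error(line)
        # Debug lines carry no rip= and repeat the Info line, so skip them
        # to avoid counting one failed handshake twice.
        if err and err["rip"] and err["reason"] in LEGACY_REASONS:
            hits[err["rip"]][err["reason"]] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


if __name__ == "__main__":
    for ip, reasons in sorted(legacy_clients(SAMPLE_LOG).items()):
        print(ip, reasons)
```
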
 