postfix, TLS and broken MS Outlook after Windows October 2022 update

After the last Windows October 2022 update, which disables TLS 1.0 and TLS 1.1 in Windows, it also breaks the Outlook TLS handshake to postfix:

Code:
postfix/smtpd[XXXXX]: SSL_accept error from unknown[XXX.XXX.XXX.XXX]: lost connection

Or with verbose logging:

Code:
postfix/submission/smtpd[XXX]: unknown[XXX.XXX.XXX.XXX]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
postfix/submission/smtpd[XXX]: SSL_accept:before SSL initialization
syslogd: last message repeated 1 times
postfix/submission/smtpd[XXX]: SSL_accept:SSLv3/TLS read client hello
postfix/submission/smtpd[XXX]: SSL_accept:SSLv3/TLS write server hello
postfix/submission/smtpd[XXX]: SSL_accept:SSLv3/TLS write certificate
postfix/submission/smtpd[XXX]: SSL_accept:SSLv3/TLS write key exchange
postfix/submission/smtpd[XXX]: SSL_accept:SSLv3/TLS write server done
postfix/submission/smtpd[XXX]: SSL_accept:error in SSLv3/TLS write server done
postfix/submission/smtpd[XXX]: SSL_accept error from unknown[XXX.XXX.XXX]: lost connection

The problem is that Outlook doesn't accept the TLS session ticket and hangs up the connection. The temporary fix is to not issue the session ticket, by adding "-o tls_ssl_options=NO_TICKET" to the master.cf file of postfix:

Code:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
...

submission inet n       -       n       -       -       smtpd
 ...
 -o tls_ssl_options=NO_TICKET
....
smtps     inet  n       -       n       -       -       smtpd
....
  -o tls_ssl_options=NO_TICKET
...

The original discussion from postfix-users

broken after KB5018410

Fixed with updates:
KB5018496
KB5020435
KB5020436
KB5020438
KB5020447
KB5020449
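As an added example (not code from the thread), a small Python helper that flags exactly this pattern in postfix verbose TLS logging (the client dropping the connection right after "write server done") over a constructed sample, plus a probe that reports whether a submission server still sends a TLS 1.2 session ticket after the NO_TICKET change. The host/port arguments and the sample PIDs and addresses are assumptions.

```python
import re
import smtplib
import ssl

# Constructed sample of postfix verbose TLS logging (not from a real server).
# PID 1001 shows the Outlook symptom; PID 1002 is a client that completes.
SAMPLE_LOG = """\
postfix/submission/smtpd[1001]: unknown[192.0.2.10]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
postfix/submission/smtpd[1001]: SSL_accept:before SSL initialization
postfix/submission/smtpd[1001]: SSL_accept:SSLv3/TLS read client hello
postfix/submission/smtpd[1001]: SSL_accept:SSLv3/TLS write server hello
postfix/submission/smtpd[1001]: SSL_accept:SSLv3/TLS write server done
postfix/submission/smtpd[1001]: SSL_accept:error in SSLv3/TLS write server done
postfix/submission/smtpd[1001]: SSL_accept error from unknown[192.0.2.10]: lost connection
postfix/submission/smtpd[1002]: SSL_accept:SSLv3/TLS read client hello
postfix/submission/smtpd[1002]: SSL_accept:SSLv3/TLS write server done
postfix/submission/smtpd[1002]: SSL_accept:SSLv3/TLS read client key exchange
postfix/submission/smtpd[1002]: Anonymous TLS connection established from unknown[192.0.2.11]: TLSv1.2
"""

LINE_RE = re.compile(r"smtpd\[(\d+)\]: (.*)$")

def find_handshake_hangups(log_text):
    """Return {pid: client} for sessions where the client hung up straight
    after the server's 'server done' message, i.e. the thread's symptom.
    Connections lost at any other handshake step are not reported."""
    last_step = {}   # pid -> last successful SSL_accept step seen
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue   # e.g. "syslogd: last message repeated" lines
        pid, msg = m.group(1), m.group(2)
        if msg.startswith("SSL_accept:") and not msg.startswith("SSL_accept:error"):
            last_step[pid] = msg
        elif msg.startswith("SSL_accept error from") and msg.endswith("lost connection"):
            client = msg.split("from ", 1)[1].rsplit(":", 1)[0]
            if last_step.get(pid, "").endswith("write server done"):
                hits[pid] = client
    return hits

def server_issues_tickets(host, port=587, timeout=10):
    """STARTTLS to a submission port (assumed) and report whether the server
    handed out a session ticket. Pinned to TLS 1.2 because TLS 1.3 tickets
    arrive after the handshake and would not show up here. Expected to be
    False once '-o tls_ssl_options=NO_TICKET' is active and postfix restarted."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # probing ticket behaviour only, not identity
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return bool(smtp.sock.session and smtp.sock.session.has_ticket)
```

Run `find_handshake_hangups` over `postfix/submission/smtpd` lines from your own log to count affected clients, and `server_issues_tickets("mail.example.invalid")` before and after the master.cf change to confirm the ticket is really gone.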
I have two (2) installations of postfix on AWS Linux 2. Both have the same configuration.
One has this problem, while the other does not. The one without this problem is running
on 4.14.262-200.489.amzn2.x86_64, while the other, with this problem, is
on 4.14.294-220.533.amzn2.x86_64.

Adding tls_ssl_options=NO_TICKET in master.cf does not rectify this issue.
Any idea on how to solve this issue?
 
The issue is in Microsoft Windows; this is only a workaround until Microsoft fixes their side.
After changing master.cf, don't forget to restart postfix. Also check whether you have "smtpd_tls_session_cache_database" set up and disable it (by default it's empty). This will slow down new TLS connections to the server, but it's the only option for now.


Here's the same information about this problem from plesk: