• The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Any tips related to email software and servers with TLS1.0 disabled?

H

HostaHost

Regular Pleskian
I'm curious if anyone has encountered a website with a list of common email programs and underlying operating systems, and either a definitive NO on getting each combo to talk TLS 1.1/1.2, or the relevant settings to accomplish this?

The issue is that we've tried disabling TLS 1.0 to satisfy PCI scanning vendors, via:
  • /usr/local/psa/admin/bin/pci_compliance_resolver --enable all
  • /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2 TLSv1.1"
but our support reps are experiencing a much higher than expected call volume from customers who cannot receive, and possibly send, email. FYI, I do know that the PCI council relented on the June 2016 elimination of TLS 1.0 and have added two years to its sunset date, but we'd like it gone asap anyway, and, as a side note, most PCI scanning companies have either chosen to stick with the original date, require a plan of removal we'd like our customers to avoid dealing with, or are simply wrong and won't accept an appeal.

Back to the issue; examples:
  • Thunderbird seems to be completely happy talking TLS 1.2, likely because Mozilla is doing their own internal SSL routines, not relying on underlying OS.
  • Outlook 2010 seems to randomly work or fail. I found an article suggesting a registry change may be needed to get Outlook to not behave stupidly: http://www.rainingforks.com/blog/2015/how-to-allow-outlook-to-connect-with-tlsv1-1tlsv1-2.html
  • Windows Live mail seems to have issues but we're not sure if it's all versions and/or platforms.
  • We have some reports of iPhone issues but have not fully investigated.
The server we tried this on already had SSLv3 disabled, so this is not an SSLv3 issue, we just went from TLS 1.0,1.1,1.2 to only 1.1,1.2.

Would love to find a resource from someone who has gone through this previously so we don't have to test every possible permutation of email software and host operating system to figure out what will and won't work, or what changes are needed to make it work; if such a resource exists.
 
Hello,
This is very interesting question. I would love to find such resource too =). I would be glad if you would continue to share you experience.

Windows Live Mail, as well as Outlook, uses Schannel as SSL/TLS backend, so the reconfiguration from the link above should help (I have tested this on Windows 7).
 
No problem; we've started to go down that path. We're going to deploy a new server that does not have TLS 1.0 enabled and as we add customers to it we'll be able to much better control what occurs without a flood of support requests. I'll update the thread once I have more data.
 
You must log in or register to reply here.

Similar threads

B
Issue High latency, unreliable performance & 522 errors on a Plesk server that ran fine for 6+ months
Replies
1
Views
215
Sebahat.hadzhi
Sebahat.hadzhi
D
Issue Spoofed Emails Appearing as Sent from My Own Server Despite Correct SPF/DKIM/DMARC Configuration?
Replies
2
Views
677
drdna
D
I
Question Problems with Email certificate renewal - seems linked to changes in SNI support
Replies
0
Views
3K
iainh
I
J
Can't disable TLS v1.0
Replies
12
Views
4K
TimReeves
TimReeves
H
lighttpd (aka sw-cp-server) security and PCI compliance issues
Replies
9
Views
5K
HostaHost
H
Back
Top