
Question: Any tips related to email software and servers with TLS1.0 disabled?

HostaHost

Regular Pleskian
I'm curious if anyone has encountered a website with a list of common email programs and underlying operating systems, and either a definitive NO on getting each combo to talk TLS 1.1/1.2, or the relevant settings to accomplish this?

The issue is that we've tried disabling TLS 1.0 to satisfy PCI scanning vendors, via:
  • /usr/local/psa/admin/bin/pci_compliance_resolver --enable all
  • /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2 TLSv1.1"
but our support reps are experiencing a much higher than expected call volume from customers who cannot receive, and possibly send, email. FYI, I do know that the PCI council relented on the June 2016 elimination of TLS 1.0 and have added two years to its sunset date, but we'd like it gone asap anyway, and, as a side note, most PCI scanning companies have either chosen to stick with the original date, require a plan of removal we'd like our customers to avoid dealing with, or are simply wrong and won't accept an appeal.

Back to the issue; examples:
  • Thunderbird seems to be completely happy talking TLS 1.2, likely because Mozilla is doing their own internal SSL routines, not relying on underlying OS.
  • Outlook 2010 seems to randomly work or fail. I found an article suggesting a registry change may be needed to get Outlook to not behave stupidly: http://www.rainingforks.com/blog/2015/how-to-allow-outlook-to-connect-with-tlsv1-1tlsv1-2.html
  • Windows Live mail seems to have issues but we're not sure if it's all versions and/or platforms.
  • We have some reports of iPhone issues but have not fully investigated.
The server we tried this on already had SSLv3 disabled, so this is not an SSLv3 issue; we just went from TLS 1.0, 1.1, 1.2 to only 1.1, 1.2.

Would love to find a resource from someone who has gone through this previously so we don't have to test every possible permutation of email software and host operating system to figure out what will and won't work, or what changes are needed to make it work; if such a resource exists.
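Before blaming a client, it helps to confirm from the outside what each mail service on the server actually negotiates after the `server_pref` change. The script below is an added example, not from the original post or from Plesk: it drives `openssl s_client` against the STARTTLS and implicit-TLS mail ports with one protocol version forced at a time, and the host name is a placeholder you supply.

```shell
#!/bin/sh
# Added example (not Plesk's tooling): check which TLS versions each mail
# service accepts after TLS 1.0 has been disabled server-side.
# Assumes openssl(1) is on PATH; the host argument is a placeholder.
# Caveat: a modern client-side openssl may itself refuse -tls1/-tls1_1
# (build options or security level); then "no" says nothing about the server.

# classify_handshake OUTPUT -> prints "yes" if a cipher was negotiated, else "no"
classify_handshake() {
  case "$1" in
    *"Cipher is (NONE)"*|*"alert protocol version"*|*"handshake failure"*|*"wrong version number"*)
      echo no ;;
    *"Cipher is "*) echo yes ;;
    *) echo no ;;
  esac
}

# tls_accepted HOST PORT STARTTLS VERSION_FLAG
# STARTTLS is smtp/imap/pop3 for explicit-TLS ports, empty for implicit-TLS ports.
tls_accepted() {
  if [ -n "$3" ]; then
    out=$(openssl s_client -connect "$1:$2" -starttls "$3" "$4" </dev/null 2>&1)
  else
    out=$(openssl s_client -connect "$1:$2" "$4" </dev/null 2>&1)
  fi
  classify_handshake "$out"
}

# audit_mail_tls HOST -> one line per service and protocol version.
# After the change described in the thread, TLS1.0 should read "no" and
# TLS1.1 / TLS1.2 should read "yes" on every port listed here.
audit_mail_tls() {
  host=$1
  for svc in "smtp 587 smtp" "imap 143 imap" "pop3 110 pop3" \
             "smtps 465" "imaps 993" "pop3s 995"; do
    set -- $svc
    name=$1; port=$2; starttls=${3:-}
    for v in "TLS1.0 -tls1" "TLS1.1 -tls1_1" "TLS1.2 -tls1_2"; do
      set -- $v
      printf '%-6s %-4s %s %s\n' "$name" "$port" "$1" \
        "$(tls_accepted "$host" "$port" "$starttls" "$2")"
    done
  done
}

# Usage: sh tls-mail-audit.sh mail.example.invalid   (placeholder host)
if [ -n "${1:-}" ]; then audit_mail_tls "$1"; fi
```

A "yes" for TLS1.0 on any row means the daemon behind that port (Postfix, Dovecot or Courier) did not pick up the new setting and needs its own configuration checked.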
 
Hello,
This is a very interesting question. I would love to find such a resource too =). I would be glad if you would continue to share your experience.

Windows Live Mail, as well as Outlook, uses Schannel as SSL/TLS backend, so the reconfiguration from the link above should help (I have tested this on Windows 7).
 
No problem; we've started to go down that path. We're going to deploy a new server that does not have TLS 1.0 enabled and as we add customers to it we'll be able to much better control what occurs without a flood of support requests. I'll update the thread once I have more data.
 