• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Any tips related to email software and servers with TLS1.0 disabled?

HostaHost

Regular Pleskian
I'm curious if anyone has encountered a website with a list of common email programs and underlying operating systems, and either a definitive NO on getting each combo to talk TLS 1.1/1.2, or the relevant settings to accomplish this?

The issue is that we've tried disabling TLS 1.0 to satisfy PCI scanning vendors, via:
  • /usr/local/psa/admin/bin/pci_compliance_resolver --enable all
  • /usr/local/psa/bin/server_pref -u -ssl-protocols "TLSv1.2 TLSv1.1"
but our support reps are experiencing a much higher than expected call volume from customers who cannot receive, and possibly send, email. FYI, I do know that the PCI council relented on the June 2016 elimination of TLS 1.0 and have added two years to its sunset date, but we'd like it gone asap anyway, and, as a side note, most PCI scanning companies have either chosen to stick with the original date, require a plan of removal we'd like our customers to avoid dealing with, or are simply wrong and won't accept an appeal.

Back to the issue; examples:
  • Thunderbird seems to be completely happy talking TLS 1.2, likely because Mozilla is doing their own internal SSL routines, not relying on underlying OS.
  • Outlook 2010 seems to randomly work or fail. I found an article suggesting a registry change may be needed to get Outlook to not behave stupidly: http://www.rainingforks.com/blog/2015/how-to-allow-outlook-to-connect-with-tlsv1-1tlsv1-2.html
  • Windows Live mail seems to have issues but we're not sure if it's all versions and/or platforms.
  • We have some reports of iPhone issues but have not fully investigated.
The server we tried this on already had SSLv3 disabled, so this is not an SSLv3 issue, we just went from TLS 1.0,1.1,1.2 to only 1.1,1.2.

Would love to find a resource from someone who has gone through this previously so we don't have to test every possible permutation of email software and host operating system to figure out what will and won't work, or what changes are needed to make it work; if such a resource exists.
 
Hello,
This is very interesting question. I would love to find such resource too =). I would be glad if you would continue to share you experience.

Windows Live Mail, as well as Outlook, uses Schannel as SSL/TLS backend, so the reconfiguration from the link above should help (I have tested this on Windows 7).
 
No problem; we've started to go down that path. We're going to deploy a new server that does not have TLS 1.0 enabled and as we add customers to it we'll be able to much better control what occurs without a flood of support requests. I'll update the thread once I have more data.
 
Back
Top