On 5 September 2017 at 20:29, Michael Grant <mgr...@grant.org> wrote:
> On 5 September 2017 at 19:15, Gene Heskett <ghesk...@shentel.net> wrote:
>> On Tuesday 05 September 2017 13:40:00 Michael Grant wrote:
>>
>>> I upgraded openssl today in my server running testing. It installed
>>> version 1.1.0f-5. To my surprise, my mac clients can no longer send
>>> and receive email!
>>>
>> As that is a security related upgrade, I would next push the Mac people
>> to match it, or if possible, configure the Macs to use the more secure
>> protocol.
>
> Any clues how to configure the Mac to use the more secure protocol?
> All the software is up-to-date on the Mac side. I don't see any
> obvious option in any of the mail settings on the Mac side.
>
> This is the error I see in the mail logs for both dovecot and sendmail:
>
> dovecot:
> TLS handshaking: SSL_accept() failed: error:1417D102:SSL
> routines:tls_process_client_hello:unsupported protocol, session=<...>
>
> sendmail:
> STARTTLS=server: 0:error:1417D102:SSL
> routines:tls_process_client_hello:unsupported
> protocol:../ssl/statem/statem_srvr.c:974:
>
> I realize this isn't a MacOS forum but the error message here is on
> the Debian side. Other mail clients like Windows Mail connect fine.
>
> Is there something I can set on Debian side to force this newer
> openssl to accept older 1.x connections?

I could not find any option I could set in the dovecot.conf or the
sendmail.mc file to make libssl accept tls 1.1.

I managed to revert back libssl to get back to a working situation
until the clients get updated.

I downloaded libssl1.1_1.1.0f-3_amd64.deb and did:

    dpkg -i libssl1.1_1.1.0f-3_amd64.deb

restarted sendmail and dovecot and everyone can now connect.
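
Added example, not part of the original thread: a small log summarizer that counts the `unsupported protocol` handshake failures quoted above per daemon and lists the client addresses involved, so the clients that still need updating can be identified. The sample log lines are constructed, and the syslog prefix, the `sm-mta` tag and dovecot's `rip=` field are assumptions about the log layout.

```python
import re
from collections import Counter, defaultdict

# OpenSSL error string quoted in the thread for both dovecot and sendmail.
UNSUPPORTED = "error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol"
# Syslog tag such as "dovecot:" or "sm-mta[2217]:" (assumed standard syslog layout).
TAG_RE = re.compile(r"\s([A-Za-z][\w.-]*)(?:\[\d+\])?:\s")
# Remote client address as logged by dovecot login processes (assumed rip=<addr>).
RIP_RE = re.compile(r"\brip=([0-9A-Fa-f:.]+)")

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE = """\
Sep  5 20:31:02 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol, session=<constructed1>
Sep  5 20:31:40 mail sm-mta[2217]: STARTTLS=server: 0:error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:974:
Sep  5 20:32:11 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, TLS, session=<constructed2>
Sep  5 20:33:05 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol, session=<constructed3>
""".splitlines()


def summarize(lines):
    """Return (failure count per daemon, client addresses per daemon)."""
    per_daemon = Counter()
    clients = defaultdict(set)
    for line in lines:
        if UNSUPPORTED not in line:
            continue  # successful logins and unrelated errors are ignored
        tag = TAG_RE.search(line)
        daemon = tag.group(1) if tag else "unknown"
        per_daemon[daemon] += 1
        rip = RIP_RE.search(line)
        if rip:  # the sendmail STARTTLS line carries no client address
            clients[daemon].add(rip.group(1))
    return per_daemon, dict(clients)


if __name__ == "__main__":
    counts, addrs = summarize(SAMPLE)
    for daemon, n in counts.most_common():
        print(daemon, n, sorted(addrs.get(daemon, [])))
```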