can't use Mail.app (OS X 10.11.6) with Mailu 1.5.1 #363

Closed
ofthesun9 opened this Issue Dec 14, 2017 · 7 comments

ofthesun9 commented Dec 14, 2017

After migration to 1.5.1, Mail.app failed to connect to my Mailu server (webmail and my Android smartphone are working fine).

In the logs, I see:
front_1 | 2017/12/14 19:22:01 [info] 11#11: *182 client 192.168.0.254:62224 connected to 0.0.0.0:143
front_1 | 2017/12/14 19:22:02 [info] 11#11: *182 SSL_do_handshake() failed (SSL: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number) while in starttls state, client: 192.168.0.254 using starttls, server: 0.0.0.0:143
front_1 | 2017/12/14 19:22:02 [info] 11#11: *183 client 192.168.0.254:62225 connected to 0.0.0.0:993
front_1 | 2017/12/14 19:22:02 [info] 11#11: *183 SSL_do_handshake() failed (SSL: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number) while SSL handshaking, client: 192.168.0.254, server: 0.0.0.0:993

ENV.txt
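
Added example, not part of the original issue or the Mailu project: a small Python parser for the nginx `SSL_do_handshake() failed` lines quoted above, grouping failures by client, port and mode so an operator can see which clients fail negotiation before changing protocol settings. The function names and the regular expression are this example's own assumptions, based only on the log layout shown above.

```python
import re
from collections import defaultdict

# The four log lines from the report above, embedded so this runs offline.
SAMPLE_LOG = """\
front_1 | 2017/12/14 19:22:01 [info] 11#11: *182 client 192.168.0.254:62224 connected to 0.0.0.0:143
front_1 | 2017/12/14 19:22:02 [info] 11#11: *182 SSL_do_handshake() failed (SSL: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number) while in starttls state, client: 192.168.0.254 using starttls, server: 0.0.0.0:143
front_1 | 2017/12/14 19:22:02 [info] 11#11: *183 client 192.168.0.254:62225 connected to 0.0.0.0:993
front_1 | 2017/12/14 19:22:02 [info] 11#11: *183 SSL_do_handshake() failed (SSL: error:1402710B:SSL routines:ACCEPT_SR_CLNT_HELLO_C:wrong version number) while SSL handshaking, client: 192.168.0.254, server: 0.0.0.0:993
"""

# Assumed layout: taken from the lines above, not from nginx documentation.
HANDSHAKE_RE = re.compile(
    r"\*(?P<conn>\d+) SSL_do_handshake\(\) failed "
    r"\(SSL: error:(?P<code>[0-9A-F]+):[^:]*:[^:]*:(?P<reason>[^)]+)\) "
    r"while (?P<state>.+?), client: (?P<client>[0-9A-Fa-f.:]+)"
    r"(?: using starttls)?, server: \S+?:(?P<port>\d+)$"
)


def tls_failures(log_text):
    """Map (client, server_port, mode) -> {openssl_reason: count}."""
    out = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line.strip())
        if m is None:
            continue  # connection notices and unrelated lines
        mode = "starttls" if "starttls" in m["state"] else "implicit"
        out[(m["client"], int(m["port"]), mode)][m["reason"]] += 1
    return {key: dict(reasons) for key, reasons in out.items()}


def version_mismatch_clients(log_text):
    """Client addresses with at least one 'wrong version number' failure."""
    return sorted({client for (client, _, _), reasons
                   in tls_failures(log_text).items()
                   if "wrong version number" in reasons})


if __name__ == "__main__":
    for key, reasons in sorted(tls_failures(SAMPLE_LOG).items()):
        print(key, reasons)
    print("version mismatch:", version_mismatch_clients(SAMPLE_LOG))
```
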

ofthesun9 commented Dec 16, 2017

I have Mail.app working with a modified tls.conf.
First, I need to add TLSv1.

Second, I need to modify the ciphers list,
either by adding EECDH:kEDH (I tried the ciphers used by Dovecot in Mailu 1.4)
or by using the ciphers list found here:
https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
I took the Intermediate compatibility (default).

tls.txt

kaiyou commented Dec 17, 2017

It is really weird that you need to downgrade TLS on a standard mail client. Are you using a very old version of Mail.app?

kaiyou added the bug label Dec 17, 2017

ofthesun9 commented Dec 17, 2017

I run the Mail.app delivered with OS X El Capitan (initially released in 2015, last major update was in 2016). Not fancy up-to-date, but not that old either ;-)

My hardware doesn't support the subsequent release(s) of Mac OS X. So I am stuck with El Capitan...

kaiyou commented Dec 17, 2017

Well, according to your OS version, it seems that TLS 1.2 should be fully supported. Do you have any client logs to provide when you encounter the error?

ofthesun9 commented Dec 17, 2017

In system.log:
Dec 17 22:22:54 calumet Mail[11305]: [IMAP] Got Error Domain=MCMailErrorDomain Code=1030 "La commande IMAP « AUTHENTICATE » a échoué contient une erreur de serveur : invalid command." UserInfo={NSLocalizedDescription=La commande IMAP « AUTHENTICATE » a échoué contient une erreur de serveur : invalid command.} for command IMAPAuthenticateCommand "AUTHENTICATE" <0x7fb1aba0ec00> (4.14 AUTHENTICATE XOAUTH2)
Dec 17 22:22:55 calumet Mail[11305]: CFNetwork SSLHandshake failed (-9836)

When I googled for a solution, I found several threads pointing out that Mail.app needed TLSv1; that is how I figured it out.

kaiyou commented Dec 18, 2017

Well, that is the abnormal part. A fairly decent client on a fairly recent OS must support TLS 1.1 or above. The problem is: given TLS vulnerabilities and the status of downgrade attacks, we can't possibly support TLS 1.0 anymore.

kaiyou commented Apr 21, 2018

Closing this, feel free to reopen with more info.
