[Notice] SSL for services with Courier - Windows 10 issue

  • Hi everyone,

    A little "issue" has been found and is going into further investigation.

    If you have SSL enabled for services with Courier (Dovecot isn't impacted) and are running the new Windows 10, at least on 3 test PCs (2 updated (Win7=>Win10 ; Win8.1=>Win10) and a fresh Win10 install), all are unable to connect to POP3/IMAP.

    From the Windows events manager, we get an error with SChannel, which suggests a handshake failure.

    One possibility could be the cipher list ( @Nuxwin )

    YouTrack ticket created, Ref: https://youtrack.i-mscp.net/issue/IP-1401

    More information to come as we get it.

  • @f4Nm1Z9k2P

    I think it's a restricted cipher suites problem. I'm currently downloading windaub 10 to investigate. Maybe you could help me figure it out if you already have Windows 10? If needed, I'll capture the SSL handshake with ethereal.


  • @Athar

    Could you try this:

    # mv /etc/courier/dhparams.pem /etc/courier/dhparams.pem.backup
    # openssl dhparam -out /etc/courier/dhparams.pem 2048

    Then, once done:

    • Make the permissions of the dhparams.pem file the same as the old one's
    • Restart imap-ssl/pop3-ssl services

    Then, once done:

    • Retry the connection through Outlook on your Windows 10 machine



  • Windaub 10 - Installation in progress...



  • I'll die before the installation ends... Funking DSL...



  • @Athar

    I cannot confirm the problem..



    • Ubuntu Precise Pangolin (12.04 LTS)
    • i-MSCP 1.2.x
    • MTA: Postfix (SSL enabled - self-signed certificate as generated by i-MSCP) - Default configuration
    • PO: Courier (SSL enabled - self-signed certificate as generated by i-MSCP) - Default configuration


    • Windows 10 pro
    • Outlook 2013 (Office 365)

    Below are the logs from the server

    Here I send a mail from outlook to nuxwin@domain.tld which is a mail account that I've created through i-MSCP

    root@precise:/usr/local/src/imscp# tail -fn0 /var/log/mail.log
    Aug 4 05:11:57 precise postfix/smtpd[4177]: connect from unknown[]
    Aug 4 05:11:57 precise postfix/smtpd[4177]: Anonymous TLS connection established from unknown[]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    Aug 4 05:11:57 precise postfix/smtpd[4177]: 3CC678EFB: client=unknown[], sasl_method=DIGEST-MD5, sasl_username=nuxwin@domain.tld
    Aug 4 05:11:57 precise postfix/cleanup[4180]: 3CC678EFB: message-id=<000001d0ce62$eb6fbd70$c24f3850$@domain.tld>
    Aug 4 05:11:57 precise postfix/qmgr[3935]: 3CC678EFB: from=<nuxwin@domain.tld>, size=2970, nrcpt=1 (queue active)
    Aug 4 05:11:57 precise postfix/pipe[4181]: 3CC678EFB: to=<nuxwin@domain.tld>, relay=maildrop, delay=0.06, delays=0.06/0/0/0, dsn=2.0.0, status=sent (delivered via maildrop service)
    Aug 4 05:11:57 precise postfix/qmgr[3935]: 3CC678EFB: removed
    Aug 4 05:11:59 precise postfix/smtpd[4177]: disconnect from unknown[]

    Here, I refresh my mailbox to get the new message

    Aug 4 05:12:45 precise pop3d-ssl: Connection, ip=[::ffff:]
    Aug 4 05:12:55 precise pop3d-ssl: LOGIN, user=nuxwin@domain.tld, ip=[::ffff:], port=[56178]
    Aug 4 05:12:55 precise pop3d-ssl: LOGOUT, user=nuxwin@domain.tld, ip=[::ffff:], port=[56178], top=0, retr=2943, rcvd=32, sent=3336, time=0, stls=1

    All is working as expected.

    I'll provide more info in a few minutes with screenshots....


  • @Athar

    Here, I post all relevant screenshots


    As you can see, the tests (last screenshot) are ok.

    I'll now try with Debian Jessie. I'll also try with outlook 2010.

    Note: Here, I've used the IP instead of smtp.domain.tld and pop3.domain.tld because my DNS was not available but I'll fix that and retry.


  • Ok... odd.

    If this server can be reached from the internet, I'll be curious to test this account on my PC too :)

    Edit: Regenerating the DHParam (as explained in post #4) makes it work again for Windows 10 :D (and it's still working with Windows 7 xD)

    Thanks God @Nuxwin :D

    Edited once, last by Athar.

  • @Athar

    You're welcome ;)

    Well, please update the related ticket too. I'll integrate the fix in the next release.

    BTW: My Ubuntu test server is not reachable through internet atm. Sorry.