0

I have a mail server that has been running for quite some time. Most of my clients use non-Apple devices or are okay with web-clients. I am only now running into this roadblock, because a new client prefers using the Apple app to read email. They have an older iPad, which maxes out at iOS 9.3.5. Just found out this is rather old.

Will my set up run on a more modern iOS?

  • When that older iOS device attempts IMAP connection, I am getting the following errors. 
    Jan  8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Jan  8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Jan  8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Jan  8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Jan  8 17:59:40 host dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version
Jan  8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
Jan  8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol
Jan  8 17:59:40 host dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, rip=x.x.x.x, lip=y.y.y.y, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session=<7Ag79nIO3MBMFhjy>
Jan  8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument
  • With Roundcube and Outlook, here are the log results (similar for both) where client IMAP access works: 
    Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Jan  8 18:19:14 host dovecot: message repeated 2 times: [ imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data]
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
Jan  8 18:19:14 host dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, mpid=421260, TLS, session=<9gkwPHMOyLNChwcP>
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify
Jan  8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify
Jan  8 18:19:14 host dovecot: imap([email protected])<421260><9gkwPHMOyLNChwcP>: Disconnected: Logged out in=316 out=1699 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=250 body_count=0 body_bytes=0</pre>

Here is my setup

  • Ubuntu 22.04.3 LTS
  • Kernel 5.15.0-91-generic
  • Dovecot 2.3.16 (7e2e900c1a)
  • OpenSSL 3.0.2
  • Certbot 2.8.0

Config Files

  • SSL-configuration 
    $ cat /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
verbose_ssl = yes
ssl_cert = &lt;/etc/letsencrypt/live/host.domain.net/fullchain.pem
ssl_key = &lt;/etc/letsencrypt/live/host.domain.net/privkey.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = &lt;/etc/ssl/private/dhparam.pem
# I've also tried: ssl_min_protocol = TLSv1.3
ssl_min_protocol = TLSv1.2
# I've also tried: SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH</pre>
  • Dovecot: 
    $ cat /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service imap {
}
service pop3 {
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service auth-worker {
  user = vmail
}
service dict {
  unix_listener dict {
  }
}

SSL Labs Test Results

Overall A Rating. A few highlights from the Configuration section.

Protocols
TLS1.3 Yes
TLS1.2 Yes
TLS1.1 No
TLS1.0 No
SSL 3 No
SSL 2 No
Cipher Suites - TLS 1.3 (server has no preference)
TLS_AES_128_GCM_SHA256 (0x1301) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_AES_256_GCM_SHA384 (0x1302) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH x25519 (eq. 3072 bits RSA) FS 256
Cipher Suites - TLS 1.2 (server has no preference)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) ECDH secp521r1 (eq. 15360 bits RSA) FS 128 128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH secp521r1 (eq. 15360 bits RSA) FS 256 256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) ECDH secp521r1 (eq. 15360 bits RSA) FS 256 256
Improve this question
3
  • Which version of iPadOS? Please edit your question and add the information there. Commented Jan 8, 2024 at 20:45
  • I just updated the post. Looks like they have an old device. I'm gonna try and find a newer iOS device for testing. Commented Jan 8, 2024 at 22:52
  • Yeah, iOS 9.x was originally released in 2015, received its last update in 2019 and is now very definitely out of support. Wikipedia has a version history overview. I have one with iOS 12 which is also out of support and slowly becoming less useful as more and more apps get updated and are no longer compatible with iOS 12. No fundamental issues like TLS support yet, though it's probably just a matter of time... Commented Jan 9, 2024 at 6:06

0

Reset to default

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.