0

I have a mail server that has been running for quite some time. Most of my clients use non-Apple devices or are okay with web-clients. I am only now running into this roadblock, because a new client prefers using the Apple app to read email. They have an older iPad, which maxes out at iOS 9.3.5. Just found out this is rather old.

Will my set up run on a more modern iOS?

  • When that older iOS device attempts IMAP connection, I am getting the following errors. 
    Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol Jan 8 17:59:40 host dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, rip=x.x.x.x, lip=y.y.y.y, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session=<7Ag79nIO3MBMFhjy> Jan 8 17:59:40 host dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument
  • With Roundcube and Outlook, here are the log results (similar for both) where client IMAP access works: 
    Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: message repeated 2 times: [ imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data] Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, mpid=421260, TLS, session=<9gkwPHMOyLNChwcP> Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap-login: Debug: SSL alert: close notify Jan 8 18:19:14 host dovecot: imap([email protected])<421260><9gkwPHMOyLNChwcP>: Disconnected: Logged out in=316 out=1699 deleted=0 expunged=0 trashed=0 hdr_count=1 hdr_bytes=250 body_count=0 body_bytes=0</pre>

Here is my setup

  • Ubuntu 22.04.3 LTS
  • Kernel 5.15.0-91-generic
  • Dovecot 2.3.16 (7e2e900c1a)
  • OpenSSL 3.0.2
  • Certbot 2.8.0

Config Files

  • SSL-configuration 
    $ cat /etc/dovecot/conf.d/10-ssl.conf ssl = yes verbose_ssl = yes ssl_cert = &lt;/etc/letsencrypt/live/host.domain.net/fullchain.pem ssl_key = &lt;/etc/letsencrypt/live/host.domain.net/privkey.pem ssl_client_ca_dir = /etc/ssl/certs ssl_dh = &lt;/etc/ssl/private/dhparam.pem # I've also tried: ssl_min_protocol = TLSv1.3 ssl_min_protocol = TLSv1.2 # I've also tried: SSL ciphers to use, the default is: #ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH # To disable non-EC DH, use: ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH</pre>
  • Dovecot: 
    $ cat /etc/dovecot/conf.d/10-master.conf service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } } service pop3-login { inet_listener pop3 { port = 0 } inet_listener pop3s { port = 995 ssl = yes } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { mode = 0600 user = postfix group = postfix } } service imap { } service pop3 { } service auth { unix_listener /var/spool/postfix/private/auth { mode = 0666 user = postfix group = postfix } unix_listener auth-userdb { mode = 0600 user = vmail } user = dovecot } service auth-worker { user = vmail } service dict { unix_listener dict { } }

SSL Labs Test Results

Overall A Rating. A few highlights from the Configuration section.

Protocols
TLS1.3 Yes
TLS1.2 Yes
TLS1.1 No
TLS1.0 No
SSL 3 No
SSL 2 No
Cipher Suites - TLS 1.3 (server has no preference)
TLS_AES_128_GCM_SHA256 (0x1301) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_AES_256_GCM_SHA384 (0x1302) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH x25519 (eq. 3072 bits RSA) FS 256
Cipher Suites - TLS 1.2 (server has no preference)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) ECDH secp521r1 (eq. 15360 bits RSA) FS 128 128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) ECDH secp521r1 (eq. 15360 bits RSA) FS 256 256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) ECDH secp521r1 (eq. 15360 bits RSA) FS 256 256
Improve this question
3
  • Which version of iPadOS? Please edit your question and add the information there. Commented Jan 8, 2024 at 20:45
  • I just updated the post. Looks like they have an old device. I'm gonna try and find a newer iOS device for testing. Commented Jan 8, 2024 at 22:52
  • Yeah, iOS 9.x was originally released in 2015, received its last update in 2019 and is now very definitely out of support. Wikipedia has a version history overview. I have one with iOS 12 which is also out of support and slowly becoming less useful as more and more apps get updated and are no longer compatible with iOS 12. No fundamental issues like TLS support yet, though it's probably just a matter of time... Commented Jan 9, 2024 at 6:06

0

Reset to default

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.