Score:0

Outlook defaults to SSLv3 after Windows update


I have disabled the SSLv3 protocols in my Postfix configuration, and Outlook still tries to connect and I am getting the error: SSL_accept:failed in SSLv3 read client key exchange A

My main.cf

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols  = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols           = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols            = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtp_tls_security_level = may

Thunderbird works without a problem.

Any ideas?

joyceshen
Hi, have you tried to remove the update and then check if Outlook can work properly? According to my research, there seems to be a similar question: https://forums.freebsd.org/threads/postfix-tls-and-broken-ms-outlook-after-windows-october-2022-update.86777/#post-584554
Score:0

You don't mention what you have done at the client. Depending on which version of Windows and which version of Outlook you are using there can be extra configuration required on the client to enable and use modern TLS.

For Windows 7 check Windows Update (or equivalent) for the TLS update: "Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP".

Be sure to read the article fully, as it is not sufficient to merely install the updates. You must also create new registry keys to actually enable the new protocols.

Enable TLS 1.1 and 1.2 on Windows 7 at the SChannel component level

Per the TLS-SSL Settings article, for TLS 1.1 and 1.2 to be enabled and negotiated on Windows 7, you MUST create the "DisabledByDefault" entry in the appropriate subkey (Client) and set it to "0". These subkeys will not be created in the registry since these protocols are disabled by default.
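The two Windows 7 client-side registry changes described in the answer above, as an added PowerShell example (not part of the original answer or the linked articles). The registry paths and the `DefaultSecureProtocols` value `0xA00` are the standard SChannel and WinHTTP locations from Microsoft's documentation rather than values quoted on this page, and the `-Apply` switch is this example's own parameter. Without `-Apply` the script only reports the current state.

```powershell
# Added example: audit, and with -Apply set, the client-side TLS 1.1/1.2 registry values.
# Run from an elevated prompt. -Apply is a parameter of this example, not a Windows option.
param([switch]$Apply)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$winhttp  = 'Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'

$settings = @()
foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
    # SChannel: the Client subkey is absent by default and has to be created.
    $settings += @{ Path = "$schannel\$proto\Client"; Name = 'DisabledByDefault'; Value = 0 }
}
# WinHTTP: 0x200 (TLS 1.1) + 0x800 (TLS 1.2) = 0xA00
$settings += @{ Path = "HKLM:\SOFTWARE\$winhttp"; Name = 'DefaultSecureProtocols'; Value = 0xA00 }
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    # 64-bit Windows: 32-bit applications read the Wow6432Node copy.
    $settings += @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$winhttp"; Name = 'DefaultSecureProtocols'; Value = 0xA00 }
}

foreach ($s in $settings) {
    $name = $s.Name
    $item = Get-ItemProperty -Path $s.Path -Name $name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$name } else { $null }

    if ($current -eq $s.Value) {
        Write-Output "OK      $($s.Path)\$name = $current"
        continue
    }
    if (-not $Apply) {
        Write-Output "MISSING $($s.Path)\$name (current: '$current', wanted: $($s.Value))"
        continue
    }
    # Create the key only when it is absent, so existing values under it are preserved.
    if (-not (Test-Path $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null
    }
    New-ItemProperty -Path $s.Path -Name $name -Value $s.Value -PropertyType DWord -Force | Out-Null
    Write-Output "SET     $($s.Path)\$name = $($s.Value)"
}
```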

rokkotnik
I am using Windows 10 Pro 21H2, which was updated 2 days ago (that is when Outlook stopped working). For Office I am using Outlook Professional Plus 2019.
rokkotnik
And using Nmap, if I check the mail server ciphers: nmap --script ssl-enum-ciphers -p 587 mail.yyyycom | grep TLSv or grep SSL, I can only see TLSv1.2. So I don't know why Outlook would try to connect on SSLv3.