- osTicket v1.12.2
- Apache 2.4.25
- MySQL v10.1.38
- PHP 7.3.7-2+0~20190725.42+debian9~1.gbp848ca5
- Exchange 2007 SP3
POP3 and IMAP4 mail fetch does not communicate with Exchange, as 2007 does not support TLS 1.1 or 1.2. Mail fetch works fine with a Gmail account. Is there a way to force osTicket to use TLS 1.0?

Please advise

    First off I would like to state the obvious that Exchange 2007 reached end of life back in April 2017.

    BS1 POP3 and IMAP4 mail fetch does not communicate with Exchange

    POP3 and IMAP4 both work on Exchange 2007, but they need to be enabled; by default they are installed but disabled. (We used to use osTicket with Exchange 2007 via IMAP for a long time.) I am pretty sure that you are correct that Exchange 2007 does not support TLS 1.1 or 1.2 though. I no longer have an Exchange 2007 server to test with, but we used up through 1.10 with it.

    The connection should negotiate down to TLS 1.0 automagically (yay handshakes). osTicket uses PEAR Mail and Net_SMTP to connect and send mail.

    So to start I would say make sure that those protocols (POP3 and IMAP4) are enabled on your server.


      ntozier Thank you for the reply. Yes, they are both enabled. I am able to use a Thunderbird client to access successfully. (see attached) I have tried all 3 POP and IMAP options for authentication on the Exchange server, and on the osTicket side, all 4 (POP, POP+SSL, etc.) options, and they do not seem to work in any combination. This is a fresh clean install of osTicket, but so far I get the same results with PHP 5.6, 7.1, 7.2 and 7.3. When saving, the message is "Invalid login. Check POP settings" and "Fetching Email via IMAP or POP

      TLS/SSL failure for 10.10.1.22: SSL negotiation failed". Same results using the URL instead of the IP address. Both systems are on the same network switch and SMTP works fine.

      I presume that you also enabled the protocols for the user since you said that Thunderbird connects. Can you look at the access logs for Exchange and see what it says for why the connection is failing?

      As a side note try IMAP port 993, or POP port 995.


        ntozier Yes, they are enabled for the user. The only error in the server log is an MSExchangeTransport entry referencing STARTTLS being unable to support the FQDN for the local hostname of the server (mailserver.domain.local), which started appearing when Microsoft removed support for .local and self-signed certificates a few years ago.
        When I run Get-ExchangeCertificate, the thumbprint appears correct and the Services on the public-facing domain name are listed as IP.WS. Below is an openssl check against the server, and I am not sure what this is telling me. Perhaps this could be a certificate issue?

        Checking Secure IMAP (explicit) on port 143:

        openssl s_client -connect 10.10.1.22:143 -starttls imap
        CONNECTED(00000080)
        write:errno=0
        no peer certificate available
        No client certificate CA names sent
        SSL handshake has read 191 bytes and written 319 bytes
        Verification: OK
        New, (NONE), Cipher is (NONE)
        Secure Renegotiation IS NOT supported
        Compression: NONE
        Expansion: NONE
        No ALPN negotiated
        Early data was not sent
        Verify return code: 0 (ok)

        Checking Secure IMAP (implicit) on port 993:

        openssl s_client -connect 10.10.1.22:993
        CONNECTED(00000080)
        write:errno=0
        no peer certificate available
        No client certificate CA names sent
        SSL handshake has read 0 bytes and written 293 bytes
        Verification: OK
        New, (NONE), Cipher is (NONE)
        Secure Renegotiation IS NOT supported
        Compression: NONE
        Expansion: NONE
        No ALPN negotiated
        Early data was not sent
        Verify return code: 0 (ok)

        Checking Secure POP (explicit) on port 110:

        openssl s_client -connect 10.10.1.22:110 -starttls pop3
        CONNECTED(00000080)
        write:errno=0
        no peer certificate available
        No client certificate CA names sent
        SSL handshake has read 79 bytes and written 299 bytes
        Verification: OK
        New, (NONE), Cipher is (NONE)
        Secure Renegotiation IS NOT supported
        Compression: NONE
        Expansion: NONE
        No ALPN negotiated
        Early data was not sent
        Verify return code: 0 (ok)

        Checking Secure POP (implicit) on port 995:

        openssl s_client -connect 10.10.1.22:995
        CONNECTED(00000080)
        write:errno=0
        no peer certificate available
        No client certificate CA names sent
        SSL handshake has read 0 bytes and written 293 bytes
        Verification: OK
        New, (NONE), Cipher is (NONE)
        Secure Renegotiation IS NOT supported
        Compression: NONE
        Expansion: NONE
        No ALPN negotiated
        Early data was not sent
        Verify return code: 0 (ok)

        Hrm.

        Just a weird thought, but try prefixing your server name with
        tls://
        and let me know what happens.
        I think that it might be cert related.
        I'll ask a dev to look at this thread.


          ntozier OK, I tried with POP, POP+SSL, IMAP, IMAP+SSL, both with the IP address and the URL, and the reply is
          Fetching Email via IMAP or POP

          Can't open mailbox {tls://10.10.1.22:143/imap/novalidate-cert}INBOX: invalid remote specification.

          Fetching Email via IMAP or POP

          Can't open mailbox {tls://10.10.1.22:995/pop3/ssl/novalidate-cert}INBOX: invalid remote specification

          @BS1

          Run:

          $ openssl s_client -connect 10.10.1.22:143 -starttls imap -tls1

          Post a picture of your mail settings so we can see what you are trying to enter as the protocol, etc.

          Cheers.

          C:\Program Files\OpenSSL-Win64\bin>openssl s_client -connect 10.10.1.22:143 -starttls imap -tls1
          CONNECTED(00000080)
          write:errno=0
          no peer certificate available
          No client certificate CA names sent
          SSL handshake has read 191 bytes and written 130 bytes
          Verification: OK
          New, (NONE), Cipher is (NONE)
          Secure Renegotiation IS NOT supported
          Compression: NONE
          Expansion: NONE
          No ALPN negotiated
          SSL-Session:
              Protocol : TLSv1
              Cipher : 0000
              Session-ID:
              Session-ID-ctx:
              Master-Key:
              PSK identity: None
              PSK identity hint: None
              SRP username: None
              Start Time: 1564674905
              Timeout : 7200 (sec)
              Verify return code: 0 (ok)
              Extended master secret: no
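As an added example (not code from this thread, from osTicket or from OpenSSL), a small Python helper that pulls the handshake fields out of `openssl s_client` output like the transcripts above and states what the "read 0 bytes" versus "read 191 bytes / Cipher is (NONE)" patterns mean. The sample outputs are constructed from the transcripts in this thread and the parser assumes OpenSSL's English output format.

```python
import re

# Constructed sample: the port 143 STARTTLS probe with -tls1, as posted above.
SAMPLE_143_TLS1 = """CONNECTED(00000080)
write:errno=0
no peer certificate available
SSL handshake has read 191 bytes and written 130 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol : TLSv1
    Cipher : 0000
Verify return code: 0 (ok)
"""

# Constructed sample: the implicit-TLS probe on port 993, as posted above.
SAMPLE_993 = """CONNECTED(00000080)
write:errno=0
no peer certificate available
SSL handshake has read 0 bytes and written 293 bytes
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""

def interpret_s_client(output: str) -> dict:
    """Extract handshake byte counts, cipher, protocol and peer-cert presence
    from s_client output and turn them into a one-line diagnosis."""
    m = re.search(r"SSL handshake has read (\d+) bytes and written (\d+) bytes", output)
    read_bytes = int(m.group(1)) if m else None
    written = int(m.group(2)) if m else None
    c = re.search(r"^New, .*?, Cipher is (.+)$", output, re.M)
    cipher = c.group(1).strip() if c else None
    p = re.search(r"Protocol\s*:\s*(\S+)", output)
    protocol = p.group(1) if p else None
    peer_cert = "no peer certificate available" not in output
    closed_early = "write:errno=0" in output  # peer closed during the handshake
    negotiated = cipher is not None and cipher != "(NONE)"
    if negotiated:
        diag = f"TLS negotiated: {protocol}, {cipher}, certificate " + ("received" if peer_cert else "missing")
    elif read_bytes == 0:
        diag = "server closed without sending a byte: nothing speaks TLS on this port"
    elif read_bytes:
        diag = "plaintext banner/STARTTLS answered, then the server closed before agreeing a cipher"
        if closed_early:
            diag += " (write:errno=0): TLS version or cipher mismatch"
    else:
        diag = "no handshake summary found in output"
    return {"read": read_bytes, "written": written, "cipher": cipher, "protocol": protocol,
            "peer_cert": peer_cert, "negotiated": negotiated, "diagnosis": diag}
```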

          @BS1

          Port 143 is the unencrypted port for IMAP. If you would like to use 143 you must use the protocol of just IMAP (NOT IMAP + SSL).

          Cheers.

          You would remove the tls:// from the URL, I think, if you're not using SSL.

          It does not seem to matter. Any combination that I use fails, and there does not seem to be anything generating errors as to "why?"

          @BS1

          Any combination that I use fails, and there does not seem to be anything generating errors as to "why?"

          Because the errors are listed in your mail server's connection/error logs.

          Cheers.

          OK, now I have to ask a dumb question. It is not producing errors in the server AppLog. Is the connection/error log somewhere else?

          In Exchange I think those go into the Event Viewer. (It's been years since I have had to look at them, so you might have to google it.)

            2 years later

            Hi ntozier,

            I'm trying to send email via SMTP but cannot make it work. I tried the following ways:

            1. Disabled the MFA for a specific user.
            2. Enabled/enforced MFA for a specific user and used an app password instead.

            We cannot disable the security defaults for our organization since it will put us at risk, and conditional access needs a premium plan on Azure.

            I was able to use Gmail using the app password created on Gmail, but on O365 I am getting an error.


            Hope you can share some thoughts about it.

            Thank you.

            @Tenggay

            As the error states, you should contact your administrator and/or mail provider for further assistance. It appears you have some very specific rules/setup on your mail server.

            Cheers.
