Enable TLS v1.0

BS1

-OSTicket v1.12.2

-Apache2.4.25
-mySQL v10.1.38
-PHP 7.3.7-2+0~20190725.42+debian9~1.gbp848ca5
-Exchange 2007 SP3
POP3 and iMAP4 mail fetch does not communicate with Exchange, as 2007 does not support TLS1.1 or 1.2. Mail fetch works fine with a gmail account. Is there a way to force OSTicket to use TLS 1.0?

Please advise

ntozier

First off I would like to state the obvious that Exchange 2007 reached end of life back in April 2017.

BS1 POP3 and iMAP4 mail fetch does not communicate with Exchange

POP3 and IMAP4 both work on Exchange 2007, but they need to be enabled, by default they are installed but disabled. (We used to use osTicket with Exchange 2007 via IMAP for a long time.) I am pretty sure that you are correct that Exchange 2007 does not support TLS 1.1 or 1.2 though. I no longer have an Exchange 2007 server to test with but we used up through 1.10 with it.

The connection to negotiate down to TLS 1.0 automagially (yay handshakes). osTicket uses PEAR Mail and Net_SMTP to connect and send mail.

So to start I would say make sure that you have those protocols (POP3 and IMAP4) are enabled on your server.

BS1

ntozier Thank you for the reply. Yes, they are both enabled. I am able to use a thunderbird client to access successfully. (see attached) I have tried all 3 pop and imap options for authentication on the exchange server, and on the OSticket side, all 4 (pop, pop +ssl, etc) options, and they do not seem to work in any combination. This is a fresh clean install of OSticket, but so far get the same results with PHP 5.6, 7.1,7.2 and 7.3. When saving, the message is "Invalid login. Check POP settings" and "Fetching Email via IMAP or POP

TLS/SSL failure for 10.10.1.22: SSL negotiation failed". Same results using the URL instead of the IP address. both systems are on the same network switch and SMTP works fine.

ntozier

I presume that you also enabled the protocols for the user since you said that Thunderbird connects. Can you look at the access logs for Exchange and see what it says for why the connection is failing?

As a side note try IMAP port 993, or POP port 995.

BS1

ntozier Yes, they are enabled for the user. The only error in the serverlog is an MSExchangeTransport that is referencing STARTTLS being unable to support the FQDN for the local hostname of the server (mailserver.domain.local) which started appearing when Microsoft removed support for .local and self signed certificates a few years ago.
When I run Get-ExchangeCertificate, the thumbprint appears correct and the Services on the public facing domain name are listed as IP.WS. Below is referencing an openssl check against the server, and I am not sure what this is telling me. Perhaps this could be a certificate issue?

Checking Secure IMAP (explicit) on port 143:

openssl s_client -connect 10.10.1.22:143 -starttls imap

CONNECTED(00000080)

write:errno=0

no peer certificate available

No client certificate CA names sent

SSL handshake has read 191 bytes and written 319 bytes

Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent

Verify return code: 0 (ok)

Checking Secure IMAP (implicit) on port 993:

openssl s_client -connect 10.10.1.22:993

CONNECTED(00000080)

write:errno=0

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 293 bytes

Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent

Verify return code: 0 (ok)

Checking Secure POP (explicit) on port 110:

openssl s_client -connect 10.10.1.22:110 -starttls pop3

CONNECTED(00000080)

write:errno=0

no peer certificate available

No client certificate CA names sent

SSL handshake has read 79 bytes and written 299 bytes

Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent

Verify return code: 0 (ok)

Checking Secure POP (implicit) on port 995:

openssl s_client -connect 10.10.1.22:995

CONNECTED(00000080)

write:errno=0

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 293 bytes

Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent

Verify return code: 0 (ok)

ntozier

Hrm.

Just a weird thought but try prefixing your server name with
tls://
And let me know what happens.
I think that it might be cert related.
I'll ask a dev to look at this thread.

BS1

ntozier OK, I tried with pop, pop+ssl, imap, imap+SSL, both with the IP address and the URL and the reply is
Fetching Email via IMAP or POP

Can't open mailbox {tls://10.10.1.22:143/imap/novalidate-cert}INBOX: invalid remote specification.

BS1

Fetching Email via IMAP or POP

Can't open mailbox {tls://10.10.1.22:995/pop3/ssl/novalidate-cert}INBOX: invalid remote specification

KevinTheJedi

@BS1

Run:

$ openssl s_client -connect 10.10.1.22:143 -starttls imap -tls1

Post a picture of your mail settings so we can see what you are trying to enter as the protocol, etc.

Cheers.

BS1

C:\Program Files\OpenSSL-Win64\bin>openssl s_client -connect 10.10.1.22:143 -sta
rttls imap -tls1
CONNECTED(00000080)

write:errno=0

no peer certificate available

No client certificate CA names sent

SSL handshake has read 191 bytes and written 130 bytes

Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1564674905
Timeout : 7200 (sec)
Verify return code: 0 (ok)

Extended master secret: no

KevinTheJedi

@BS1

Port 143 is the unencrypted port for IMAP. If you would like to use 143 you must use the protocol of just IMAP (NOT IMAP + SSL).

Cheers.

BS1

ntozier

You would remove the tls:// from the url I think if your not using ssl.

BS1

It does not seem to matter. Any combination that I use fails, and there does not seem to be anything generating errors as to "why?"

KevinTheJedi

@BS1

Any combination that I use fails, and there does not seem to be anything generating errors as to "why?"

Because the errors are listed in your mailserver's connection/error logs..

Cheers.

BS1

OK, now i have to ask a dumb question. It is not producing errors in the server APPLog. Is the connection/error log somewhere else?

ntozier

In exchange I think those go into the event viewer. (it's been years since I have had to look at them, so you might have to google it)

Tenggay

Hi ntozier

I'm trying to send email via SMTP but cannot make it work. I tried the following ways:

Disabled the MFA for specific user
Enabled/ Enforced MFA to specific user and use APP PASSWORD Instead.

We cannot disable the security defaults for our organization since it will put us on risk, and conditional access needs a premium plan on Azure.

I was able to use gmali using the APP PASSWORD created on gmail, but on O365 I am getting an error.

Hope you can share some thoughts about it.

Thank you.

KevinTheJedi

@Tenggay

As the error states, you should contact your administrator and/or mail provider for further assistance. It appears you have some very specific rules/setup on your mailserver.

Cheers.