# postfix, TLS and broken MS Outlook after Windows October 2022 update



## VladiBG (Oct 16, 2022)

After the last Windows October 2022 update, which disables TLS 1.0 and TLS 1.1 in Windows, the Outlook TLS handshake to postfix also breaks:


```
postfix/smtpd[XXXXX]: SSL_accept error from unknown[XXX.XXX.XXX.XXX]: lost connection
```

Or with verbose logging:


```
postfix/submission/smtpd[XXX]: unknown[XXX.XXX.XXX.XXX]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:mad:STRENGTH"
postfix/submission/smtpd[XXX]: SSL_accept:before SSL initialization
syslogd: last message repeated 1 times
postfix/submission/smtpd[XXX]: SSL_accept:SSLv3/TLS read client hello
postfix/submission/smtpd[XXX]: SSL_accept:SSLv3/TLS write server hello
postfix/submission/smtpd[XXX]: SSL_accept:SSLv3/TLS write certificate
postfix/submission/smtpd[XXX]: SSL_accept:SSLv3/TLS write key exchange
postfix/submission/smtpd[XXX]: SSL_accept:SSLv3/TLS write server done
postfix/submission/smtpd[XXX]: SSL_accept:error in SSLv3/TLS write server done
postfix/submission/smtpd[XXX]: SSL_accept error from unknown[XXX.XXX.XXX]: lost connection
```

The problem is that Outlook doesn't accept the TLS session ticket and hangs up the connection. The temporary fix is to not issue the session ticket, by adding "-o tls_ssl_options=NO_TICKET" in the master.cf file in postfix:


```
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
...

submission inet n       -       n       -       -       smtpd
 ...
 -o tls_ssl_options=NO_TICKET
....
smtps     inet  n       -       n       -       -       smtpd
....
  -o tls_ssl_options=NO_TICKET
...
```

The original discussion from postfix-users: 'Re: Outlook TLS errors after Microsoft Windows Update' - MARC


----------
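To confirm that the override actually landed on every smtpd listener, master.cf can be parsed and each service checked. This is an added example, not code from the thread or from Postfix; the sample file is constructed, the function names are hypothetical, and it assumes the plain `-o name=value` form (not the `{ name = value }` form) and does not look at main.cf.

```python
import re
import shlex

# Constructed sample master.cf (not from the thread): submission carries the
# override, smtps has it commented out, and port 25 smtp has none.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o tls_ssl_options=NO_TICKET
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
# -o tls_ssl_options=NO_TICKET
pickup    unix  n       -       n       60      1       pickup
"""

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) to their service line."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored, even mid-entry
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current

def smtpd_ticket_status(text):
    """Map 'service/type' -> True if that smtpd entry sets NO_TICKET via -o."""
    status = {}
    for line in logical_lines(text):
        fields = shlex.split(line)
        if len(fields) < 8 or fields[7] != "smtpd":
            continue  # only smtpd listeners perform the server-side handshake
        overrides = {}
        args = fields[8:]
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                name, _, val = value.partition("=")
                overrides[name] = val  # keep the last occurrence
        options = re.split(r"[,\s]+", overrides.get("tls_ssl_options", ""))
        status[f"{fields[0]}/{fields[1]}"] = "NO_TICKET" in options
    return status

if __name__ == "__main__":
    for service, ok in smtpd_ticket_status(SAMPLE_MASTER_CF).items():
        print(f"{service:20} {'NO_TICKET set' if ok else 'no NO_TICKET override'}")
```

On a live system, pass the contents of the real master.cf instead of the sample; a service reported without the override may still inherit `tls_ssl_options` from main.cf.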



## morikawa (Oct 24, 2022)

I have two (2) installations of postfix on AWS Linux2. Both have the same configuration.
One has this problem, while the other does not. The one without this problem is running on 4.14.262-200.489.amzn2.x86_64, while the other, with this problem, is on 4.14.294-220.533.amzn2.x86_64.

Adding tls_ssl_options=NO_TICKET in master.cf does not rectify this issue.
Any idea on how to solve this issue?


----------



## VladiBG (Oct 24, 2022)

The issue is in Microsoft Windows; this is only a workaround until Microsoft fixes their side.
After changing master.cf, don't forget to restart postfix. Also check if you have "smtpd_tls_session_cache_database" set up and disable it; by default it's empty. This will slow down new TLS connections to the server, but it's the only option for now.

Postfix Configuration Parameters

Here's the same information about this problem from Plesk:

https://support.plesk.com/hc/en-us/articles/8074200003346-Outlook-cannot-connect-via-TLS-to-a-Plesk-server-after-Windows-update-KB5018410-


----------

