# Dovecot SSL error



## lucas1 (Feb 24, 2021)

Good day. 

When trying to connect Microsoft Outlook 2003 to Dovecot over IMAP (SSL), an error occurs in dovecot.log:

```
imap-login: Debug: SSL error: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
```
With MS Outlook 2010/2016 all is good.

```
dovecot --version
2.3.13
```

What do you advise?


----------



## SirDice (Feb 24, 2021)

lucas1 said:


> What do you advise?


Stop using Outlook 2003, it's been end-of-life since 2014. 





Microsoft Ending Support for Windows XP and Office 2003 | CISA

All software products have a lifecycle. End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. [2] As of February 2014, nearly 30 percent of Internet-connected PCs still run Windows XP. [3] Microsoft will send “End of Support”...

us-cert.cisa.gov


----------



## msplsh (Feb 24, 2021)

"no shared cipher" means Dovecot does not support any of the ciphers that Outlook 2003 does.  This is most likely because, as noted above, Outlook 2003 is ridiculously out of date and all its supported ciphers are too weak to provide effective encryption and Dovecot has dropped offering them.

There are options, but since you asked for advice, I would recommend, for the health and security of the internet, that you use the newer versions of Outlook that you have already confirmed work.
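
To find out which clients hit the "no shared cipher" failure discussed in this thread, the server log can be tallied by remote address. The following is an added example, not part of any poster's message and not Dovecot's own code; every log line except the one quoted in the first post is constructed, and the `rip=` layout of the "Disconnected" lines is an assumption about the local log format.

```python
import re
from collections import Counter

# OpenSSL error string as it appears in the log: error:<hex code>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^,\n]+)"
)
# Remote address field; assumed present on "Disconnected" lines, absent on bare Debug lines.
RIP = re.compile(r"\brip=(?P<rip>[0-9A-Fa-f:.]+)")

# Constructed sample input. The first line is the one quoted in the thread; the rest
# are made up for this example and use documentation-range IP addresses.
SAMPLE_LOG = """\
imap-login: Debug: SSL error: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<c0nstructed1>
imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<c0nstructed2>
imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.20, lip=198.51.100.5, mpid=4242, TLS, session=<c0nstructed3>
imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=192.0.2.30, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<c0nstructed4>
"""

def parse_handshake_failures(log_text):
    """Return one dict per log line that carries an OpenSSL handshake error."""
    failures = []
    for line in log_text.splitlines():
        err = OPENSSL_ERR.search(line)
        if not err:
            continue  # successful logins and unrelated lines
        rip = RIP.search(line)
        failures.append({
            "rip": rip.group("rip") if rip else None,
            "code": err.group("code").upper(),
            "function": err.group("func"),
            "reason": err.group("reason").strip(),
        })
    return failures

def clients_without_shared_cipher(log_text):
    """Count 'no shared cipher' failures per remote IP (None = line had no rip= field)."""
    return Counter(f["rip"] for f in parse_handshake_failures(log_text)
                   if f["reason"] == "no shared cipher")

if __name__ == "__main__":
    for rip, n in clients_without_shared_cipher(SAMPLE_LOG).most_common():
        print(f"{rip or 'unknown (debug line)'}: {n} failed handshake(s)")
```

Other handshake failures, such as the constructed "unsupported protocol" line, are parsed but left out of the per-client count, so protocol-version and cipher mismatches can be reviewed separately.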


----------



## lucas1 (Feb 24, 2021)

No, I need to solve this problem exactly in this form. 
Otherwise why would I ask.


----------



## diizzy (Feb 24, 2021)

Use stunnel to make your outdated clients connect to dovecot via stunnel.


----------



## msplsh (Feb 24, 2021)

Why would you ask?  You need third-party verification that you should tell whoever told you to support Outlook 2003 to go fly a kite.  That's a reason I can think of to ask.

Downgrading Dovecot's SSL cipher support will endanger ALL CLIENTS and your organization, not just Outlook 2003.  Furthermore, supporting using Outlook 2003 and whatever outdated version of Windows XP or 7 encourages the use of unsupported and vulnerable software that could be used as DDoS weaponry.

You'll have to downgrade Dovecot's SSL cipher list to support Outlook 2003.  This is a bad thing to do. You can read and understand the documentation in order to do this.  If you don't know how, I won't tell you how to do it because it encourages the creation of an internet community danger.

If the clients are firewalled, the stunnel idea will work and be relatively safe, but it's unlikely that Outlook 2003 is the only software these clients are using to connect to the internet.  You'll have to know how to configure that too.


----------



## Jose (Feb 24, 2021)

lucas1 said:


> No, I need to solve this problem exactly in this form.
> Otherwise why would I ask.


We're under no obligation to help you spew garbage all over the Internet.


----------



## diizzy (Feb 24, 2021)

msplsh said:


> Why would you ask?  You need third-party verification that you should tell whoever told you to support Outlook 2003 to go fly a kite.  That's a reason I can think of to ask.
> 
> Downgrading Dovecot's SSL cipher support will endanger ALL CLIENTS and your organization, not just Outlook 2003.  Furthermore, supporting using Outlook 2003 and whatever outdated version of Windows XP or 7 encourages the use of unsupported and vulnerable software that could be used as DDoS weaponry.
> 
> ...


I use that solution for MFPs, as firmware updates aren't available except for technicians, but only for SMTP.


----------

