Discussion:
Are we all doomed?
Andy
2023-04-22 08:33:38 UTC
I've just logged on to my ISP's web site (to look at the spam bin) and
was greeted by the below message. Or threat. Or imminent catastrophe.

Please can someone who understands such matters explain to me what I
need to check, or do.

The last thing I wish for is to have to abandon Turnpike - I hope that's
a heartfelt wish for the future, not a statement explaining my future
absence.

==============================================================

We are disabling unencrypted email access and TLS 1.0/1.1 for POP3,
IMAP, and SMTP

If you have problems sending or receiving emails through an external
email program (i.e. Outlook, Thunderbird, etc.), it could be because you
are accessing your email account without encryption or through the
deprecated encryption protocols TLS 1.0 or TLS 1.1. For security
reasons, we are disabling unencrypted email access and TLS 1.0/1.1. For
the transmission of emails between your email programs and our email
servers to continue to work, they must support TLS 1.2 or higher, and
encryption (SSL/TLS) must be enabled. More information:
https://www.ionos.co.uk/tls
--
Andy Taylor FRPSL
President, Treasurer & Editor of the Austrian Philatelic Society.
Chrisj194801
2023-04-22 10:57:03 UTC
Post by Andy
I've just logged on to my ISP's web site (to look at the spam bin) and
was greeted by the below message. Or threat. Or imminent catastrophe.
Please can someone who understands such matters explain to me what I
need to check, or do.
I think we have encountered this before. In your stunnel configuration file ensure you have the lines

options = NO_TLSv1.1
sslVersion = TLSv1.2

Works fine for me. I am using stunnel 5.03

Regards
Chris
John
2023-04-22 16:46:30 UTC
Post by Chrisj194801
Post by Andy
I've just logged on to my ISP's web site (to look at the spam bin) and
was greeted by the below message. Or threat. Or imminent catastrophe.
Please can someone who understands such matters explain to me what I
need to check, or do.
I think we have encountered this before. In your stunnel configuration
file ensure you have the lines
options = NO_TLSv1.1
sslVersion = TLSv1.2
Works fine for me. I am using stunnel 5.03
We did indeed encounter this before - I got exactly the same message but
over a year ago now. While I think what you had works, someone advised
me that there was now a preferred way of achieving it, with these two
lines near the top of the config.:

sslVersionMax=TLSv1.3
sslVersionMin=TLSv1.2

That is what I am currently using and works for me (Stunnel 5.60)
--
John
John Hall
2023-04-22 18:21:58 UTC
Post by Andy
I've just logged on to my ISP's web site (to look at the spam bin) and
was greeted by the below message. Or threat. Or imminent catastrophe.
Please can someone who understands such matters explain to me what I
need to check, or do.
The last thing I wish for is to have to abandon Turnpike - I hope
that's a heartfelt wish for the future, not a statement explaining my
future absence.
==============================================================
We are disabling unencrypted email access and TLS 1.0/1.1 for POP3,
IMAP, and SMTP
If you have problems sending or receiving emails through an external
email program (i.e. Outlook, Thunderbird, etc.), it could be because
you are accessing your email account without encryption or through the
deprecated encryption protocols TLS 1.0 or TLS 1.1. For security
reasons, we are disabling unencrypted email access and TLS 1.0/1.1. For
the transmission of emails between your email programs and our email
servers to continue to work, they must support TLS 1.2 or higher, and
https://www.ionos.co.uk/tls
You should be able to continue to use Turnpike, but will need to use
stunnel as an intermediary, as many of us are already doing. I'm a
little surprised that it has taken so long for your ISP to do away with
unencrypted access, as most mail servers did that some years ago.

As recent official releases of stunnel have been 64-bit only, you will
need to download the 32-bit version provided by the excellent Jose Alt.
You can do that here:

https://github.com/josealf/stunnel-win32

Currently the latest version is 5.69, which you can find in the third to
last line in the big table. It's a self-extracting executable IIRC.
After you've installed it (it's probably best to set it so it loads at
Windows boot-up), you will need to set up a configuration file. Here's
mine, which I hacked from the developer's example config file (lines
beginning with a semi-colon are comments and those in square brackets
are section labels that can be anything you like):

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may be useful for troubleshooting)
debug = 6
output = stunnel.log
log = overwrite

; Disable FIPS mode to allow non-approved protocols and algorithms
fips = no

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

[pickaweb-pop3]
client = yes
accept = 127.0.0.1:110
;"connect" specifies the url of your mail server
;my service provider has set it up so that mail.jhall.co.uk redirects
;to their actual server
;in my case the required port number is 995, which is commonly used
;but yours could be different
connect = mail.jhall.co.uk:995
;the next 4 lines are to authenticate the server
;checking that it's the real thing and not some spoofer
;the url for "checkHost" of course must match that for "connect"
verifyChain = yes
CAfile = ca-certs.pem
checkHost = mail.jhall.co.uk
OCSPaia = yes
;time in secs after which time-out occurs if server fails to respond
TIMEOUTconnect = 60
TIMEOUTidle = 40
TIMEOUTbusy = 40
;time to wait for close_notify (set to 0 for buggy MSIE)
TIMEOUTclose = 40

[pickaweb-smtp]
client = yes
accept = 127.0.0.1:25
;in my case the required port number is 465, which is commonly used
connect = mail.jhall.co.uk:465
verifyChain = yes
CAfile = ca-certs.pem
checkHost = mail.jhall.co.uk
OCSPaia = yes
;---------------------------------


Then all you have to do is edit your email configuration in TP Connect
to replace the server urls for POP3 and SMTP with 127.0.0.1 and ensure
that the ports match those you've specified in the accept lines in the
stunnel config file.

One other thing. If your ISP isn't sufficiently clued up, then it might
be that they aren't registered for authentication, in which case you'll
have to delete or comment out the authentication lines.
--
John Hall "[It was] so steep that at intervals the street broke into steps,
like a person breaking into giggles or hiccups, and then resumed
its sober climb, until it had another fit of steps."
Ursula K Le Guin "The Beginning Place"
Andy
2023-04-24 08:41:49 UTC
In message <***@jhall_nospamxx.co.uk>, John Hall
<***@jhall.co.uk> wrote
[snip Andy-moan]
Post by John Hall
You should be able to continue to use Turnpike, but will need to use
stunnel as an intermediary, as many of us are already doing.
[]
I'm already using stunnel, version 5.22, as advised and guided by you
and others last time such problems arose. That feels like decades ago,
but maybe it was much more recent - time passes quickly as one ages :)

"What I have works" - but for how much longer?

Time for a config-file compare...
;-lines etc deleted here to save space.

JOHN-HALL FILE
Post by John Hall
debug = 6
output = stunnel.log
log = overwrite
fips = no
options = NO_SSLv2
[pickaweb-pop3]
client = yes
accept = 127.0.0.1:110
connect = mail.jhall.co.uk:995
verifyChain = yes
CAfile = ca-certs.pem
checkHost = mail.jhall.co.uk
OCSPaia = yes
TIMEOUTconnect = 60
TIMEOUTidle = 40
TIMEOUTbusy = 40
TIMEOUTclose = 40
[pickaweb-smtp]
client = yes
accept = 127.0.0.1:25
connect = mail.jhall.co.uk:465
verifyChain = yes
CAfile = ca-certs.pem
checkHost = mail.jhall.co.uk
OCSPaia = yes
ANDY-FILE

debug = 5
output = stunnel.log
log = overwrite
fips = no

engine = capi
cert = stunnel.pem

options = NO_SSLv2

[1and1-smtp]
client = yes
accept = 127.0.0.1:25
connect = auth.smtp.1and1.co.uk:465
; was 587

; The next bit collects emails from both my 1and1 mailboxes -
; each is configured separately in TP Connect but they call the same
; thing ie 127.0.0.1

[1and1-pop3]
client = yes
accept = 127.0.0.1:3110
connect = pop.1and1.co.uk:995

;;;;;;;;;;;;;;;;;;;; and that's my lot!
--
Andy Taylor FRPSL
President, Treasurer & Editor of the Austrian Philatelic Society.
Martin Liddle
2023-04-24 10:10:04 UTC
Post by Andy
JOHN-HALL FILE
Post by John Hall
debug = 6
output = stunnel.log
log = overwrite
fips = no
options = NO_SSLv2
[pickaweb-pop3]
client = yes
accept = 127.0.0.1:110
connect = mail.jhall.co.uk:995
verifyChain = yes
CAfile = ca-certs.pem
checkHost = mail.jhall.co.uk
OCSPaia = yes
TIMEOUTconnect = 60
TIMEOUTidle = 40
TIMEOUTbusy = 40
TIMEOUTclose = 40
[pickaweb-smtp]
client = yes
accept = 127.0.0.1:25
connect = mail.jhall.co.uk:465
verifyChain = yes
CAfile = ca-certs.pem
checkHost = mail.jhall.co.uk
OCSPaia = yes
ANDY-FILE
debug = 5
output = stunnel.log
log = overwrite
fips = no
engine = capi
cert = stunnel.pem
options = NO_SSLv2
I would add here:

options = NO_TLSv1.1
sslVersion = TLSv1.2
Post by Andy
[1and1-smtp]
client = yes
accept = 127.0.0.1:25
connect = auth.smtp.1and1.co.uk:465
; was 587
; The next bit collects emails from both my 1and1 mailboxes -
; each is configured separately in TP Connect but they call the same
; thing ie 127.0.0.1
[1and1-pop3]
client = yes
accept = 127.0.0.1:3110
connect = pop.1and1.co.uk:995
;;;;;;;;;;;;;;;;;;;; and that's my lot!
--
Martin Liddle, Tynemouth Computer Services
Staveley, Chesterfield, Derbyshire UK
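The following is an added example, not code from anyone in this thread and not part of stunnel itself. It is a small audit script that reads an stunnel client config and reports, per service, the two things the replies above keep coming back to: the oldest protocol version the service would still offer (Chris's `options = NO_TLSv1.1` / `sslVersion = TLSv1.2` lines, John's preferred `sslVersionMin`/`sslVersionMax`, and Martin's suggestion to add them to Andy's file), and whether the server's certificate chain and host name are checked at all (John Hall's `verifyChain`, `CAfile` and `checkHost` lines, with his note that `checkHost` must match `connect`). It is run over Andy's config as posted (logging lines omitted) and over an assumed corrected version that nobody in the thread posted. The `engine`/`cert` lines are ignored: they set what stunnel presents, not what it verifies. The precedence rules in `effective_min_tls` and the floor of SSLv3 when only `NO_SSLv2` is excluded are assumptions about the linked OpenSSL build, and the merge of global and service options is a simplification.

```python
import re

# Andy's stunnel config as posted above, logging lines omitted (nothing invented).
ANDY_CONF = """\
engine = capi
cert = stunnel.pem
options = NO_SSLv2

[1and1-smtp]
client = yes
accept = 127.0.0.1:25
connect = auth.smtp.1and1.co.uk:465

[1and1-pop3]
client = yes
accept = 127.0.0.1:3110
connect = pop.1and1.co.uk:995
"""

# Assumed fix, not posted by anyone: TLS floor pinned once in the global
# section, server chain and name checked in the service (POP3 shown; SMTP alike).
FIXED_CONF = """\
sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.3

[1and1-pop3]
client = yes
accept = 127.0.0.1:3110
connect = pop.1and1.co.uk:995
verifyChain = yes
CAfile = ca-certs.pem
checkHost = pop.1and1.co.uk
"""

VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_stunnel(text):
    """Global key=value lines come before the first [service]; values are lists
    because keys such as 'options' may repeat."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            (global_opts if current is None else current).setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def effective_min_tls(opts):
    """Oldest version still offered and the directive that decides it: sslVersionMin
    wins, a legacy 'sslVersion = X' pins exactly X, else the oldest version not
    excluded by 'options = NO_xxx' (assuming the linked OpenSSL still speaks it)."""
    if opts.get("sslVersionMin"):
        return opts["sslVersionMin"][-1], "sslVersionMin"
    pinned = opts.get("sslVersion", ["all"])[-1]
    if pinned != "all":
        return pinned, "sslVersion (legacy, pins that single version)"
    excluded = {v[3:] for v in opts.get("options", []) if v.startswith("NO_")}
    return next(((v, "options exclusions") for v in VERSIONS if v not in excluded),
                ("none", "everything excluded"))


def audit(text):
    """Per client service: what to put in the mail program, the real server, and
    the findings a TLS-1.2-only (or spoofed) server would turn into failures."""
    global_opts, services = parse_stunnel(text)
    report = {}
    for name, svc in services.items():
        opts = {**global_opts, **svc}  # simplification: service lines replace global defaults
        if opts.get("client", ["no"])[-1] != "yes":
            continue
        findings = []
        floor, how = effective_min_tls(opts)
        if floor in VERSIONS and VERSIONS.index(floor) < VERSIONS.index("TLSv1.2"):
            findings.append(f"floor is {floor} via {how}: add sslVersionMin = TLSv1.2")
        host = opts.get("connect", [""])[-1].rsplit(":", 1)[0]
        verified = "yes" in (opts.get("verifyChain", [""])[-1], opts.get("verifyPeer", [""])[-1])
        if not verified:
            findings.append("no verifyChain/CAfile: a spoofed server would be accepted")
        elif not (opts.get("checkHost") or opts.get("checkIP")):
            findings.append(f"chain verified but not the name: add checkHost = {host}")
        elif opts.get("checkHost") and opts["checkHost"][-1] != host:
            findings.append(f"checkHost {opts['checkHost'][-1]} != connect host {host}")
        report[name] = {"accept": opts.get("accept", [""])[-1],
                        "connect": opts.get("connect", [""])[-1], "findings": findings}
    return report


if __name__ == "__main__":
    for label, conf in (("as posted", ANDY_CONF), ("fixed", FIXED_CONF)):
        for name, r in audit(conf).items():
            print(f"{label} [{name}] {r['accept']} -> {r['connect']}:", r["findings"] or "ok")
```

Run as a script it prints one line per service, showing the loopback address the mail program must be pointed at (the `accept` line, as John Hall describes for TP Connect), the real server, and the findings. Andy's file gets two findings per service (SSLv3 floor, no server verification); the corrected version gets none. Chris's pair of lines is treated as a valid pin because `sslVersion = TLSv1.2` already fixes the version, `NO_TLSv1.1` on its own would still leave TLS 1.0 on offer.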
John Hall
2023-04-24 13:47:34 UTC
Post by Andy
[snip Andy-moan]
Post by John Hall
You should be able to continue to use Turnpike, but will need to use
stunnel as an intermediary, as many of us are already doing.
[]
I'm already using stunnel, version 5.22, as advised and guided by you
and others last time such problems arose. That feels like decades ago,
but maybe it was much more recent - time passes quickly as one ages :)
The more recent, the less likely I am to remember it. A combination of
your not mentioning stunnel and your ISP doing away with unencrypted
access led me astray. Sorry about that.
Post by Andy
"What I have works" - but for how much longer?
If it stops working, then hopefully Chris's suggestion of inserting

options = NO_TLSv1.1
sslVersion = TLSv1.2

will fix it. I'm a little surprised that stunnel and the server don't
(at least on some servers) automatically negotiate to use the highest
version of TLS that they both support.
Post by Andy
Time for a config-file compare...
;-lines etc deleted here to save space.
<snip>

As an aside, I assume the two lines that you have but I don't
Post by Andy
engine = capi
cert = stunnel.pem
must be another way of doing authentication.
--
John Hall "[It was] so steep that at intervals the street broke into steps,
like a person breaking into giggles or hiccups, and then resumed
its sober climb, until it had another fit of steps."
Ursula K Le Guin "The Beginning Place"