com/wiki/Ajcody-Ciphers-Outlook-Troubleshooting
Bug:
* "Mac Outlook 2011 requires 3DES or RC4 ciphers"
** https://bugzilla.zimbra.com/show_bug.cgi?id=97232
References:
* https://www.openssl.org/docs/apps/ciphers.html
** explains what HIGH and the other keywords used in zimbraReverseProxySSLCiphers mean
* http://wiki.zimbra.com/wiki/Zimbra_Proxy_Manual:Installing_,_Configuring,_Disabling_the_Zimbra_Proxy#zmtlsctl
** http only mode?
* http://wiki.zimbra.com/wiki/Zimbra_Proxy_Manual:Installing_,_Configuring,_Disabling_the_Zimbra_Proxy#Using_Existing_Servers_2
** proxy isn't enabled for http/mail?
* Notes from various tests I did, saved for my reference.
** https://wiki.zimbra.com/wiki/Ajcody-Ciphers-Outlook
./cipherscan ldap2.zimbra.DOMAIN.com
It defaults to port 443. You can also check it against port 8443 [which could be the port set on your
mailstores if you set up the proxy on them as well, which I have done in this example] by doing:
./cipherscan ldap2.zimbra.DOMAIN.com:8443
* https://www.ssllabs.com/ssltest/
Second, the assumption is that you're running with the ZCS proxy service enabled for the various access methods
you're attempting with Outlook 2011 [http{mail}, pop, imap] and that SSL is enabled for each of them.
Let's confirm that the account you'll test with is enabled for EWS.
Let's also get what your current zimbraReverseProxySSLCiphers is set for before you change it.
Depending on what you have set, you'll need to adjust it to deal with the 3DES option. If you
had manually set zimbraReverseProxySSLCiphers at some point in your ZCS server's history, then
our upgrade process will not change it. Below I include what is also the default for 8.6 and
how to modify it for 3DES. The first example is what you might see if you upgraded
from ZCS 7 and/or manually set it at some point to the default as it was in ZCS 7.
If you want to see/confirm what the default value for ZCS 8.6 is, you can do the following
below. !!!Please Note!!! You can't paste the variable string into your CLI if it has ! in it
unless you have manually put a \ in front of each ! OR started the value with a single quote
and ended it with another single quote (the shell's history expansion otherwise eats the !).
For 8.6, the default will have !3DES; we'll want that to be 3DES, as shown in example 2.
[example 1]
[zimbra@ldap2 log]$ zmprov mcf zimbraReverseProxySSLCiphers '!SSLv2:!MD5:HIGH:3DES'
[zimbra@ldap2 log]$ zmproxyctl restart
[Note: I added extra \ line continuations to the command below so your cut/paste is easier and
it isn't one continuous line on the wiki page.]
[example 2]
[zimbra@ldap2 log]$ zmprov mcf zimbraReverseProxySSLCiphers ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:\
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:\
ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:\
DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:\
DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:\
AES128:AES256:RC4-SHA:HIGH:3DES:'!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK'
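The two examples above differ in one detail that is easy to get wrong when editing zimbraReverseProxySSLCiphers by hand: in the openssl ciphers(1) grammar a `!` prefix deletes a keyword permanently, so appending `:3DES` after an existing `!3DES` does not bring it back; the `!3DES` token itself has to be changed to `3DES`. The script below is an added example (not from this wiki page and not Zimbra code) that lints a cipher string for exactly that, rewrites `!3DES` to `3DES` the way example 2 does, and can optionally open one TLS handshake to a proxy or mailstore port restricted to a single suite to confirm the change took effect after `zmproxyctl restart`. Assumptions: `ZCS86_DEFAULT_CIPHERS` is constructed from example 2 with 3DES flipped back to `!3DES` to stand in for the 8.6 default the text describes; `probe_cipher` uses Python's `ssl` module in place of cipherscan; host names are placeholders. The lint reads only literal keywords, so what `HIGH`, `AES128` and friends expand to on your OpenSSL build still has to be checked with `openssl ciphers -v '<string>'`.

```python
"""Lint an OpenSSL cipher string such as the value of zimbraReverseProxySSLCiphers.

Added example for this page; not Zimbra code.  Only literal keyword tokens are
inspected; use `openssl ciphers -v '<string>'` to see what aliases expand to.
"""
import re
import socket
import ssl
import sys

# Token prefixes from the openssl ciphers(1) grammar.
PERMANENT_DELETE = "!"   # removed for good; a later plain token cannot bring it back
DELETE = "-"             # removed, but a later plain token can re-add it
MOVE_TO_END = "+"        # kept, moved to the end of the preference list

# Keywords this page cares about: the legacy suites Outlook 2011 needs plus the usual exclusions.
KEYWORDS = ("3DES", "RC4", "MD5", "aNULL", "eNULL", "EXPORT")

# Constructed from example 2 on the page with 3DES flipped back to !3DES, standing in for
# the ZCS 8.6 default the page describes (assumption, not copied from a live server).
ZCS86_DEFAULT_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!3DES:"
    "!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK"
)
# The ZCS 7 style value from example 1 on the page.
ZCS7_CIPHERS = "!SSLv2:!MD5:HIGH:3DES"


def tokenize(spec):
    """Split a cipher string into (modifier, keyword) pairs.  ':' ',' and ' ' separate tokens;
    a '+' inside a token (kEDH+AESGCM) is an intersection, not a modifier."""
    tokens = []
    for raw in re.split(r"[:, ]+", spec.strip()):
        if raw:
            mod = raw[0] if raw[0] in "!-+" else ""
            tokens.append((mod, raw[len(mod):]))
    return tokens


def keyword_state(spec, keyword):
    """Return 'killed', 'removed', 'enabled' or 'absent' for one exact keyword token,
    applying the rule that '!' is permanent while '-' can be undone later in the string."""
    state = "absent"
    for mod, kw in tokenize(spec):
        if kw.upper() != keyword.upper():
            continue
        if mod == PERMANENT_DELETE:
            return "killed"
        state = "removed" if mod == DELETE else "enabled"
    return state


def allow_keyword(spec, keyword):
    """Turn the first !KEYWORD / -KEYWORD / KEYWORD token into a plain include (the page's
    '!3DES -> 3DES' change), drop later duplicates, and append it if it was absent."""
    out, seen = [], False
    for mod, kw in tokenize(spec):
        if kw.upper() == keyword.upper():
            if not seen:
                out.append(keyword)
                seen = True
        else:
            out.append(mod + kw)
    if not seen:
        out.append(keyword)
    return ":".join(out)


def report(spec):
    """State of every keyword in KEYWORDS for the given cipher string."""
    return {kw: keyword_state(spec, kw) for kw in KEYWORDS}


def probe_cipher(host, port, cipher):
    """Attempt one TLS handshake restricted to `cipher` (OpenSSL suite name, e.g. DES-CBC3-SHA)
    and return the negotiated suite name, or None if the server refused it.  Certificate checks
    are off because this probes suite support only, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # 3DES/RC4 suites do not exist in TLS 1.3
    try:
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")    # local OpenSSL may otherwise refuse legacy suites
    except ssl.SSLError as exc:
        raise RuntimeError(f"local OpenSSL build does not offer {cipher}: {exc}") from exc
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    if len(sys.argv) >= 2:   # usage: cipherlint.py proxy.example.com [443] [DES-CBC3-SHA]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        suite = sys.argv[3] if len(sys.argv) > 3 else "DES-CBC3-SHA"
        print(f"{host}:{port} negotiated {probe_cipher(host, port, suite)} for {suite}")
    else:
        for label, spec in (("ZCS 7", ZCS7_CIPHERS), ("ZCS 8.6 default", ZCS86_DEFAULT_CIPHERS),
                            ("ZCS 8.6 with 3DES", allow_keyword(ZCS86_DEFAULT_CIPHERS, "3DES"))):
            print(label, report(spec))
```

Run it with no arguments to see the three states side by side (the 8.6 default reports 3DES as killed, the rewritten string as enabled), or with `host port DES-CBC3-SHA` against port 443 and port 8443 to confirm which listener actually negotiates the suite after the restart. Because the probe pins a single suite and caps the version at TLS 1.2, a `None` result means the server does not offer it, which is the same thing cipherscan tells you in its table. 3DES and RC4 are legacy suites that the 8.6 default excludes for a reason; treat the change as a compatibility exception for Outlook 2011 and flip the token back to `!3DES` once that client is retired.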
!!! NOTE - If You Aren't Running The ZCS Proxy Or Will Have Outlook Connect Directly To The Mailstore/Jetty !!!
!!! POP/IMAP SSL Setups In Outlook Also Depending On Your Setup !!!
Outlook should now be able to connect directly to the mailstores. In my example here, using a
single ZCS server with the proxy and mailstore services running on it, I'm now able to connect
with Outlook using either port 443 [my proxy] or port 8443 [my mailstore/jetty]. Please note
that in Outlook you'll need to leave the Use SSL box checked and then check the override if you want
to test on ports other than 443.
If things still fail, you'll also want to provide the information below along with all the
data/tests from above. Note, I'm including the output from my test box for these commands below.
My test box was a single 8.6 ZCS server [clean install, not upgraded from any prior ZCS version]
with all services enabled.
[This command only needs to be shared once with us since it shows your global variables]
[This command should be run on each of your proxy and mailstore servers]
Also, here are the results of my cipherscan after I made the changes. I tested both the default port available through my proxy [443] and the
'mailstore/jetty' port, which is different since I have the mailstore and proxy services running on the same box.