I moved hosting packages recently and The Bat stopped retrieving or sending mail. The following error message shows up straight away.
!01/04/2018, 01:54:20: SEND - TLS handshake failure. An existing connection was forcibly closed by the remote host
So I raised a ticket with the host. They eventually tracked the problem down.
Quote
The issue is that your mail clients do not support TLSv1.2 which is the currently recommended protocol to use as all others have vulnerabilities. You may wish to monitor the author's site for future support of this as PCI compliance prohibits the use of TLS v1.0 and shortly v1.1 on servers.
They have relaxed the requirement on the pop3 server so I can now retrieve email, but they haven't on the SMTP server (yet) so I still can't send it.
But they have a point. TLSv1.2 has been around since 2008. The PCI are indeed tightening security requirements for processing card payments to TLSv1.1 with a strong recommendation of TLSv1.2. Microsoft Office 365 will refuse TLSv1.0 and v1.1 as of October, mandating TLSv1.2. Thunderbird has supported TLSv1.2 for several years. Microsoft Outlook has been able to be configured to use TLSv1.2 for several years. Yet The Bat, which I bought over 10 years ago and all upgrades since, doesn't support it.
Good question, especially since TLS 1.3 has been recently approved... https://www.theregister.co.uk/2018/03/23/tls_1_3_approved_ietf/ I don't know if you'll get an answer on the forum; you may need to file a ticket with tech support. I agree, the upgrade is needed. david
Having got my host to temporarily relax to accept TLSv1.1, I'm now getting certificate name mismatch errors as a result of The Bat's failure to use SNI. SNI has also been around for over 10 years and is in increasing use, especially due to the IPv4 exhaustion. I wish The Bat offered SNI.
I hadn't heard of SNI before, but from what I understand, it allows a server to present multiple certificates.
I wonder if the lack of SNI support that you mention also explains the situation in this other topic, where The Bat wouldn't connect to a mailserver that offered two certificates.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
That doesn't sound reassuring at all... it would be pretty bad if hosts begin to enforce TLS 1.2+ and SNI soon and my favorite email client doesn't support it!
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
I think this should have first priority, TheBat has enough features already and more and more hosts shift to TLS1.2. I'm having problems with several of my hosts now that they have upgraded.
I'm writing software myself which connects to different hosts and I've also had to upgrade it to TLS1.2 because the hosts started doing it.
It also supports HTML styling, which seriously raises the bar on HTML email, and includes support for block quotes, which was a topic in a recent post. I'm very impressed with the new release.
I just switched web hosting platforms and they too said that the 'ciphers' in The Bat were outdated. I had to beg them to relax security so I could get my email accounts to work. This MUST get fixed pretty soon or I'll be forced to drop The Bat; I've been using it forever!
Did you upgrade The Bat to the current release, v8.4? If so, TLS 1.2 should work.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
This version resolves TLS 1.2 compatibility issues. Connection failures were caused by mail servers which aborted the connection unless The Bat! sends the signature_algorithms ClientHello extension on TLS 1.2. To resolve this incompatibility, The Bat! since version 8.5.4 always sends the signature_algorithms extension during the TLS 1.2 handshake.
Hello,
It works well with The Bat! 8.5.4. I no longer have TLS problems. I can now reactivate Kaspersky.
I have The Bat version 8.8.9 (64-bit), and TLS does not work because of this. The server is on cpanel, and the provider says Bat is trying to use old TLS version. I also tried to use command line parameter /TLS_VERSION_RANGE:3-3 but did not help. What should I do to use TLS1.2?
I'm copying the connection log here:
Jan 14 14:16:44 atlas dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=80.99.35.150, lip=94.199.48.159, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<Y8ZMZxmcechQYyOW>
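A mail administrator seeing lines like the one above usually wants to know how many distinct clients are failing and for which OpenSSL reason (cipher mismatch versus protocol mismatch), rather than reading one line at a time. The script below is an added example, not code from the post or from Dovecot: it parses Dovecot login-process log lines in the format shown in the post, keeps only the TLS handshake failures, and groups them by the OpenSSL reason text. The sample lines are constructed for this example (documentation-range IPs, made-up session ids); the error codes other than the one quoted in the post are illustrative and the parser keys on the reason text, not the code.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the post). The first line mirrors the format quoted
# in the thread; IPs are documentation-range placeholders and session ids are made up.
SAMPLE_LOG = """\
Jan 14 14:16:44 atlas dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<s1>
Jan 14 14:17:02 atlas dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.11, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number, session=<s2>
Jan 14 14:17:30 atlas dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, mpid=1234, TLS, session=<s3>
Jan 14 14:18:01 atlas dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<s4>
"""

SVC_RE = re.compile(r"dovecot: (?P<svc>[a-z0-9]+-login): ")
RIP_RE = re.compile(r"\brip=(?P<rip>[0-9a-fA-F.:]+)")
TLS_FAIL_RE = re.compile(
    r"TLS handshaking: SSL_accept\(\) failed: "
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>[^,]+)"
)

# Plain-language hint per OpenSSL reason text, for the admin reading the summary.
HINTS = {
    "no shared cipher": "client offers no cipher suite the server is configured to accept",
    "wrong version number": "client speaks a TLS version the server refuses",
    "unsupported protocol": "client speaks a TLS version the server refuses",
}


def parse_line(line):
    """Return a dict for a TLS handshake failure line, or None for any other line."""
    m = TLS_FAIL_RE.search(line)
    if m is None:
        return None
    svc = SVC_RE.search(line)
    rip = RIP_RE.search(line)
    return {
        "service": svc.group("svc") if svc else "?",
        "rip": rip.group("rip") if rip else "?",
        "code": m.group("code"),
        "reason": m.group("reason").strip(),
    }


def triage(log_text):
    """Group handshake failures by reason: attempt count, distinct client IPs, services."""
    buckets = defaultdict(lambda: {"attempts": 0, "clients": set(), "services": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        b = buckets[rec["reason"]]
        b["attempts"] += 1
        b["clients"].add(rec["rip"])
        b["services"].add(rec["service"])
    return {
        reason: {
            "attempts": b["attempts"],
            "clients": sorted(b["clients"]),
            "services": sorted(b["services"]),
            "hint": HINTS.get(reason, "see OpenSSL error text"),
        }
        for reason, b in buckets.items()
    }


if __name__ == "__main__":
    for reason, info in triage(SAMPLE_LOG).items():
        print(f"{reason}: {info['attempts']} attempt(s) from {len(info['clients'])} client(s) "
              f"on {', '.join(info['services'])} -> {info['hint']}")
```

Run against a real Dovecot log, the "clients" list under "no shared cipher" is the set of legacy mail clients that will stop working when a CBC-only or TLS-1.0-only fallback is removed, which is the list to contact before tightening the cipher configuration.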
This is probably the same problem reported in this thread.
For a successful handshake, the client and the server need to have at least one cypher in common. Some providers have recently switched to a suite of cyphers that only includes "GCM"-type cyphers. The Bat, in turn, only supports "CBC"-type cyphers.
There is no solution for this. It would be great (and wise) if your provider would offer at least one CBC-type cypher to its users, so that legacy email clients and devices can continue to safely exchange email with them too.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
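The three failure modes discussed in this thread (a server refusing anything below TLS 1.2, a server aborting a TLS 1.2 hello that lacks the signature_algorithms extension, a GCM-only server rejecting a CBC-only client, plus the SNI-less hello that makes a multi-certificate server return the wrong certificate) are all visible in the client's first message. The code below is an added example, not part of the forum thread or of The Bat!: it builds a minimal TLS ClientHello record from a given version, cipher list and extensions, parses it back the way a server would, and reports which of those four problems a server with a given policy would hit. The cipher suite and signature-scheme code points are the real IANA values; the two hellos and the server policy are constructed for the example and do not describe any particular client version or provider.

```python
import struct

# IANA cipher suite code points (real values) used in the constructed hellos.
CIPHERS = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EXT_SNI, EXT_SIGALGS = 0x0000, 0x000D


def build_client_hello(version, ciphers, sni=None, sigalgs=None):
    """Build a TLS record carrying a minimal ClientHello (constructed test input)."""
    exts = b""
    if sni is not None:                      # server_name: list len, name type 0, name len, name
        host = sni.encode()
        name = b"\x00" + struct.pack("!H", len(host)) + host
        lst = struct.pack("!H", len(name)) + name
        exts += struct.pack("!HH", EXT_SNI, len(lst)) + lst
    if sigalgs:                              # signature_algorithms: list len, 2-byte schemes
        algs = b"".join(struct.pack("!H", a) for a in sigalgs)
        body = struct.pack("!H", len(algs)) + algs
        exts += struct.pack("!HH", EXT_SIGALGS, len(body)) + body
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    hello = (struct.pack("!H", version) + b"\x00" * 32   # client_version + zeroed random
             + b"\x00"                                   # empty session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")                              # one compression method: null
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello  # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Parse a ClientHello record into version, cipher ids, SNI name and extension types."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                         # skip random
    pos += 1 + body[pos]                                 # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                 # skip compression methods
    exts, sni = set(), None
    if pos + 2 <= len(body):                             # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.add(etype)
            if etype == EXT_SNI and len(data) >= 5:
                nlen = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + nlen].decode("ascii", "replace")
    return {"version": version, "ciphers": ciphers, "sni": sni, "extensions": exts}


def handshake_problems(hello, min_version, server_ciphers, server_has_multiple_certs):
    """List the reasons a server with this policy would fail or mis-handle the hello."""
    problems = []
    if hello["version"] < min_version:
        problems.append("protocol version %s below server minimum %s" % (
            VERSIONS.get(hello["version"], hex(hello["version"])), VERSIONS.get(min_version)))
    if not set(hello["ciphers"]) & set(server_ciphers):
        problems.append("no shared cipher")
    if server_has_multiple_certs and hello["sni"] is None:
        problems.append("no SNI: server cannot choose a certificate, expect a name mismatch")
    if hello["version"] >= 0x0303 and EXT_SIGALGS not in hello["extensions"]:
        problems.append("TLS 1.2 hello without signature_algorithms extension")
    return problems


# Constructed hellos: a legacy TLS 1.1, CBC-only client without SNI, and a modern one.
LEGACY = build_client_hello(0x0302, [0x002F, 0x0035, 0xC013, 0xC014])
MODERN = build_client_hello(0x0303, [0xC02F, 0xC030, 0xC013], sni="mail.example.com",
                            sigalgs=[0x0401, 0x0501, 0x0403])
# Constructed server policy: TLS 1.2 only, GCM-only suites, several certificates on one IP.
POLICY = dict(min_version=0x0303, server_ciphers=[0xC02F, 0xC030], server_has_multiple_certs=True)

if __name__ == "__main__":
    for label, rec in (("legacy", LEGACY), ("modern", MODERN)):
        h = parse_client_hello(rec)
        print(label, VERSIONS.get(h["version"]), [CIPHERS.get(c, hex(c)) for c in h["ciphers"]], h["sni"])
        print("  problems:", handshake_problems(h, **POLICY) or ["none"])
```

The same parser can be pointed at a real capture: the first record a client sends on port 995 or 465 (or after STARTTLS on 110/587) is the ClientHello, and reading its version, suite list and extensions is the quickest way to confirm which side of the mismatch needs to change before asking a provider to relax anything.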