How can mails be retrieved over IMAP TLS 1.3 secured connections?
"Classic" Outlook 365 (Microsoft® Outlook® für Microsoft 365 MSO (Version 2406 Build 16.0.17726.20206) 64 Bit) on Windows 11 23H2 Pro uses TLS 1.2 instead of TLS 1.3 to connect to IMAPS Servers.
It does not send a TLS 1.3 CLIENT HELLO; technically TLS 1.2 with 0x2b “supported_versions” containing “Supported Version: TLS 1.3 (0x0304)”.
Microsoft 365
Office
Outlook
Windows 11
-
Nafets 0 Reputation points
2024-08-20T20:48:40.6966667+00:00 The JA4_r of Outlook M365 on Windows 11 23H2 reported by Wireshark is:
t12d180700_002f,0035,003c,003d,009c,009d,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_000a,000b,000d,0017,0023,ff01_0804,0805,0806,0401,0501,0201,0403,0503,0203,0202,0601,0603
With TLS 1.3 it should look like:
t13d141000_009c,009d,009e,009f,00a2,00a3,00ff,1301,1302,1303,c02b,c02c,c02f,c030_000a,000b,000d,0016,0017,0023,002b,002d,0033_0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602
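Added example, not part of the original post: a small Python parser for the two JA4_r strings quoted above, reporting which TLS 1.3 prerequisites (the supported_versions and key_share extensions and the 0x13xx cipher suites) each ClientHello carries. The function names are hypothetical; the field layout assumed is that of the public JA4 specification.

```python
# Added example: decode the two JA4_r strings quoted in the post above.
OUTLOOK = (
    "t12d180700_002f,0035,003c,003d,009c,009d,c009,c00a,c013,c014,c023,c024,"
    "c027,c028,c02b,c02c,c02f,c030_000a,000b,000d,0017,0023,ff01"
    "_0804,0805,0806,0401,0501,0201,0403,0503,0203,0202,0601,0603")
REFERENCE = (
    "t13d141000_009c,009d,009e,009f,00a2,00a3,00ff,1301,1302,1303,c02b,c02c,"
    "c02f,c030_000a,000b,000d,0016,0017,0023,002b,002d,0033"
    "_0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,"
    "0303,0301,0302,0402,0502,0602")

TLS13_SUITES = {"1301", "1302", "1303", "1304", "1305"}
# Extensions a client sends to negotiate TLS 1.3 with (EC)DHE (RFC 8446).
TLS13_EXTS = {"002b": "supported_versions", "0033": "key_share"}


def parse_ja4_r(raw):
    """Split a JA4_r string into header fields and hex-code lists."""
    parts = raw.strip().split("_")
    if len(parts) not in (3, 4) or len(parts[0]) != 10:
        raise ValueError("not a JA4_r string")
    head = parts[0]
    # The signature-algorithm list is absent when the client sent none.
    lists = [p.split(",") for p in parts[1:]] + [[]] * (4 - len(parts))
    return {
        "transport": head[0],             # t = TCP, q = QUIC
        "version": head[1:3],             # highest version offered
        "sni": head[3] == "d",            # d = server name present
        "cipher_count": int(head[4:6]),
        "ext_count": int(head[6:8]),      # includes SNI/ALPN, which are not listed
        "alpn": head[8:10],               # 00 = no ALPN extension
        "ciphers": lists[0], "extensions": lists[1], "sigalgs": lists[2],
    }


def tls13_offer(fp):
    """Report what the ClientHello offers towards a TLS 1.3 negotiation."""
    exts = set(fp["extensions"])
    suites = sorted(TLS13_SUITES & set(fp["ciphers"]))
    missing = sorted(n for code, n in TLS13_EXTS.items() if code not in exts)
    return {"ja4_version": fp["version"], "tls13_suites": suites,
            "missing_extensions": missing,
            "offers_tls13": fp["version"] == "13" and bool(suites) and not missing}


if __name__ == "__main__":
    for name, raw in (("Outlook", OUTLOOK), ("Reference", REFERENCE)):
        print(name, tls13_offer(parse_ja4_r(raw)))
```

Run against a capture of your own client, a fingerprint that lacks 002b, 0033 and every 13xx suite cannot end in a TLS 1.3 session regardless of what the server supports.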
-
Nafets 0 Reputation points
2024-08-20T20:49:40.5466667+00:00 The T-Online secure imap server (secureimap.t-online.de:993) may be used to verify the issue:
https://www.telekom.de/hilfe/apps-dienste/e-mail/einstellungen/posteingang-postausgang-server
-
Nafets 0 Reputation points
2024-08-20T20:50:02.1233333+00:00 https://support.microsoft.com/en-us/topic/outlook-imap-or-pop-server-unexpectedly-terminated-the-connection-and-the-server-was-interrupted-39fb3fde-7abe-4fff-a98d-9a7872b74ab5 states "Our testing found that Windows 11 TLS 1.3 should be working fine with Outlook." but it doesn't work e.g. with imaps://secureimap.t-online.de:993 even though it supports TLS 1.3: https://testtls.com/secureimap.t-online.de/993
-
Nafets 0 Reputation points
2024-08-20T20:50:14.1166667+00:00 Feedback Hub item:
-
Nafets 0 Reputation points
2024-08-20T20:50:31.59+00:00 This is a cross-post as requested by:
- https://answers.microsoft.com/en-us/outlook_com/forum/outlk_win-outtop_classic-outsub_ofh/outlook-365-doesnt-support-tls-13/68455ae4-2971-4c1c-b9a7-2e5cc75fc453
- https://telekomhilft.telekom.de/t5/E-Mail/Secure-IMAP-mit-Outlook-nicht-so-sicher-wie-erwartet/m-p/6895108
I'm sorry for posting this in comments but the content was being deleted many times for no obvious reason when I tried to post it.
-
Nafets 0 Reputation points
2024-08-20T20:52:46.1266667+00:00 -
SokiGuo-MSFT 27,816 Reputation points • Microsoft Vendor
2024-08-21T06:47:48.1366667+00:00 Hi
Welcome to our forum!
Are you having trouble adding your account to Outlook as IMAP?
What account type are you adding? Outlook.com or Microsoft 365 account?
Does the Outlook client have any error messages?
-
Nafets 0 Reputation points
2024-08-22T21:00:03.4+00:00 Are you having trouble adding your account to Outlook as IMAP?
Yes, I'm having trouble connecting to IMAP with TLS 1.3
What account type are you adding?
IMAP
Outlook.com or Microsoft 365 account?
Neither one. They also don't support TLS 1.3 (https://support.microsoft.com/de-de/office/pop-imap-und-smtp-einstellungen-f%C3%BCr-outlook-com-d088b986-291d-42b8-9564-9c414e2aa040): https://testtls.com/outlook.office365.com/993
I want to use T-Online (https://www.telekom.de/hilfe/apps-dienste/e-mail/einstellungen/posteingang-postausgang-server) : They support TLS 1.3: https://testtls.com/secureimap.t-online.de/993
Does the Outlook client have any error messages?
No.
-
SokiGuo-MSFT 27,816 Reputation points • Microsoft Vendor
2024-08-26T07:06:45.1433333+00:00 Hi @Nafets
Thanks for your reply!
Unfortunately, there is no official Microsoft documentation on how to set up IMAP for T-online accounts. The official documentation you provided above is about the port settings for outlook.com account configured as IMAP. Since our testing environment is limited and we are not able to configure your T-online account, we recommend that you contact your email provider for more professional advice.
-
Nafets 0 Reputation points
2024-08-26T13:36:45.2833333+00:00 I appreciate your intention to help, but there must have been some misunderstandings.
You may reread the information provided so far carefully and take note of these further explanations:
Unfortunately, there is no official Microsoft documentation on how to set up IMAP for T-online accounts.
Nobody has asked about this here anyway so far, but here it is: https://support.microsoft.com/en-us/office/server-settings-you-ll-need-from-your-email-provider-c82de912-adcc-4787-8283-45a1161f3cc3
The official documentation you provided above is about the port settings for outlook.com account configured as IMAP.
As mentioned neither Outlook.com nor Microsoft 365 accounts are related to the issue we are talking about here; even though Microsoft also fails to support TLS 1.3 there with their IMAPS server as already mentioned: https://testtls.com/outlook.office365.com/993
Since our testing environment is limited.
I'm sorry to hear that basic tools like Packet Sniffer are not provided to help you with connection issues related to TLS encryption.
Presumably the folks from https://support.microsoft.com/en-us/topic/outlook-imap-or-pop-server-unexpectedly-terminated-the-connection-and-the-server-was-interrupted-39fb3fde-7abe-4fff-a98d-9a7872b74ab5 shall jump in because what they have written isn't true (anymore): "Our testing found that Windows 11 TLS 1.3 should be working fine with Outlook."
...we are not able to configure your T-online account...
Because the problem is related to the (lower) TLS protocol layer, this is not necessary.
We recommend that you contact your email provider for more professional advice.
Because it has already been proven that Outlook is the issue, email providers cannot help. They are victims too, because - just like nowadays with TLS 1.0 - sometime they'll again have to deal with software whose protocol support has not been updated.
-
Nafets 0 Reputation points
2024-08-26T14:17:39.1366667+00:00 FYI: When you try to force Outlook to use ONLY TLS 1.3 by disabling TLS 1.0, 1.1 AND 1.2, it won't send a network packet at all and it will instantly fail with error 0x800CCC14 SOCKET_INIT_ERROR
Verified with:
    Get-ChildItem -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Recurse | Get-ItemProperty | Select-Object -Property @('Enabled','DisabledByDefault','PSPath') | Format-Table -AutoSize

    Enabled DisabledByDefault PSPath
    ------- ----------------- ------
          0                 1 Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
          0                 1 Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
          0                 1 Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
          1                 0 Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client
-
SokiGuo-MSFT 27,816 Reputation points • Microsoft Vendor
2024-08-30T07:11:10.1033333+00:00 Thanks for the reply, for this issue, I will submit this feedback on the official feedback portal.
Also, if you have any suggestions or ideas, it's suggested that you could post here. Hope Microsoft will notice this in the future. Thank you for your understanding and support!