how can mails be retrieved over imap tls 1.3 secured connections?

Question

how can mails be retrieved over imap tls 1.3 secured connections?

Nafets 10

"Classic" Outlook 365 (Microsoft® Outlook® für Microsoft 365 MSO (Version 2406 Build 16.0.17726.20206) 64 Bit) on Windows 11 23H2 Pro uses TLS 1.2 instead of TLS 1.3 to connect to IMAPS Servers.

It does not send a TLS 1.3 CLIENT HELLO; technically TLS 1.2 with 0x2b “supported_versions” containing “Supported Version: TLS 1.3 (0x0304)”.

Nafets 10 Reputation points

2024-08-20T20:48:40.6966667+00:00

The JA4_r of Outlook M365 on Windows 11 23H2 reported by Wireshark is:

t12d180700_002f,0035,003c,003d,009c,009d,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030_000a,000b,000d,0017,0023,ff01_0804,0805,0806,0401,0501,0201,0403,0503,0203,0202,0601,0603

With TLS 1.3 it should look like:

t13d141000_009c,009d,009e,009f,00a2,00a3,00ff,1301,1302,1303,c02b,c02c,c02f,c030_000a,000b,000d,0016,0017,0023,002b,002d,0033_0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602
Nafets 10 Reputation points

2024-08-20T20:49:40.5466667+00:00

The T-Online secure imap server (secureimap.t-online.de:993) may be used to verify the issue:

https://www.telekom.de/hilfe/apps-dienste/e-mail/einstellungen/posteingang-postausgang-server
Nafets 10 Reputation points

2024-08-20T20:50:02.1233333+00:00

https://support.microsoft.com/en-us/topic/outlook-imap-or-pop-server-unexpectedly-terminated-the-connection-and-the-server-was-interrupted-39fb3fde-7abe-4fff-a98d-9a7872b74ab5 tells "Our testing found that Windows 11 TLS 1.3 should be working fine with Outlook." but it doesn't work e.g. with imaps://secureimap.t-online.de:993 even though it supports TLS 1.3 : https://testtls.com/secureimap.t-online.de/993
Nafets 10 Reputation points

2024-08-20T20:50:14.1166667+00:00

Feedback Hub item:

https://aka.ms/AArry51
Nafets 10 Reputation points

2024-08-20T20:50:31.59+00:00
This is a cross-post as requested by:

https://answers.microsoft.com/en-us/outlook_com/forum/outlk_win-outtop_classic-outsub_ofh/outlook-365-doesnt-support-tls-13/68455ae4-2971-4c1c-b9a7-2e5cc75fc453

https://telekomhilft.telekom.de/t5/E-Mail/Secure-IMAP-mit-Outlook-nicht-so-sicher-wie-erwartet/m-p/6895108

I'm sorry for posting this in comments but the content was being deleted many times for no obvious reason when I tried to post it.
Nafets 10 Reputation points

2024-08-20T20:52:46.1266667+00:00
SokiGuo-MSFT 31,551 Reputation points Microsoft External Staff

2024-08-21T06:47:48.1366667+00:00

Hi

Welcome to our forum!

Are you having trouble adding your account to Outlook as IMAP?

What account type are you adding? Outlook.com or Microsoft 365 account?

Does the Outlook client have any error messages?
Nafets 10 Reputation points

2024-08-22T21:00:03.4+00:00

Are you having trouble adding your account to Outlook as IMAP?

Yes, I'm having trouble connecting to IMAP with TLS 1.3

What account type are you adding?

IMAP

Outlook.com or Microsoft 365 account?

Neither one. They also don't support TLS 1.3 (https://support.microsoft.com/de-de/office/pop-imap-und-smtp-einstellungen-f%C3%BCr-outlook-com-d088b986-291d-42b8-9564-9c414e2aa040): https://testtls.com/outlook.office365.com/993

I want to use T-Online (https://www.telekom.de/hilfe/apps-dienste/e-mail/einstellungen/posteingang-postausgang-server) : They support TLS 1.3: https://testtls.com/secureimap.t-online.de/993

Does the Outlook client have any error messages?

No.
SokiGuo-MSFT 31,551 Reputation points Microsoft External Staff

2024-08-26T07:06:45.1433333+00:00

Hi @Nafets

Thanks for your reply!

Unfortunately, there is no official Microsoft documentation on how to set up IMAP for T-online accounts. The official documentation you provided above is about the port settings for outlook.com account configured as IMAP. Since our testing environment is limited and we are not able to configure your T-online account, we recommend that you contact your email provider for more professional advice.
Nafets 10 Reputation points

2024-08-26T13:36:45.2833333+00:00

Hi @SokiGuo-MSFT

I appreciate your intention to help, but there must have been some misunderstandings.

You may reread the information provided so far carefully and take note of these further explanations:

Unfortunately, there is no official Microsoft documentation on how to set up IMAP for T-online accounts.

Nobody has asked about this here anyway so far, but here it is: https://support.microsoft.com/en-us/office/server-settings-you-ll-need-from-your-email-provider-c82de912-adcc-4787-8283-45a1161f3cc3

The official documentation you provided above is about the port settings for outlook.com account configured as IMAP.

As mentioned neither Outlook.com nor Microsoft 365 accounts are related to the issue we are talking about here; even though Microsoft also fails to support TLS 1.3 there with their IMAPS server as already mentioned: https://testtls.com/outlook.office365.com/993

Since our testing environment is limited.

I'm sorry to hear that basic tools like Packet Sniffer are not provided to help you with connection issues related to TLS encryption.

Presumably the folks from https://support.microsoft.com/en-us/topic/outlook-imap-or-pop-server-unexpectedly-terminated-the-connection-and-the-server-was-interrupted-39fb3fde-7abe-4fff-a98d-9a7872b74ab5 shall jump in because what they have written isn't true (anymore): "Our testing found that Windows 11 TLS 1.3 should be working fine with Outlook."

...we are not able to configure your T-online account...

Because the problem is related to a the (lower) TLS protocol layer, this is not necessary.

We recommend that you contact your email provider for more professional advice.

Because it has already been proven that Outlook is the issue email providers cannot help. They are victims too, because - just like nowadays with TLS 1.0 - sometime they'll again have to deal with software not updated protocol support.

Nafets 10

FYI: When you try to force Outlook to use ONLY TLS 1.3 by disabling TLS 1.0, 1.1 AND 1.2, it won't send a network packet at all and it will instantly fail with error 0x800CCC14 SOCKET_INIT_ERROR

Verified with:

Get-ChildItem -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' -Recurse | Get-ItemProperty | Select-Object -Property @('Enabled','DisabledByDefault','PSPath') | Format-Table -AutoSize

Enabled DisabledByDefault PSPath                                                                                                                                     
------- ----------------- ------                                                                                                                                     
      0                 1 Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
      0                 1 Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
      0                 1 Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
      1                 0 Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client

SokiGuo-MSFT 31,551 Reputation points Microsoft External Staff

2024-08-30T07:11:10.1033333+00:00

Thanks for the reply, for this issue, I will submit this feedback on the official feedback portal.

Also, if you have any suggestions or ideas, it's suggested that you could post here. Hope Microsoft will notice this in the future. Thank you for your understanding and support!