.43 --> .44 broke Outlook 2007, Outlook 2010 IMAP?

Hello,
I updated to .44, and now suddenly I am unable to send or receive email via new or existing Outlook 2010 / 2007 installations. Curious if this is something broken across the board or if I am special.

Outlook 2010 gives:
Log onto incoming mail server (IMAP): A secure connection to the server cannot be established.
Send test e-mail message: Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.

Client is configured to use incoming port 993 SSL, outgoing 587 TLS.

Mail.log output from a failed connection:

Feb 21 13:18:54 mail postfix/submission/smtpd[29890]: connect from unknown[216.243.30.3]
Feb 21 13:18:54 mail postfix/submission/smtpd[29890]: SSL_accept error from unknown[216.243.30.3]: -1
Feb 21 13:18:54 mail postfix/submission/smtpd[29890]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:…/ssl/statem/statem_srvr.c:1655:
Feb 21 13:18:54 mail postfix/submission/smtpd[29890]: lost connection after STARTTLS from unknown[216.243.30.3]
Feb 21 13:18:54 mail postfix/submission/smtpd[29890]: disconnect from unknown[216.243.30.3] ehlo=1 starttls=0/1 commands=1/2
Feb 21 13:19:02 imap-login: Info: Login: user=alex@apmnerdery.com, method=PLAIN, rip=50.251.236.13, lip=50.251.236.11, mpid=29892, TLS, session=<1/Yekhyf5sEy++wN>
Feb 21 13:19:04 imap(alex@apmnerdery.com): Info: Connection closed (UID FETCH finished 0.122 secs ago) in=15871 out=125515

Any advice is welcome,
-Alex

Those email clients do not support the modern TLS encryption protocols. It is time to upgrade.

The most recent upgrade of MiaB removed depreciated TLS versions.

From Wikipedia:

In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020.[11]

This worked in .43, is there a way to rollback? I feel like this should have been mentioned somewhere, since the docs all still describe Windows 7 and Outlook 2007 as supported.

It was the very first item in the changelog which presumably you read before performing the upgrade.

Guess I didn’t fully understand the implications of that, thanks for pointing that out!
Are you aware of any way that Outlook 2007 or 2010 can be made to work with .44? If not, is there any way I can roll back to .43?
I just need to prepare my userbase for a change like this; I wish I could just force everyone to use webmail or Thunderbird but people are married to their damn Outlook clients.

Without breaking NextCloud? I don’t think so.

The only thing I can suggest is to educate your client base that they need to keep on top of software upgrades … 10 and 13 year old email clients? Sadly people want to cut corners whenever they can – and this is one example of the consequences. As I pointed out earlier, the depreciation was announced a year and a half ago … so your clients should be mad at their email client vendor for not warning them, not you.

Of course, they won’t see it that way.

I want to step in here…

Rolling back isn’t possible if you use any of the Nextcloud components because Nextcloud doesn’t support migrating database schemas backwards for earlier versions. If you aren’t using Nextcloud, it may be possible to simply install the previous version of Mail-in-a-Box (I think there are instructions in the README on GitHub for installing a particular version). But rolling back isn’t something the project supports, so your mileage may vary.

There’s nothing preventing you from making modifications to the box or the source code of Mail-in-a-Box to roll back just the parts of v0.44 that you need, and the TLS changes weren’t forced by anything else — nothing will break if you roll back just that part. The GitHub history of the changes should be fairly clear and would indicate what needs to be changed. (git revert ... would be one way to do it.) Just note that there are several git commits related to this because I already rolled back part of it prior to the release.

Thanks both of you for taking the time to field my questions.
I don’t think I want to attempt to roll back my current box; is there anything preventing me from using the exact same process followed to get from .3x to .4 (taking a backup, deploying a new VM on .43, restoring said backup)? That would allow me to give my userbase some additional notice.
I do understand that Office 2007 is well past EOL, but office 2010 is still supported by Microsoft through October. My users will push back if I try and force them to bump up their license before then!

Rebuilding the VM, installing .43, and restoring my backup (sans /home/user-data/owncloud) did the trick for now.

Alternatively until you can get your clients to upgrade, you can temporarily re-enable TLS1 and TLS1.1 connections on your server by modifying your /etc/postfix/main.cf file, as described here: