
I have disabled SSLv3 protocols in my Postfix configuration, and Outlook still tries to connect and I am getting the error: SSL_accept:failed in SSLv3 read client key exchange A

My main.cf:

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols  = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols           = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols            = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
smtp_tls_security_level = may

Thunderbird works without a problem.

Any ideas?

glts
rokkotnik
  • Hi, have you tried removing the update and then checking whether Outlook works properly? According to my research, there seems to be a similar question here: https://forums.freebsd.org/threads/postfix-tls-and-broken-ms-outlook-after-windows-october-2022-update.86777/#post-584554 – joyceshen Oct 17 '22 at 02:30

1 Answer

You don't mention what you have done at the client. Depending on which version of Windows and which version of Outlook you are using, there can be extra configuration required on the client to enable and use modern TLS.

For Windows 7, check Windows Update (or equivalent) for the TLS update: "Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP".

Be sure to read the article fully, as it is not sufficient to merely install the updates. You must also create new registry keys to actually enable the new protocols.

Enable TLS 1.1 and 1.2 on Windows 7 at the SChannel component level

Per the TLS-SSL Settings article, for TLS 1.1 and 1.2 to be enabled and negotiated on Windows 7, you MUST create the "DisabledByDefault" entry in the appropriate subkey (Client) and set it to "0". These subkeys will not be created in the registry since these protocols are disabled by default.

Doug
  • I am using Windows 10 Pro 21H2, which was updated 2 days ago (that is when Outlook stopped working). For Office I am using Outlook Professional Plus 2019. – rokkotnik Oct 14 '22 at 12:10
  • And using Nmap, if I check the mail server ciphers: nmap --script ssl-enum-ciphers -p 587 mail.yyyycom | grep TLSv or grep SSL I can only see TLSv1.2. So I don't know why Outlook would try to connect on SSLv3 – rokkotnik Oct 14 '22 at 12:22
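
A server-side cross-check of the configuration in the question, added here as an example and not part of the original posts: it works out which Postfix parameter governs inbound TLS at the configured security level and which protocol names the list leaves enabled. The function names are hypothetical, the sample is constructed from the question's main.cf, and the result is an upper bound because the linked OpenSSL build decides what is really offered.

```python
import re

# Protocol names Postfix accepts in these parameters, oldest first.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_main_cf(text):
    """Return {name: value}; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            params[name] = value
    return params

def allowed(spec):
    """Protocols left by '!name' exclusions or a '>=name' lower bound (Postfix 3.6+)."""
    keep = list(KNOWN)
    for tok in filter(None, re.split(r"[\s,:]+", spec)):
        if tok.startswith("!") and tok[1:] in KNOWN:
            keep = [p for p in keep if p != tok[1:]]
        elif tok.startswith(">=") and tok[2:] in KNOWN:
            keep = [p for p in keep if KNOWN.index(p) >= KNOWN.index(tok[2:])]
        else:
            raise ValueError(f"unsupported token: {tok!r}")  # other forms are out of scope here
    return keep

def smtpd_effective(params):
    """Pick the list that applies to inbound sessions for smtpd_tls_security_level."""
    # Assumption: the legacy smtpd_use_tls / smtpd_enforce_tls switches are not in use.
    level = params.get("smtpd_tls_security_level", "")
    if level == "encrypt":
        name = "smtpd_tls_mandatory_protocols"   # mandatory TLS
    elif level == "may":
        name = "smtpd_tls_protocols"             # opportunistic TLS
    else:
        return None, []                          # TLS is not offered to clients
    return name, allowed(params[name])

# Constructed sample: the server-side lines from the question's main.cf.
SAMPLE = """\
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols           = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = may
"""

if __name__ == "__main__":
    name, protos = smtpd_effective(parse_main_cf(SAMPLE))
    print(f"{name}: {', '.join(protos)}")
```

With the security level set to may, the list in smtpd_tls_protocols is the one that applies to inbound sessions, and it leaves only TLSv1.2 and TLSv1.3, which is consistent with the Nmap result in the comment above.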