Solved: The encryption method specified is not supported

  • Deovrat 

You probably landed on this article because you could not work out why your cPanel-based webmail account will not configure in Outlook 2007, most likely on a Windows machine.

I ran into a similar problem a few days back. I installed a fresh setup of WHM and activated one of my domains on it.

You will see the following error message:

Solution

Most likely you are using an older version of Outlook and Windows.
The issue is likely that the client connecting to the server is attempting to use a version of SSL/TLS that is not supported by the server's current configuration.

Version 68 of cPanel introduced new SSL ciphers to increase the security of the mail server; this enables TLS 1.2 and disables older SSL protocols such as TLS 1.0.
You can read more about this in the cPanel blog post "TLS Changes in Version 68": https://blog.cpanel.com/tls-changes-in-version-68/

Please keep in mind this is not a defect or an issue with cPanel, but an incompatibility with outdated client software.  Updating the client software to support TLS 1.2 will help maintain overall security.

There are two possible solutions:

1. Upgrade your Windows to support TLS 1.2

To enable TLS 1.2 for Windows 7, you will need to patch your system to modify the registry.
Be sure your system is fully updated through the update center, and then download and install the patch from Microsoft’s website here: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

After that is installed, be sure to reboot your local computer as well to ensure the patch was applied. Once you’re back online, please try to connect to the cPanel Webmail server again.

2. Configure cPanel to accept TLS 1.0

This can be done by making changes in WHM.

To enable TLS 1.0 on the WHM/cPanel server for compatibility, go to
WHM >> Home >> Service Configuration >> Exim Configuration Manager >> Basic Settings:

Ensure that “Allow weak SSL/TLS ciphers” is “Off”.

Change “SSL/TLS Cipher Suite List” to (this is one long line):
====
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
====

And change “Options for OpenSSL” to:
====
+no_sslv2 +no_sslv3
====

Then “Save” at the bottom of the page.

This will enable TLS 1.0, 1.1, and 1.2 and should provide compatibility with older mail servers and clients that only support TLS 1.0.

For Dovecot, go to
WHM >> Home >> Service Configuration >> Mailserver Configuration:

Change “SSL Cipher List” to (this is one long line):
====
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
====

Change “SSL Protocols” to:
====
!SSLv2 !SSLv3
====

Once that is enabled, or you have fully patched your Windows install, Windows should be able to connect to the server again.
Please keep in mind that while Option 2 allows greater compatibility with older software, it also reduces security by allowing clients to connect to the server using older SSL/TLS versions. It would be best to update the software (operating system and Outlook version) instead.
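To see what Option 2 actually exposes, the Python sketch below (an added example, not from the original article or from cPanel) parses the cipher list given above for Exim and Dovecot and reports which suites remain available to a client that tops out at TLS 1.0, flagging 3DES and suites without forward secrecy. Classifying by suite-name suffix is an assumption that holds for explicit OpenSSL suite names like those on this page, not for keywords such as HIGH.

```python
# Added example: audits the OpenSSL cipher string from this page (string parsing only).
PAGE_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # ephemeral (forward-secret) key exchange

def classify(suite):
    """Return (minimum protocol, set of weakness flags) for one suite name."""
    flags = set()
    aead = "GCM" in suite or "CHACHA20" in suite
    # AEAD suites and SHA256/SHA384 MACs require TLS 1.2; a plain "-SHA"
    # (HMAC-SHA1) suffix marks a suite that TLS 1.0/1.1 clients can use.
    tls12_only = aead or suite.endswith(("-SHA256", "-SHA384"))
    if "DES-CBC3" in suite:
        flags.add("3DES")                # 64-bit block cipher (Sweet32)
    if not suite.startswith(FS_PREFIXES):
        flags.add("no-forward-secrecy")  # static RSA key exchange
    return ("TLSv1.2" if tls12_only else "TLSv1.0"), flags

def audit(cipher_string):
    """Return ({suite: (min_protocol, flags)}, [operator tokens such as !DSS])."""
    suites, excluded = {}, []
    for token in filter(None, cipher_string.split(":")):
        if token[0] in "!-+@":
            excluded.append(token)
        else:
            suites[token] = classify(token)
    return suites, excluded

def legacy_suites(cipher_string):
    """Suites available to a TLS 1.0-only client, in server preference order."""
    suites, _ = audit(cipher_string)
    return [s for s, (proto, _) in suites.items() if proto == "TLSv1.0"]

if __name__ == "__main__":
    all_suites, _ = audit(PAGE_CIPHERS)
    for name in legacy_suites(PAGE_CIPHERS):
        print(name, sorted(all_suites[name][1]))
```

Every suite it lists uses HMAC-SHA1, so an old client never reaches the AEAD suites at the top of the list.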

Correct Ports for Outlook

Here I would suggest that you use only the SSL-enabled ports.

SSL enabled incoming POP: 995
SSL enabled incoming IMAP: 993
SSL enabled outgoing SMTP: 465

Non-SSL incoming POP: 110
Non-SSL incoming IMAP: 143
Non-SSL Outgoing SMTP: 587
