The Email Clients Experience Issues After Zimbra Update: Zimbra Daffodil 10.0.2, 9.0.0 Patch-34 & 8.8.15 Patch-41


After patching Zimbra Daffodil to version 10.0.2, 9.0.0 Patch-34 & 8.8.15 Patch-41, some email clients like Outlook experienced access issues. This was due to updates made to the OpenSSL version in use. Considering that many users are still using older versions of email clients, I have decided to temporarily use weak ciphers, then gradually upgrade the version of Outlook being used.

Warning: Disabling FIPS and enabling weak ciphers is strongly discouraged. Use this workaround only as a temporary solution, and upgrade your email clients as soon as possible.

For this process, I followed the guidelines from the Zimbra forum.


# Method 1: Adding SECLEVEL=0 to zimbraReverseProxySSLCiphers

Get the current configuration:

```bash
zmprov gcf zimbraReverseProxySSLCiphers
```

Below is my current configuration


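Add the text “:@SECLEVEL=0” at the end of the current value. This sets the OpenSSL security level to 0, which lifts the library's minimum-strength requirements for ciphers, key sizes and protocol versions.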


Restart Zimbra services:

```bash
zmcontrol restart
```

# Method 2: Adding Configuration to the openssl.cnf File

Run as root. Disable the FIPS provider:

```bash
cd /opt/zimbra/common/etc/ssl
cp openssl-source.cnf openssl.cnf
```

Open the openssl.cnf file:

```bash
vi /opt/zimbra/common/etc/ssl/openssl.cnf
```

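Add the following lines at the bottom:

```ini
# ssl_conf must sit in the section named by the openssl_conf setting.
# [openssl_init] is the name used in the stock OpenSSL 3 openssl.cnf (assumed here).
[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=0
```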

Restart Zimbra services:

```bash
su - zimbra -c 'zmcontrol restart'
```

# Method 3: Replace OpenSSL

I manually compiled OpenSSL to support weak ciphers and 3DES.

Download the precompiled OpenSSL from here: Please choose the build that matches your OS. Save it in the /opt folder.

For example, I use Ubuntu 20.04

Run as root. Disable the FIPS provider:

```bash
cd /opt/zimbra/common/etc/ssl
cp openssl-source.cnf openssl.cnf
```

Back up the current libssl:

```bash
mkdir /opt/zimbra/common/lib/backup-openssl/
cp /opt/zimbra/common/lib/ /opt/zimbra/common/lib/backup-openssl/`date +"%Y%m%d%H%M%S"`
cp /opt/zimbra/common/lib/ /opt/zimbra/common/lib/backup-openssl/`date +"%Y%m%d%H%M%S"`
```

Replace OpenSSL:

```bash
cd /opt/
tar -xvf openssl309-ubuntu20.tgz
cd /opt/openssl309/lib64/
cp /opt/zimbra/common/lib/
```

Restart Zimbra services:

```bash
su - zimbra -c 'zmcontrol restart'
```

If there are issues when restarting Zimbra, try copying the file as well and then restarting the service:

```bash
cp /opt/zimbra/common/lib/
```

# Testing

Check if 3DES is already available:

```bash
openssl ciphers -v ALL | grep -i 3des
```

Test the connection:

```bash
openssl s_client -connect `hostname -f`:993 -tls1
openssl s_client -connect `hostname -f`:993 -tls1_1
```
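Reading the result of these tests is easy to get wrong: the `-tls1_1` output quoted in the comments below ends with `Verify return code: 0 (ok)` even though the server rejected the handshake. The script below is an added example, not part of the original post; it classifies `openssl s_client` output by the negotiated cipher and probes each protocol flag, so you can also confirm that legacy versions are off again once the workaround is rolled back. The names `classify_handshake` and `probe` and the `ACCEPTED` sample are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): decide from `openssl s_client`
# output whether a handshake completed. "Verify return code: 0 (ok)" is not a
# success signal; the negotiated cipher is.

# Reads s_client output on stdin.
# Prints "accepted <protocol> <cipher>" or "rejected alert=<number>".
classify_handshake() {
  awk '
    /SSL alert number/     { alert  = $NF }   # TLS alert number sent by the peer
    /^ *New, .*Cipher is / { cipher = $NF }   # (NONE) when nothing was negotiated
    /^ *Protocol *:/       { proto  = $NF }   # protocol of the session, e.g. TLSv1.1
    END {
      if (cipher == "" || cipher == "(NONE)")
        printf "rejected alert=%s\n", (alert == "" ? "?" : alert)
      else
        printf "accepted %s %s\n", proto, cipher
    }'
}

# Probe host:port with each protocol flag (hypothetical helper; needs network access).
probe() {
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    printf '%s %s: ' "$1" "$flag"
    openssl s_client -connect "$1" "$flag" </dev/null 2>&1 | classify_handshake
  done
}

# Rejected handshake: lines taken from the -tls1_1 output quoted in the comments.
REJECTED='139891355219776:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000
    Verify return code: 0 (ok)'

# Accepted handshake: constructed sample, not captured from a real server.
ACCEPTED='New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 0 (ok)'

printf '%s\n' "$REJECTED" | classify_handshake
printf '%s\n' "$ACCEPTED" | classify_handshake
```

Run `probe "$(hostname -f):993"` on the mail server to check the IMAPS listener. An OpenSSL 3 client refuses TLS 1.0/1.1 at its own default security level, so when probing from such a client add `-cipher 'DEFAULT:@SECLEVEL=0'` to the `s_client` call, otherwise the failure is local and says nothing about the server.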

Good luck 🙂



  1. Thank you very, very much for sharing how you solved this problem. I did procedure 3 on CentOS 7 and it enabled TLSv1 and TLSv1.1.

  2. Hi Iman,
    Can you provide some details to enable Zimbra Two-Factor Authentication (2FA)?
    I am using Release 8.8.15 FOSS edition and wanted to enable the 2FA on my server.

  3. I tried Method #1/#2 and could not get Outlook 2016 to work on Windows 7.

    I tried running
    openssl s_client -connect `hostname -f`:993 -tls1_1
    139891355219776:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 7 bytes and written 134 bytes
    Verification: OK

    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Protocol : TLSv1.1
    Cipher : 0000
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1702969253
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
