Contributor
•
23 Messages
TLS 1.2 Upgrade for Windows 7 not working for Outlook
I applied the Microsoft update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows 7 (KB3140245). I verified that the correct registry entries were set. I made no changes to Outlook settings that worked with TLS 1.1 (see settings below.) I ran the test in the Outlook configuration setup. Receiving (POP3) works, but the session is disconnected before sending (SMTP.) Below are the trace logs of the SMTP test.
Any idea as to what I am missing in my update? Do the logs tell me anything?
Outlook Settings:
POP3 Port: 995 with SSL via mail.comcast.net
SMTP Port: 587 with TLS via smtp.comcast.net
Trace Logs of test:
OPMLog.log:
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 220 resomta-h1p-027913.sys.comcast.net resomta-h1p-027913.sys.comcast.net ESMTP server ready
2023.03.31 16:22:26 SMTP (smtp.comcast.net): [tx] EHLO Systemax
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-resomta-h1p-027913.sys.comcast.net hello [67.189.77.87], pleased to meet you
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-HELP
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-SIZE 36700160
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-ENHANCEDSTATUSCODES
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-8BITMIME
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-STARTTLS
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250 OK
2023.03.31 16:22:26 SMTP (smtp.comcast.net): Securing connection
2023.03.31 16:22:26 SMTP (smtp.comcast.net): [tx] STARTTLS
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 220 2.0.0 Ready to start TLS
2023.03.31 16:22:26 SMTP (smtp.comcast.net): Securing connection
2023.03.31 16:22:26 SMTP (smtp.comcast.net): Connected to host
2023.03.31 16:22:26 SMTP (smtp.comcast.net): [tx] EHLO Systemax
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-resomta-h1p-027913.sys.comcast.net hello [67.189.77.87], pleased to meet you
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-HELP
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-AUTH LOGIN PLAIN XOAUTH2
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-SIZE 36700160
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-ENHANCEDSTATUSCODES
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250-8BITMIME
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 250 OK
2023.03.31 16:22:26 SMTP (smtp.comcast.net): Authorizing to server
2023.03.31 16:22:26 SMTP (smtp.comcast.net): [tx] AUTH LOGIN
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 334 VXNlcm5hbWU6
2023.03.31 16:22:26 SMTP (smtp.comcast.net): [tx] ************************
2023.03.31 16:22:26 SMTP (smtp.comcast.net): <rx> 334 UGFzc3dvcmQ6
2023.03.31 16:22:26 SMTP (smtp.comcast.net): [tx] *****
2023.03.31 16:22:26 SMTP (smtp.comcast.net): Disconnected from host
2023.03.31 16:22:26 SMTP (smtp.comcast.net): End execution
2023.03.31 16:22:26 mail.comcast.net: ReportStatus: RSF_COMPLETED, hr = 0x800ccc0f
2023.03.31 16:22:26 mail.comcast.net: Synch operation completed
mailcomcastnet-Outgoing-03_31_2023-16_26_08_789.log:
2023.03.31 16:26:08 SMTP (smtp.comcast.net): Port: 587, Secure: TLS, SPA: no
2023.03.31 16:26:08 SMTP (smtp.comcast.net): Finding host
2023.03.31 16:26:08 SMTP (smtp.comcast.net): Connected to host
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 220 resomta-h1p-027911.sys.comcast.net resomta-h1p-027911.sys.comcast.net ESMTP server ready
2023.03.31 16:26:09 SMTP (smtp.comcast.net): [tx] EHLO Systemax
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-resomta-h1p-027911.sys.comcast.net hello [67.189.77.87], pleased to meet you
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-HELP
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-SIZE 36700160
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-ENHANCEDSTATUSCODES
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-8BITMIME
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-STARTTLS
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250 OK
2023.03.31 16:26:09 SMTP (smtp.comcast.net): Securing connection
2023.03.31 16:26:09 SMTP (smtp.comcast.net): [tx] STARTTLS
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 220 2.0.0 Ready to start TLS
2023.03.31 16:26:09 SMTP (smtp.comcast.net): Securing connection
2023.03.31 16:26:09 SMTP (smtp.comcast.net): Connected to host
2023.03.31 16:26:09 SMTP (smtp.comcast.net): [tx] EHLO Systemax
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-resomta-h1p-027911.sys.comcast.net hello [67.189.77.87], pleased to meet you
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-HELP
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-AUTH LOGIN PLAIN XOAUTH2
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-SIZE 36700160
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-ENHANCEDSTATUSCODES
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-8BITMIME
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250 OK
2023.03.31 16:26:09 SMTP (smtp.comcast.net): Authorizing to server
2023.03.31 16:26:09 SMTP (smtp.comcast.net): [tx] AUTH LOGIN
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 334 VXNlcm5hbWU6
2023.03.31 16:26:09 SMTP (smtp.comcast.net): [tx] ************************
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 334 UGFzc3dvcmQ6
2023.03.31 16:26:09 SMTP (smtp.comcast.net): [tx] *****
2023.03.31 16:26:09 SMTP (smtp.comcast.net): Disconnected from host
Accepted Solution
senpai46
Contributor
•
23 Messages
2 years ago
Important Update:
I verified that my other email account supported both TLS 1.1 and 1.2. With the TLS 1.2-only registry changes in effect, my other email account fails! Returning the registry keys back to allowing both TLS versions, the other email account works OK. This implies that TLS 1.1 is the only version working even with the Microsoft patches installed to allow both versions. That means the problem is local to my PC only. Hopefully, no one else is having this problem with Windows 7/Outlook.
I appreciate all the time you have taken to help me.
Thank you.
(edited)
0
flatlander3
Problem Solver
•
1.5K Messages
2 years ago
First, in both cases, after the line "VXNlcm5hbWU6" (base64 for Username:), blank out the base64 gibberish on the next line from your post. That's personal information and your mailbox name. Don't give em half the key.
Which version of Outlook?
One thing you can check, is go to the control panel -> mail. Select the comcast account -> change. On that popup go to More Settings. On the Outgoing Server tab, make sure "My Outgoing (SMTP) server requires authentication" is checked. Since your inbound mail works, it's probably fine to select "Same settings as my incoming mail server".
It's not selected by default when an account is created, and maybe Outlook turned it off on you if you changed something else. Outlook is a bit wonky that way, but that could be one reason why you are getting dumped after the password line. If you entered values manually there, try to enter them again, or try the "same as incoming" option. If either the username or password is wrong, you'll get dumped at that point too.
1
0
flatlander3
Problem Solver
•
1.5K Messages
2 years ago
Yes, that is strange. I don't have an old Outlook 2007 instance to try out, but:
Just for a quick sanity check, try to get to webmail using Xfinity's front door at https://xfinity.com (email link there). Verify the password you are using is working there, and you are getting to the right mailbox. While you are in there, click the gear icon in the top right to get into settings. On the left side, in the "security" tab, make sure the "allow 3rd party access" box is checked: https://www.xfinity.com/support/articles/third-party-email-access Maybe that got reset or munged somehow. Maybe uncheck it and check it again.
That's probably not the problem if you can get inbound mail, but it can't hurt to check.
Try the other radio box for manually entering a username and password. For the username, use your full Xfinity email address -- YourEmail(at)comcast.net, and try the same password you just used on webmail and run the test again. The thought is, the inbound may be using your email address and not logging it that way, but maybe old Outlook might be dropping the @comcast.net part for SMTP. I remember something vaguely about a problem like that back in the day. Your log says you were using just the username part before you edited it.
If I log in directly with openssl: openssl s_client -connect smtp.comcast.net:587 -starttls smtp , full email is the username SMTP is looking for -- at least on my account. I don't know if that's true globally, or if legacy users have a different format.
If that isn't it, then trying to contact @XfinityCSAEmail to poke at log files to see why it's dumping you may have to happen. (perhaps they'll pick this up and send the private message link if I mention them)
0
0
XfinityAlex
Official Employee
•
902 Messages
2 years ago
@senpai46 Are you sure this configuration will enable Outlook 2007 to support TLSv1.2? The TLSv1.2 spec was not published until 2008.
https://www.xfinity.com/support/articles/tls
If you look at the article above, we're moving toward disabling the ability to use TLSv1.0 and TLSv1.1. You will still be able to use the webmail (https://connect.xfinity.com) to send/receive email.
0
0
flatlander3
Problem Solver
•
1.5K Messages
2 years ago
@XfinityAlex and @senpai46 Welp, that's the thing. Looking at the log in the original post, for the SMTP server:
2023.03.31 16:26:09 SMTP (smtp.comcast.net): [tx] STARTTLS
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 220 2.0.0 Ready to start TLS
2023.03.31 16:26:09 SMTP (smtp.comcast.net): Securing connection
2023.03.31 16:26:09 SMTP (smtp.comcast.net): Connected to host
2023.03.31 16:26:09 SMTP (smtp.comcast.net): [tx] EHLO Systemax
2023.03.31 16:26:09 SMTP (smtp.comcast.net): <rx> 250-resomta-h1p-027911.sys.comcast.net hello [67.189.77.87], pleased to meet you
So right there, if TLS1_2 wasn't active, he would have gotten the boot right away. Let's try it:
openssl s_client -connect smtp.comcast.net:587 -starttls smtp -no_tls1_2
CONNECTED(00000003)
4047BADD667F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 302 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
# (kicked. back to my command prompt)
OK. Try to talk to it with telnet and mimic the log:
telnet smtp.comcast.net 587
Trying 96.102.18.195...
Connected to smtp-p.gslb4.comcast.com.
Escape character is '^]'.
220 resomta-c1p-023266.sys.comcast.net resomta-c1p-023266.sys.comcast.net ESMTP server ready
ehlo mytestbox
250-resomta-c1p-023266.sys.comcast.net hello [69.55.224.30], pleased to meet you
250-HELP
250-SIZE 36700160
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-STARTTLS
250 OK
starttls
220 2.0.0 Ready to start TLS
ehlo mytestboxagain
Connection closed by foreign host.
# (kicked again -- of course -- that was telnet to port 587 without SSL, it shouldn't work)
OK, let's try openssl again with TLS1.2, but I'm going to supply garbage for a username and password: (you don't have tls1_3 enabled).
openssl s_client -connect smtp.comcast.net:587 -starttls smtp -tls1_2
250 OK
ehlo myboxagain
250-resomta-a1p-076784.sys.comcast.net hello [47.5.200.24], pleased to meet you
250-HELP
250-AUTH LOGIN PLAIN XOAUTH2
250-SIZE 36700160
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 OK
auth login
334 VXNlcm5hbWU6 (Username:)
bWVAYy5jb20K (me(at)c.com)
334 UGFzc3dvcmQ6 (Password:)
YmFkcGFzc3dvcmQK (badpassword)
535 5.7.0 ...authentication rejected
closed
Now Outlook didn't record 5.7.0 according to his log -- it just dumped him -- but we don't know how exactly logging works in Outlook 2007 because it's closed source. If I use my actual username(at)comcast.net/password I can authenticate.
So I guess the question is, can you look at the logs, or set password debug on dovecot and see if Outlook is sending username(at)comcast.net, or is it sending just username? Also, what is the proper login format your SMTP server is expecting? Is it the same globally? mailbox(at)comcast.net, or does it vary depending on legacy clients?
(edited)
0
0
XfinityAlex
Official Employee
•
902 Messages
2 years ago
As we march toward this disabling of TLSv1.0 and TLSv1.1, we've created an exempted set of UIDs for using lower/deprecated versions of TLS. Those will go away in the coming weeks. If your name is not currently on that list, you will not be able to send using those deprecated versions. If I look at the username associated with @senpai46 's account, they appear to be hitting that restriction. That's why I asked about Outlook 2007 and TLSv1.2.
I see https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392
But I don't know that this will affect Outlook 2007 in any useful way.
0
senpai46
Contributor
•
23 Messages
2 years ago
I appreciate everyone's help. Here are a few more details.
First, I am using Outlook because I have more than one email account not from Comcast. I prefer to get my email in one place, especially where I can apply rules and visual and audible alerts to notify me. That is why I prefer not to use the Webmail for Comcast. My other email account has both TLS 1.1 and 1.2 enabled. I am not sure which one my Outlook is using, but it works ok.
Second, I did apply the upgrade from the Microsoft article @XfinityAlex referenced. Specifically, "MicrosoftEasyFix51044.msi" and "windows6.1-kb3140245-x64_5b067ffb69a94a6e5f9da89ce88c658e52a0dec0.msu". I verified all of the registry key values referenced in the article. They are set to allow both TLS 1.1 and TLS 1.2.
Third, I did create a trace log test two days before applying the patches of the cutoff of April 1st. It appeared that TLS 1.1 was disabled before April 1st. See the trace log below. I verified this with Microsoft's online tests at Microsoft Remote Connectivity Analyzer. Trace log tests from March 31 all appear as shown in the first message.
I would really like to know what the mail server end is seeing. Is there any way we can test this?
mailcomcastnet-Outgoing-03_30_2023-22_38_28_991.log
2023.03.30 22:38:28 SMTP (smtp.comcast.net): Port: 587, Secure: TLS, SPA: no
2023.03.30 22:38:28 SMTP (smtp.comcast.net): Finding host
2023.03.30 22:38:29 SMTP (smtp.comcast.net): Connected to host
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 220 resomta-c1p-023810.sys.comcast.net resomta-c1p-023810.sys.comcast.net ESMTP server ready
2023.03.30 22:38:29 SMTP (smtp.comcast.net): [tx] EHLO Systemax
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-resomta-c1p-023810.sys.comcast.net hello [67.189.77.87], pleased to meet you
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-HELP
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-SIZE 36700160
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-ENHANCEDSTATUSCODES
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-8BITMIME
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-STARTTLS
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250 OK
2023.03.30 22:38:29 SMTP (smtp.comcast.net): Securing connection
2023.03.30 22:38:29 SMTP (smtp.comcast.net): [tx] STARTTLS
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 220 2.0.0 Ready to start TLS
2023.03.30 22:38:29 SMTP (smtp.comcast.net): Securing connection
2023.03.30 22:38:29 SMTP (smtp.comcast.net): Connected to host
2023.03.30 22:38:29 SMTP (smtp.comcast.net): [tx] EHLO Systemax
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-resomta-c1p-023810.sys.comcast.net hello [67.189.77.87], pleased to meet you
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-HELP
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-AUTH LOGIN PLAIN XOAUTH2
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-SIZE 36700160
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-ENHANCEDSTATUSCODES
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250-8BITMIME
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 250 OK
2023.03.30 22:38:29 SMTP (smtp.comcast.net): Authorizing to server
2023.03.30 22:38:29 SMTP (smtp.comcast.net): [tx] AUTH LOGIN
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 334 VXNlcm5hbWU6
2023.03.30 22:38:29 SMTP (smtp.comcast.net): [tx] *******************
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 334 UGFzc3dvcmQ6
2023.03.30 22:38:29 SMTP (smtp.comcast.net): [tx] *****
2023.03.30 22:38:29 SMTP (smtp.comcast.net): <rx> 535 5.7.0 TLSv1.2 or higher is required. See https://www.xfinity.com/TLS
2023.03.30 22:38:29 SMTP (smtp.comcast.net): Retrying authorization
2023.03.30 22:38:31 SMTP (smtp.comcast.net): Finding host
2023.03.30 22:38:31 SMTP (smtp.comcast.net): Connected to host
2023.03.30 22:38:34 SMTP (smtp.comcast.net): <rx> 220 resomta-c1p-022589.sys.comcast.net resomta-c1p-022589.sys.comcast.net ESMTP server ready
2023.03.30 22:38:34 SMTP (smtp.comcast.net): [tx] EHLO Systemax
2023.03.30 22:38:34 SMTP (smtp.comcast.net): <rx> 250-resomta-c1p-022589.sys.comcast.net hello [67.189.77.87], pleased to meet you
2023.03.30 22:38:34 SMTP (smtp.comcast.net): <rx> 250-HELP
2023.03.30 22:38:34 SMTP (smtp.comcast.net): <rx> 250-SIZE 36700160
2023.03.30 22:38:34 SMTP (smtp.comcast.net): <rx> 250-ENHANCEDSTATUSCODES
2023.03.30 22:38:34 SMTP (smtp.comcast.net): <rx> 250-8BITMIME
2023.03.30 22:38:34 SMTP (smtp.comcast.net): <rx> 250-STARTTLS
2023.03.30 22:38:34 SMTP (smtp.comcast.net): <rx> 250 OK
2023.03.30 22:38:34 SMTP (smtp.comcast.net): Securing connection
2023.03.30 22:38:34 SMTP (smtp.comcast.net): [tx] STARTTLS
2023.03.30 22:38:34 SMTP (smtp.comcast.net): <rx> 220 2.0.0 Ready to start TLS
2023.03.30 22:38:34 SMTP (smtp.comcast.net): Securing connection
2023.03.30 22:38:35 SMTP (smtp.comcast.net): Connected to host
2023.03.30 22:38:35 SMTP (smtp.comcast.net): [tx] EHLO Systemax
2023.03.30 22:38:35 SMTP (smtp.comcast.net): <rx> 250-resomta-c1p-022589.sys.comcast.net hello [67.189.77.87], pleased to meet you
2023.03.30 22:38:35 SMTP (smtp.comcast.net): <rx> 250-HELP
2023.03.30 22:38:35 SMTP (smtp.comcast.net): <rx> 250-AUTH LOGIN PLAIN XOAUTH2
2023.03.30 22:38:35 SMTP (smtp.comcast.net): <rx> 250-SIZE 36700160
2023.03.30 22:38:35 SMTP (smtp.comcast.net): <rx> 250-ENHANCEDSTATUSCODES
2023.03.30 22:38:35 SMTP (smtp.comcast.net): <rx> 250-8BITMIME
2023.03.30 22:38:35 SMTP (smtp.comcast.net): <rx> 250 OK
2023.03.30 22:38:35 SMTP (smtp.comcast.net): Authorizing to server
2023.03.30 22:38:35 SMTP (smtp.comcast.net): [tx] AUTH LOGIN
2023.03.30 22:38:35 SMTP (smtp.comcast.net): <rx> 334 VXNlcm5hbWU6
2023.03.30 22:38:35 SMTP (smtp.comcast.net): [tx] *******************
2023.03.30 22:38:35 SMTP (smtp.comcast.net): <rx> 334 UGFzc3dvcmQ6
2023.03.30 22:38:35 SMTP (smtp.comcast.net): [tx] *****
2023.03.30 22:38:35 SMTP (smtp.comcast.net): Disconnected from host
0
0
flatlander3
Problem Solver
•
1.5K Messages
2 years ago
That's another potential problem. On any gear I run, I don't allow renegotiation for security protocols (or tls 1.0/1.1 in the first place). That might not be working if you did the initial connect, then changed to TLS 1.2.
There really shouldn't be a need to keep TLS 1.0/1.1 around anyway these days. Even most web browsers have discontinued it. From @XfinityAlex 's link:
the reg key should be:
0x00000800
Enable TLS 1.2 by default
Have you tried changing the SMTP login from just "username" to "mailboxName(at)comcast.net"? What should that login be? Your mailbox name. How do you find that? https://idm.xfinity.com/myaccount/lookup?execution=e1s1
*Note: I'm using (at) for the @ symbol because the bot flags email addresses and will mark the post private if I do not.
The other thing is Windows 7 is a bit sketch these days. If you really need it for an application, fine, but it's a pretty big risk for email (lecture over).
(edited)
0
0
XfinityAlex
Official Employee
•
902 Messages
2 years ago
The MS Analyzer is seeing the lack of exemption I talked about earlier. We currently allow you to negotiate with TLSv1/v1.1, but if you're not exempted, you cannot continue to send the message. In the coming weeks, the ability to negotiate those older versions of TLS will go away completely.
I'd suggest trying the key that flatlander mentioned, mostly because unless you really need it, you should be using TLSv1.2 as your lowest option.
(And I wasn't trying to suggest there's anything wrong with using a third-party client)
(edited)
0
0
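An added example (not code from any poster, Comcast or Microsoft) that reads an Outlook SMTP trace in the format posted in this thread and reports, per connection, whether EHLO was answered after STARTTLS, which 334 prompts the server sent, and how the session ended. The sample log is constructed with placeholder host names, and the outcome labels are this example's own.

```python
import base64
import re

# "<date> <time> SMTP (<server>): [<rx> |[tx] ]<text>", the trace format posted in this thread.
LINE = re.compile(r"^(\S+ \S+) SMTP \([^)]*\): (?:(<rx>|\[tx\]) )?(.*)$")

def parse_sessions(text):
    """Return one record per connection; a server banner starts a new one."""
    sessions, cur, last_tx, starttls_ok = [], None, "", False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. "mail.comcast.net: ReportStatus ..." lines
        ts, direction, body = m.groups()
        if direction == "<rx>" and body.startswith("220 ") and last_tx != "STARTTLS":
            cur = {"start": ts, "tls": False, "mechs": [], "prompts": [],
                   "answers": 0, "reply": None, "closed": False}
            sessions.append(cur)
            last_tx, starttls_ok = "", False
        elif cur is None:
            continue
        elif direction == "[tx]":
            if len(cur["prompts"]) > cur["answers"]:
                cur["answers"] += 1  # masked answer to a 334 prompt
            last_tx = (body.split() or [""])[0].upper()
        elif direction == "<rx>":
            if body.startswith("220 "):  # reply to STARTTLS
                starttls_ok = True
            elif body.startswith("250") and starttls_ok and last_tx == "EHLO":
                cur["tls"] = True  # EHLO answered inside the TLS tunnel
                if body[4:].upper().startswith("AUTH "):
                    cur["mechs"] = body[4:].split()[1:]
            elif body.startswith("334 "):  # base64-encoded prompt
                prompt = base64.b64decode(body.split()[1])
                cur["prompts"].append(prompt.decode("ascii", "replace"))
            elif re.match(r"[45]\d\d ", body):
                cur["reply"] = body
        elif body == "Disconnected from host":
            cur["closed"] = True
    return sessions

def classify(s):
    """Label how a session ended (labels are this example's own)."""
    if not s["tls"]:
        return "no-tls"
    if s["reply"] and s["reply"].startswith("535") and "TLSv1.2" in s["reply"]:
        return "tls-version-rejected"  # handshake done, but below the server's minimum
    if s["reply"]:
        return "auth-rejected"
    if s["answers"] >= 2 and s["closed"]:
        return "dropped-after-credentials"  # no server reply was logged
    return "incomplete"

# Constructed sample modelled on the 30 March trace; host names are placeholders.
def lines_for(ts, bodies):
    return [f"{ts} SMTP (smtp.example.net): {b}" for b in bodies]

COMMON = [
    "<rx> 220 mta1.example.net ESMTP server ready", "[tx] EHLO testbox",
    "<rx> 250-STARTTLS", "<rx> 250 OK", "[tx] STARTTLS",
    "<rx> 220 2.0.0 Ready to start TLS", "Securing connection", "[tx] EHLO testbox",
    "<rx> 250-AUTH LOGIN PLAIN XOAUTH2", "<rx> 250 OK", "[tx] AUTH LOGIN",
    "<rx> 334 VXNlcm5hbWU6", "[tx] ********", "<rx> 334 UGFzc3dvcmQ6", "[tx] *****",
]
SAMPLE_LOG = "\n".join(
    lines_for("2023.03.30 22:38:29",
              COMMON + ["<rx> 535 5.7.0 TLSv1.2 or higher is required.",
                        "Retrying authorization"])
    + lines_for("2023.03.30 22:38:35", COMMON + ["Disconnected from host"])
)

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s["start"], classify(s), s["prompts"], s["mechs"])
```

A session with `tls` set only shows that some TLS version was negotiated; the trace does not record which one, so the server's 535 text is the only version evidence in the log.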
senpai46
Contributor
•
23 Messages
2 years ago
Here are the results of the suggested changes. While I did get different results, none of them were successful. Got any additional ideas? I really appreciate all your help.
Test 1: Changing <user id> to <user id>@comcast.net without changing registry keys resulted in additional trace log info from the point where it stopped in the original trace log. It appeared to retry and then disconnected at the same point again.
.
.
.
2023.04.04 14:00:50 SMTP (smtp.comcast.net): <rx> 535 5.7.0 TLSv1.2 or higher is required. See https://www.xfinity.com/TLS
2023.04.04 14:00:50 SMTP (smtp.comcast.net): Retrying authorization
2023.04.04 14:00:53 SMTP (smtp.comcast.net): Finding host
2023.04.04 14:00:53 SMTP (smtp.comcast.net): Connected to host
2023.04.04 14:00:53 SMTP (smtp.comcast.net): <rx> 220 resomta-c1p-022590.sys.comcast.net resomta-c1p-022590.sys.comcast.net ESMTP server ready
2023.04.04 14:00:53 SMTP (smtp.comcast.net): [tx] EHLO Systemax
2023.04.04 14:00:53 SMTP (smtp.comcast.net): <rx> 250-resomta-c1p-022590.sys.comcast.net hello [67.189.77.87], pleased to meet you
2023.04.04 14:00:53 SMTP (smtp.comcast.net): <rx> 250-HELP
2023.04.04 14:00:53 SMTP (smtp.comcast.net): <rx> 250-SIZE 36700160
2023.04.04 14:00:53 SMTP (smtp.comcast.net): <rx> 250-ENHANCEDSTATUSCODES
2023.04.04 14:00:53 SMTP (smtp.comcast.net): <rx> 250-8BITMIME
2023.04.04 14:00:53 SMTP (smtp.comcast.net): <rx> 250-STARTTLS
2023.04.04 14:00:53 SMTP (smtp.comcast.net): <rx> 250 OK
2023.04.04 14:00:53 SMTP (smtp.comcast.net): Securing connection
2023.04.04 14:00:53 SMTP (smtp.comcast.net): [tx] STARTTLS
2023.04.04 14:00:53 SMTP (smtp.comcast.net): <rx> 220 2.0.0 Ready to start TLS
2023.04.04 14:00:53 SMTP (smtp.comcast.net): Securing connection
2023.04.04 14:00:54 SMTP (smtp.comcast.net): Connected to host
2023.04.04 14:00:54 SMTP (smtp.comcast.net): [tx] EHLO Systemax
2023.04.04 14:00:54 SMTP (smtp.comcast.net): <rx> 250-resomta-c1p-022590.sys.comcast.net hello [67.189.77.87], pleased to meet you
2023.04.04 14:00:54 SMTP (smtp.comcast.net): <rx> 250-HELP
2023.04.04 14:00:54 SMTP (smtp.comcast.net): <rx> 250-AUTH LOGIN PLAIN XOAUTH2
2023.04.04 14:00:54 SMTP (smtp.comcast.net): <rx> 250-SIZE 36700160
2023.04.04 14:00:54 SMTP (smtp.comcast.net): <rx> 250-ENHANCEDSTATUSCODES
2023.04.04 14:00:54 SMTP (smtp.comcast.net): <rx> 250-8BITMIME
2023.04.04 14:00:54 SMTP (smtp.comcast.net): <rx> 250 OK
2023.04.04 14:00:54 SMTP (smtp.comcast.net): Authorizing to server
2023.04.04 14:00:54 SMTP (smtp.comcast.net): [tx] AUTH LOGIN
2023.04.04 14:00:54 SMTP (smtp.comcast.net): <rx> 334 VXNlcm5hbWU6
2023.04.04 14:00:54 SMTP (smtp.comcast.net): [tx] *****************
2023.04.04 14:00:54 SMTP (smtp.comcast.net): <rx> 334 UGFzc3dvcmQ6
2023.04.04 14:00:54 SMTP (smtp.comcast.net): [tx] *****
2023.04.04 14:00:54 SMTP (smtp.comcast.net): Disconnected from host
Test 2: Changing the following registry keys as shown below to allow only TLS 1.2 along with the <user id> in Test 1 resulted in the original shortened trace log. I also verified that the SChannel key was set properly for TLS 1.2.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp 0x00000A00 >> 0x00000800
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp 0x00000A00 >> 0x00000800
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault = 0x00000000
0
0
flatlander3
Problem Solver
•
1.5K Messages
2 years ago
Unfortunate.
If there really isn't another reason why you're married to Windows 7, and it's an i386 arch box that won't run Windows 10, or lacks the resources for it, run an i386 version of Linux on your orphaned hardware. At least you'll be current on security updates/libraries on the base box. If the registry is kind of jacked on it, you probably don't really want to have anything important on it anyway.
You can't use new Ubuntu on i386, but there's other distros out there like openSUSE. PlayOnLinux to emulate MS-Office perhaps if you don't care for openoffice?: https://itsfoss.com/use-microsoft-office-linux/
2
0
XfinityAlex
Official Employee
•
902 Messages
2 years ago
@senpai46 Just to see if Win7 is supporting TLSv1.2 at all, would you be willing to try Thunderbird on your system? Configure the accounts for IMAP so that no messages are downloaded, etc.
1
0
Again
Expert
•
31.4K Messages
2 years ago
@senpai46
Is your Win7 machine able to upgrade to Win10 and then maybe to Win11? Or maybe just go from Win7 to Win11 if your machine meets the requirements.
https://www.stellarinfo.com/article/directly-upgrade-windows-7-to-windows-11.php
3
0