bad certificate errors incoming mail

thegoatsman (Verified User, joined Jan 21, 2020, 5 messages)
We are currently experiencing issues on a CentOS 7 server when receiving emails from some other providers.
In our logs we get the following errors:

Code:
2020-03-12 11:20:09 TLS error on connection from mx2.practicom.net [90.145.64.154] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2020-03-12 11:20:56 TLS error on connection from out1-35.antispamcloud.com [185.201.16.35] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2020-03-12 11:40:58 TLS error on connection from filter02-ipv6-out16.totaalholding.nl [2a02:40c0:1000:1000:0:2:ffff:16] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2020-03-12 11:40:58 TLS error on connection from filter02-out14.totaalholding.nl [185.56.145.229] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2020-03-12 12:17:54 TLS error on connection from julia.hostnet.nl [91.184.19.55] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

We have tried the following already:
  • Rebuild Exim.
  • Renew the certificates. (we use letsencrypt with mail sni)
  • Enabled TLS v1 through v1.2
  • Checked mail delivery from both sides with checktls and they both pass.
Has anyone come across this before and found a solution for this?
 
The ssl_configuration is set to intermediate but with the following change:

a possible workaround for Exim:

Code:
touch /etc/exim.variables.conf.custom
echo "openssl_options = +no_sslv2 +no_sslv3" >> /etc/exim.variables.conf.custom
cd /usr/local/directadmin/custombuild/
./build update
./build exim_conf
 
It might not have the ciphers needed in the list :) Please try "old", this should solve the problem.
 
I will try that, although I know a sending server was using the following key:

SSLVersion:TLSv1_2
SSLCipher:ECDHE-RSA-AES128-GCM-SHA256
 
Changing the setting to old did not resolve the issue sadly:

Code:
2020-03-12 14:18:24 TLS error on connection from filter02-ipv6-out16.totaalholding.nl [2a02:40c0:1000:1000:0:2:ffff:16] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2020-03-12 14:18:24 TLS error on connection from filter02-out14.totaalholding.nl [185.56.145.229] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

I am actually starting to wonder if the issue is coming from our side or the sender's side.
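The question of which side is rejecting what can be answered from the log lines themselves. OpenSSL packs a library, function and reason number into the hex code after "error:", and a reason of 1000 or more means "a TLS alert was received from the peer", with the alert number being the remainder (1042 = 1000 + 42, and 42 is the bad_certificate alert). Since the error surfaces in SSL_accept, the receiving Exim is the TLS server, so it is the sending MTA that sent the alert, i.e. it did not accept the certificate (or chain) that Exim presented; why it did so is not in these lines. The decoder below is an added example written for this thread, not code from the thread, Exim or DirectAdmin. The log lines in it are constructed with documentation hostnames and addresses in the shape of the ones quoted above, and it also handles the OpenSSL 3 spelling of the same error (no function code, "SSL routines::"), which the thread does not show.

```python
"""Decode the packed OpenSSL error codes in Exim 'TLS error on connection from' lines."""
import re
from collections import Counter

# Constructed sample (documentation hostnames/IPs, not a real capture) in the shape of
# the thread's Exim log lines. Line 3 is the OpenSSL 3 layout of the same alert, and the
# last line is a locally generated error (no alert from the peer) for contrast.
SAMPLE_LOG = """\
2020-03-12 11:20:09 TLS error on connection from mx.example.net [192.0.2.10] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2020-03-12 11:40:58 TLS error on connection from relay.example.org [2001:db8::16] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2022-05-11 07:39:09 TLS error on connection from mx.example.net [192.0.2.10] (SSL_accept): error:0A000412:SSL routines::sslv3 alert bad certificate
2022-05-11 07:45:00 TLS error on connection from old.example.com [198.51.100.7] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) TLS error on connection from "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] \((?P<api>\w+)\): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)

ERR_LIB_SSL = 20             # OpenSSL's ERR_LIB_SSL ("SSL routines")
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number when the *peer* sent a TLS alert

# TLS alert descriptions (RFC 5246 section 7.2, plus RFC 6066 / RFC 8446 additions)
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
    112: "unrecognized_name", 116: "certificate_required", 120: "no_application_protocol",
}


def unpack_error_code(code_hex, func_name):
    """Return (lib, func, reason) from the 8-hex-digit code OpenSSL prints."""
    code = int(code_hex, 16)
    if func_name == "":
        # OpenSSL 3.x: library in bits 23-30, reason in the low 23 bits, no function code.
        return (code >> 23) & 0xFF, None, code & 0x7FFFFF
    # OpenSSL 1.0/1.1: library in bits 24-31, function in bits 12-23, reason in the low 12 bits.
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF


def explain(entry):
    """Annotate one parsed line with the decoded ids and who produced the failure."""
    lib, func, reason = unpack_error_code(entry["code"], entry["func"])
    entry.update(lib_id=lib, func_id=func, reason_id=reason)
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        entry["alert"] = TLS_ALERTS.get(alert, f"alert_{alert}")
        entry["origin"] = "peer"
        # In SSL_accept we are the TLS server, so the peer is the connecting (sending) MTA.
        peer = "client (sending MTA)" if entry["api"] == "SSL_accept" else "server"
        entry["summary"] = f"peer {peer} aborted the handshake with alert {entry['alert']}"
    else:
        entry["alert"] = None
        entry["origin"] = "local"
        entry["summary"] = f"local OpenSSL failure: {entry['reason']}"
    return entry


def parse_exim_tls_errors(text):
    """Parse every matching line of an Exim mainlog excerpt into annotated dicts."""
    return [explain(m.groupdict()) for m in map(LINE_RE.match, text.splitlines()) if m]


def summarise(entries):
    """Count (host, summary) pairs so the noisiest peers and causes surface first."""
    return Counter((e["host"], e["summary"]) for e in entries).most_common()


if __name__ == "__main__":
    for (host, summary), count in summarise(parse_exim_tls_errors(SAMPLE_LOG)):
        print(f"{count:3d}  {host:20s}  {summary}")
```

Run it against a real excerpt with `parse_exim_tls_errors(open("/var/log/exim/mainlog").read())`; a "peer" origin means the next check belongs on the sender's view of your certificate (for example `openssl s_client -starttls smtp -connect yourhost:25 -servername yourhost` from outside, looking at the chain and the verify return code), whereas a "local" origin such as "no shared cipher" points at your own protocol and cipher configuration.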
 
Maybe you should try the intermediate setting without your custom workaround for exim?
 
That also sadly doesn't seem to work.

Code:
2020-03-12 18:57:07 TLS error on connection from out4-5.antispamcloud.com [185.201.19.5] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
 
Has anyone managed to fix this problem? It concerns mailgun servers.

Code:
2022-05-11 07:39:09 TLS error on connection from m195-160.mailgun.net [161.38.195.160] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2022-05-11 07:41:45 TLS error on connection from m195-157.mailgun.net [161.38.195.157] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2022-05-11 07:43:58 TLS error on connection from m206-19.eu.mailgun.net [161.38.206.19] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2022-05-11 07:44:51 TLS error on connection from m195-160.mailgun.net [161.38.195.160] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
2022-05-11 07:47:11 TLS error on connection from m195-157.mailgun.net [161.38.195.157] (SSL_accept): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
 
Seems somebody is still using SSLv3 instead of TLS.

You might want to try the solution given in #2.
 
Has anyone managed to fix this problem? It concerns mailgun servers.
Are your servers set to the correct time and zone? Do you have ntp setup?

Seems mailgun is using an old, defunct protocol, or maybe you have custom code and it doesn't have
Code:
'o:require-tls' => 'true',
 
Exact same error and exact same error number; it seems to be a bad certificate on Plesk. Did you see that one?
You can click here to read it; maybe it helps you.
 