exim error
- Thread starter akadi81
- Start date
After editing /etc/exim.variables.conf.custom like that
cd /usr/local/directadmin/custombuild
./build exim_conf
i got the following error:
TLS error on connection from XXXXX.XXXXXX.ro [217.156.52.81] (SSL_accept (TLSv1.2)): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
cd /usr/local/directadmin/custombuild
./build exim_conf
i got the following error:
TLS error on connection from XXXXX.XXXXXX.ro [217.156.52.81] (SSL_accept (TLSv1.2)): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Richard G
Verified User
What if you try and create a new certificate for your hostname?
First update letsencrypt, just to be sure.
Then remove or backup the exim.variables.conf.custom you made. Shouldn't be necessary normally.
After that, get a new certificate for your hostname:
cd /usr/local/directadmin/scripts
And just to be sure, run this command afterwards when you received the new certificate:
and restart Exim. See if it's fixed now.
If not, rebuild Exim, exim.conf, dovecot and dovecot.conf.
First update letsencrypt, just to be sure.
Code:
cd /usr/local/directadmin/custombuild
./build update
./build letsencryptThen remove or backup the exim.variables.conf.custom you made. Shouldn't be necessary normally.
After that, get a new certificate for your hostname:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single your.hostname.comAnd just to be sure, run this command afterwards when you received the new certificate:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confsand restart Exim. See if it's fixed now.
If not, rebuild Exim, exim.conf, dovecot and dovecot.conf.
Thank you for your response, but it's not working. I recompiled letsencrypt, lego, exim/dovecot and their confs and get new certificate for server hostname and domain. I am not able to get those emails.
I tested on CentOS Linux release 8.4.2105 and centos 7 also.
Using a cpanel server, the message arrived.
Last edited:
Richard G
Verified User
You also removed that custom exim.variables.conf.custom before trying?
Also check the setting in /usr/local/directadmin/custombuild/options.conf:
ssl_configuration=
normally that is ssl_configuration=intermediate
That might be the case.
Check the output of this command on your server:
nmap --script ssl-enum-ciphers -p 465 localhostIf nmap does not exist, you can install it via yum.
[root@server2 custombuild]# nmap --script ssl-enum-ciphers -p 465 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2021-10-11 21:53 EEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
rDNS record for 127.0.0.1: localhost.localdomain
PORT STATE SERVICE
465/tcp open smtps
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 5.94 seconds
[root@server2 custombuild]#
Starting Nmap 7.70 ( https://nmap.org ) at 2021-10-11 21:53 EEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
rDNS record for 127.0.0.1: localhost.localdomain
PORT STATE SERVICE
465/tcp open smtps
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 5.94 seconds
[root@server2 custombuild]#
But from other server:
[root@server1 ~]# nmap --script ssl-enum-ciphers -p 465 domain.com
Starting Nmap 6.40 ( http://nmap.org ) at 2021-10-11 21:57 EEST
Host is up (0.014s latency).
rDNS record for 167.86.74.40: server2.domain.com
PORT STATE SERVICE
465/tcp open smtps
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
|_ TLSv1.2: No supported ciphers found
Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds
[root@server1 ~]#
[root@server1 ~]# nmap --script ssl-enum-ciphers -p 465 domain.com
Starting Nmap 6.40 ( http://nmap.org ) at 2021-10-11 21:57 EEST
Host is up (0.014s latency).
rDNS record for 167.86.74.40: server2.domain.com
PORT STATE SERVICE
465/tcp open smtps
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
|_ TLSv1.2: No supported ciphers found
Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds
[root@server1 ~]#
Richard G
Verified User
Hmmz... that other server you used the domain.com instead of localhost.
And the first server is missing important ciphers.
Seems totally no SSL/TLS is supported for that domain on server 2, seems no certificate present for taht domain.
Normally on Centos 8 it would look like this, when using localhost.
You're missing the TLS_DHE_RSA on server 1. Not everybody can already comply with the ECDHE keys. So there are still people using DHE keys.
They should be present on the hostname, so when you test with localhost.
Maybe you can again create a new hostname certificate but then use it like this.
That 4096 shouldn't be needed anymore and added automatically but it seems it didn't.
And the first server is missing important ciphers.
Seems totally no SSL/TLS is supported for that domain on server 2, seems no certificate present for taht domain.
Normally on Centos 8 it would look like this, when using localhost.
Code:
PORT STATE SERVICE
465/tcp open smtps
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
| compressors:
| NULLYou're missing the TLS_DHE_RSA on server 1. Not everybody can already comply with the ECDHE keys. So there are still people using DHE keys.
They should be present on the hostname, so when you test with localhost.
Maybe you can again create a new hostname certificate but then use it like this.
Code:
cd /usr/local/directadmin/script
./letsencrypt.sh request_single your.hostname.com 4096