Lots of TLS errors: cannot receive mail from some servers

dagservice

Verified User
Joined
Aug 27, 2015
Messages
11
Good afternoon,

We're getting reports that we cannot receive e-mail from some senders. After investigation, the logs keep showing the following message for the failing domains:
Code:
TLS error on connection from sender-server.com [123.123.123.123] (SSL_accept): error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol
Searching via Google, I found a thread suggesting that this may be due to some SSL versions not being accepted, but there's no solution listed there and it's for postfix. If I connect using
Code:
openssl s_client -starttls smtp -crlf -connect mail.myserver.com:587
, it does connect, but
Code:
dagservice@Monster:~$ openssl s_client -starttls smtp -crlf -connect mail.myserver.com:587 -ssl3
CONNECTED(00000003)
140220228961952:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:599:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 266 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1588593473
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Same for example with -tls1

Relevant information:
Exim 4.93.0.4 running on ubuntu 16.04, all recent updates installed. Directadmin version 1.60.4.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
5,004
Location
Maastricht
DA does not work with postfix.
It's probably because TLS < 1.2 is not supported anymore by default.

Explained here and there is a workaround for it which also can be found here:

I don't know if you need this:

Best is to tell your customers to update their email clients to use TLS 1.2.

Again, the above is for Exim, DA does not use Postfix.
 

dagservice

Verified User
Joined
Aug 27, 2015
Messages
11
Thank you for your insights. I made a temporary fix by setting
Code:
tls_advertise_hosts = !12.34.56.78:!23.45.67.89:*
(fictional IP addresses inserted)

That should encourage the outdated servers to set up a plaintext connection to avoid issues, which appears to work.
 
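The workaround above needs a list of the peers that actually fail, and that list comes from the same `TLS error on connection from ... unsupported protocol` lines quoted at the top of the thread. The following script is an added example, not code from the thread or from Exim/DirectAdmin: it scans Exim mainlog lines for that specific handshake error, counts hits per sending IP, and prints a `tls_advertise_hosts` value that excludes those IPs and keeps advertising STARTTLS to everyone else. The log lines embedded in it are constructed for the example (hostnames, IPs and the second error string are made up; the message layout copies the format quoted in the first post). It uses Exim's `<;` separator change so IPv6 peers, whose addresses contain colons, can be listed without doubling the colons.

```python
import re

# Constructed sample of Exim mainlog lines (not real traffic). The first
# error string copies the one quoted in the thread; the last line carries
# a different TLS error to show that only 'unsupported protocol' is counted.
SAMPLE_LOG = """\
2020-05-04 11:17:53 TLS error on connection from sender-server.com [123.123.123.123] (SSL_accept): error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol
2020-05-04 11:18:10 1jVkXr-0003Aa-2Q <= user@example.org H=mx.example.org [198.51.100.7] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2048
2020-05-04 11:20:41 TLS error on connection from old-relay.example.net [203.0.113.45] (SSL_accept): error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol
2020-05-04 11:21:02 TLS error on connection from sender-server.com [123.123.123.123] (SSL_accept): error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol
2020-05-04 11:25:37 TLS error on connection from [2001:db8::25] (SSL_accept): error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol
2020-05-04 11:30:00 TLS error on connection from scanner.example.com [192.0.2.9] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
"""

# Exim writes "from <hostname> [<ip>]"; the hostname is absent when reverse
# DNS fails, so it is optional in the pattern.
TLS_ERROR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) TLS error on connection from "
    r"(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\] "
    r"\((?P<func>[^)]+)\): (?P<err>.*)$"
)


def find_legacy_senders(log_text: str) -> dict:
    """Return {ip: {"host": name_or_None, "count": n}} for every peer whose
    handshake failed with the OpenSSL 'unsupported protocol' error, i.e. a
    client that offered only TLS versions the server no longer accepts."""
    peers = {}
    for line in log_text.splitlines():
        m = TLS_ERROR_RE.match(line)
        if not m or "unsupported protocol" not in m.group("err"):
            continue
        entry = peers.setdefault(m.group("ip"), {"host": m.group("host"), "count": 0})
        entry["count"] += 1
    return peers


def exim_host_list(ips) -> str:
    """Build a tls_advertise_hosts value that stops advertising STARTTLS to
    the given peers and keeps it for everyone else ('*'). The leading '<;'
    switches Exim's list separator from ':' to ';' so IPv6 addresses can be
    listed verbatim."""
    excluded = " ; ".join("!" + ip for ip in sorted(ips))
    return f"<; {excluded} ; *"


if __name__ == "__main__":
    peers = find_legacy_senders(SAMPLE_LOG)
    for ip, info in sorted(peers.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{info['count']:3d}  {ip:20s} {info['host'] or '(no reverse DNS)'}")
    print("tls_advertise_hosts = " + exim_host_list(peers))
```

Run it against a real mainlog by replacing `SAMPLE_LOG` with the file contents. The list is only as complete as the log window you feed it, and every peer on it will deliver in cleartext from then on, so re-run it now and then and drop addresses that have since upgraded.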