Problem with TLS 1.2 and SMTP

mosse.francisco

Hi,
I am having a problem with a new DirectAdmin installation. Clients that use old Outlook versions like 2003, 2007, etc. can't send emails.

Sending' reported error (0x800CCC1A): 'Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for assistance.'

Inside /etc/exim.variables.conf.custom I have:

tls_require_ciphers =
openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
daemon_smtp_ports = 25 : 465 : 587 : 2525
tls_on_connect_ports = 465

In SSH when I run
openssl s_client -connect 127.0.0.1:465 -tls1_2

I receive this:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 188 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1753062294
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
root@da:/usr/local/directadmin/custombuild#


How can I fix it?

Thanks,
Francisco
 
I have a client that is still using Outlook (Office) 2007 with the latest DA (TLS 1.2 + 1.3), so that should not be the reason.
Check the connection settings inside Outlook, e.g. IMAP = inbound = port 993 SSL / outbound port 587 STARTTLS or port 465 SSL.
 
That wouldn't explain the local test error.
CONNECTED(00000003)
write:errno=104
I've searched for this one and it could be that SNI is not enabled correctly.

Check the /usr/local/directadmin/conf/directadmin.conf file and double-check that mail_sni=1, which it normally is.
A friend of mine had an odd issue too on a new server this week. If not, add the line and restart DirectAdmin.

Try rebuilding exim and dovecot anyway:
Code:
da build set eximconf yes
da build set dovecot yes
da build set dovecot_conf yes
da build exim
da build dovecot

See if it works afterwards.

I don't know if that is a smart line for older clients like Outlook 2003 and 2007.
We don't have that in there and we don't have issues with connecting by using settings like suggested by @Active8
tls_on_connect_ports = 465
If you want to remove this, remove it before you do the rebuilding.
 
After upgrading to DA version 1.694 on various DA servers, we randomly find Exim SNI not working anymore on a few DA servers, and then we're forced to rebuild it with this to fix it:
da build set eximconf yes
da build set dovecot yes
da build set dovecot_conf yes
da build exim
da build dovecot

❯ openssl s_client -connect mail.xxx.com:465 -servername mail.xxx.com
CONNECTED(00000003)
40876E0B5E770000:error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1599:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 327 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
And after rebuilding, it works again:

❯ openssl s_client -connect mail.xxx.com:465 -servername mail.xxx.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E8
verify return:1
depth=0 CN = *.xxx.com
verify return:1
---
Certificate chain
0 s:CN = *.xxx.com
i:C = US, O = Let's Encrypt, CN = E8
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
v:NotBefore: Feb 4 08:29:16 2026 GMT; NotAfter: May 5 08:29:15 2026 GMT
1 s:C = US, O = Let's Encrypt, CN = E8
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---


Anyone else with this issue?
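
A way to tell apart the two failures quoted in this thread (a connection reset before any server reply, and TLS alert 112 on the SNI name), as an added example that is not from any poster. The function names and verdict words are made up for illustration, and the sample inputs are abbreviated from the outputs quoted above.

```shell
#!/bin/sh
# Reads `openssl s_client` output (stdout+stderr) on stdin, prints one verdict word.
classify_s_client() {
    out=$(cat)
    case "$out" in
        # TLS alert 112 (unrecognized_name): server rejected the SNI hostname.
        *"unrecognized name"*|*"alert number 112"*) echo sni-rejected ;;
        # A certificate chain was received, so the server answered the ClientHello.
        *"Certificate chain"*) echo handshake-ok ;;
        # ECONNRESET / nothing read: peer dropped the connection after ClientHello.
        *"errno=104"*|*"has read 0 bytes"*) echo reset-before-server-hello ;;
        *"Cipher is (NONE)"*) echo handshake-failed-other ;;
        *) echo unknown ;;
    esac
}

# Probe implicit-TLS 465 and STARTTLS 587, each with and without SNI.
# $1 = address to connect to, $2 = name to send as SNI (defaults to $1).
probe_mail_tls() {
    host=$1; name=${2:-$1}
    for port in 465 587; do
        starttls=""
        if [ "$port" = 587 ]; then starttls="-starttls smtp"; fi
        for sni in "-servername $name" "-noservername"; do
            # $sni and $starttls are deliberately unquoted so they split into arguments.
            verdict=$(openssl s_client -connect "$host:$port" $sni $starttls -tls1_2 \
                      </dev/null 2>&1 | classify_s_client)
            printf '%-22s %-30s %s\n' "$host:$port" "$sni" "$verdict"
        done
    done
}

# Sample inputs, abbreviated from the outputs quoted in the thread.
SAMPLE_RESET='CONNECTED(00000003)
write:errno=104
SSL handshake has read 0 bytes and written 188 bytes
New, (NONE), Cipher is (NONE)'
SAMPLE_SNI='CONNECTED(00000003)
error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:SSL alert number 112
SSL handshake has read 7 bytes and written 327 bytes
New, (NONE), Cipher is (NONE)'
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = *.xxx.com
verify return:1
Certificate chain'
# Run a live probe only when a host is given, e.g.: sh probe.sh 127.0.0.1 mail.example.com
if [ "$#" -ge 1 ]; then probe_mail_tls "$@"; fi
```

If the `-servername` row reports `sni-rejected` while the `-noservername` row reports `handshake-ok`, the problem is in the server's per-hostname certificate selection and not in the protocol or cipher settings.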
 