TLS error sending mail

edvanleeuwen

From one moment to another (without having changed anything), I am getting the following errors when sending mail from e.g. Outlook 2016:

2019-12-28 11:22:16 TLS error on connection from xxx.cable.dynamic.v4.ziggo.nl [xxx] (SSL_accept): error:20074002:BIO routines:file_ctrl:system lib
2019-12-28 11:22:16 TLS error on connection from xxx.cable.dynamic.v4.ziggo.nl [xxx] (SSL_accept): error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low

The CB ssl_configuration is set to intermediate. OS and CB are up to date.

Does anyone know what I can do about it?
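Added example, not part of the original post: a small triage script for Exim log lines in the format quoted above. It groups the TLS handshake failures by client address and OpenSSL reason, so you can see which clients are refused with "version too low" (the client offered a protocol version below what the server accepts). The sample log is constructed; host names and addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the post; host names and
# addresses are documentation placeholders, not values from the thread.
SAMPLE_LOG = """\
2019-12-28 11:22:16 TLS error on connection from pc.example.net [192.0.2.10] (SSL_accept): error:20074002:BIO routines:file_ctrl:system lib
2019-12-28 11:22:16 TLS error on connection from pc.example.net [192.0.2.10] (SSL_accept): error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
2019-12-28 11:25:02 TLS error on connection from [198.51.100.7] (SSL_accept): error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
2019-12-28 11:31:40 TLS error on connection from pc.example.net [192.0.2.10] (SSL_accept): error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
2019-12-28 11:40:00 SMTP connection from pc.example.net [192.0.2.10] closed by QUIT
"""

TLS_ERROR = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) TLS error on connection from "
    r"(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\] \((?P<call>\w+)\): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.+)$"
)

def parse_tls_errors(log_text):
    """Return one dict per 'TLS error on connection' line; other lines are skipped."""
    return [m.groupdict() for m in map(TLS_ERROR.match, log_text.splitlines()) if m]

def failures_by_client(log_text):
    """Map client IP -> {reason: [count, first_seen, last_seen]}."""
    table = defaultdict(dict)
    for e in parse_tls_errors(log_text):
        entry = table[e["ip"]].setdefault(e["reason"], [0, e["ts"], e["ts"]])
        entry[0] += 1
        entry[2] = e["ts"]  # log is chronological, so the last match wins
    return dict(table)

def clients_below_minimum(log_text):
    """IPs whose handshake was refused with OpenSSL reason 'version too low'."""
    return sorted(ip for ip, reasons in failures_by_client(log_text).items()
                  if "version too low" in reasons)

if __name__ == "__main__":
    for ip, reasons in failures_by_client(SAMPLE_LOG).items():
        for reason, (count, first, last) in reasons.items():
            print(f"{ip:15} {count:3}x  {first} .. {last}  {reason}")
```
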
 
Nope, W10 updated to latest version. Linux/Centos 7 server with openssl 1.1.1b.
 
> Nope, W10 updated to latest version. Linux/Centos 7 server with openssl 1.1.1b.

The openssl 1.1.1b version on CentOS 7 is not the default one, or is it?

If so, which howto for installation / configuration did you use?

But there should be an update somewhere (client or server) or a reboot / restart / reload / build... where some of those settings are active now.

On internet.nl you can test some things for the mail server.

You can also try Outlook on another port with other settings and so on... (SMTP port 587, STARTTLS)

Also try with another device / computer and Thunderbird as mail client with another test account, and then even with another ISP connection.
If all of that works, you can go back step by step to your computer / ISP connection, other mail client and so on.

 
> The openssl 1.1.1b version on CentOS 7 is not the default one, or is it?
>
> If so, which howto for installation / configuration did you use?

Default one does not support TLS1.3.

> But there should be an update somewhere (client or server) or a reboot / restart / reload / build... where some of those settings are active now.

That was not the case, as far as I can see. That's the thing troubling me.

> On internet.nl you can test some things for the mail server.

Ok, that's something interesting. SSLLabs was A+, but I think that only covers websites. Thanks.

> You can also try Outlook on another port with other settings and so on... (SMTP port 587, STARTTLS)
 
internet.nl gives me a number of problems with the TLS versions. Is this not covered by the defaults used in CustomBuild 2.0?
 
So you did change the openssl version yourself?!
Which howto for DirectAdmin did you use? smtalk has advised against this several times here in the forum, since such problems could happen then with much custom... and if not custom, you could be 100% sure to have / get some problems!

I know TLS 1.3, but for that there is CentOS 8 ;)

CB, I guess, has config options for CentOS 7 only for the older openssl that is default with CentOS 7.

SSL Labs is port 443 only, as far as I know! So no mail ports!

If you use Let's Encrypt for the domain / mail server, then it could be "sudden" because of a renewed cert ;) This does some reloads / restarts...
 
You could, however, for websites use a, hmm, workaround together with custom Apache to get TLS 1.3 and openssl 1.1.1.x, but it still is and stays a not recommended workaround, only for Apache / port 443, to break nothing else. Maybe the preferred way if you stay with CentOS 7, BUT...

Some testing info for Apache is also here: https://bettercrypto.org/#tools
 
Please note that the configuration option ssl_configuration=modern/intermediate/old does not yet apply to email: https://forum.directadmin.com/threads/disable-tls-1-1-as-default.59202/#post-304312

Here is a quote from @smtalk on the above link:
> As mentioned in "opt_help" (CB documentation), the list is generated from https://ssl-config.mozilla.org. No, they don't only apply to apache. They're also applied to OpenLiteSpeed, LiteSpeed, Nginx, ProFTPd and Pure-FTPd. The list might be extended in the future.
 
Thanks for this, @ditto. Do you have a pointer to information which contains changes to the exim config in order to disable the older TLS versions?
 
Docs:
dovecot has !include conf/ssl.conf

And much more for exim: https://help.directadmin.com/index.php?topic=17 Warning: some are old docs!

Look carefully at exim.conf and the files included by exim.conf, or whether some custom files are included for SSL / ciphers.
In exim.conf there are settings such as those below that you may need to change:

Default on http://files.directadmin.com/services/exim.conf
daemon_smtp_ports = 25 : 587 : 465
tls_on_connect_ports = 465
# SSL/TLS cert and key
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
openssl_options = +no_sslv2 +no_sslv3
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
tls_advertise_hosts = *
#auth_over_tls_hosts = *

If you use the antispam SpamBlocker, maybe you have to look there too: http://files.directadmin.com/services/SpamBlocker/ https://help.directadmin.com/item.php?id=576

EDIT: Below are the 2 that I think you need: https://help.directadmin.com/item.php?id=571 and /etc/exim.variables.conf

Here you can get some; please take care of the versions to fill in (do it in custom): See this guide on how to change the exim.variables.conf settings via the exim.variables.conf.custom file.

 