Symptoms
Attempts to send email fail with the following error:
a TLS session is required, but the server did not offer TLS support
Description
cPanel's Exim includes support for SECDANE.
SECDANE requires TLS if the remote email server has TLSA records defined for the SMTP ports. For example:
_25._tcp.mail.domain.com. 1200 IN TLSA 3 1 1 76BB66711DA 6433CA890
_25._tcp.domain.com. 1200 IN TLSA 3 1 1 6111A5698D2 3C89E09C3
If a domain or SMTP server has these records defined but doesn't offer TLS support, it will cause the mail connection to fail.
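The condition described above can be confirmed for a given host before changing the Exim configuration. The following is an added example, not cPanel's or Exim's code: the function names, verdict strings and sample data are assumptions made for illustration, and the inputs are passed as text (DNS answer lines in `owner TTL IN TLSA ...` form and the server's plain-text EHLO reply) so the logic can be checked offline.

```shell
#!/bin/sh
# Added example: classify a remote SMTP host from its TLSA records and EHLO reply.
# All names below are hypothetical; the sample data is constructed.

# has_tlsa HOST DNS_TEXT -> succeeds if a TLSA record exists for _25._tcp.HOST
has_tlsa() {
    printf '%s\n' "$2" | awk -v owner="_25._tcp.$1." '
        tolower($1) == tolower(owner) && $3 == "IN" && $4 == "TLSA" { found = 1 }
        END { exit !found }'
}

# offers_starttls EHLO_TEXT -> succeeds if the EHLO reply advertises STARTTLS
# (carriage returns from the SMTP session are stripped first)
offers_starttls() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Eiq '^250[- ]STARTTLS$'
}

# dane_verdict HOST DNS_TEXT EHLO_TEXT -> prints one of:
#   tls-required-not-offered  TLSA published but no STARTTLS (the error in this article)
#   dane-ok                   TLSA published and STARTTLS offered
#   no-dane                   no TLSA record for this host on port 25
dane_verdict() {
    if has_tlsa "$1" "$2"; then
        if offers_starttls "$3"; then
            echo dane-ok
        else
            echo tls-required-not-offered
        fi
    else
        echo no-dane
    fi
}

# Constructed sample data (placeholder hash, not a real record).
SAMPLE_DNS='_25._tcp.mail.example.test. 1200 IN TLSA 3 1 1 0000000000000000000000000000000000000000000000000000000000000000'
SAMPLE_EHLO_NO_TLS='250-mail.example.test Hello
250-SIZE 52428800
250 HELP'
SAMPLE_EHLO_TLS='250-mail.example.test Hello
250-SIZE 52428800
250-STARTTLS
250 HELP'
```

A `tls-required-not-offered` verdict for the destination's mail host matches the failure described in this article.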
Workaround
The issue needs to be addressed on the remote SMTP server, but if you must work around this problem in cPanel, the steps below will resolve the issue.
- To disable DANE, follow these steps:
- Add the following to the bottom of /usr/local/cpanel/etc/exim/replacecf/dkim/remote_smtp:
hosts_try_dane = ""
- Rebuild Exim configuration:
/scripts/buildeximconf
- Clear the retry data and then restart Exim:
/scripts/exim_tidydb
/scripts/restartsrv_exim
- Then add "/usr/local/cpanel/etc/exim/replacecf/dkim/remote_smtp" to the cPanel update exclude file "/etc/cpanelsync.exclude".
echo /usr/local/cpanel/etc/exim/replacecf/dkim/remote_smtp >> /etc/cpanelsync.exclude