SSL errors receiving emails from other servers
Hello,
I'm receiving several SSL errors when other servers try to connect to my server to deliver messages... from other (external) domains to domains on my cPanel server.
Any idea why? My cPanel install is default, no changes on ciphers and so...
Thanks
2018-04-23 14:47:43 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xx]:60149 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:48:17 TLS error on connection from a2-smithers3-1.example.tld (smtp.example.tld) [200.147.xx.xx]:16796 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:48:39 TLS error on connection from br-nsps511.sp.mr.example.com (example.com) [200.160.xxx.xx]:43262 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:48:50 TLS error on connection from smtp-05h.idc2.example.com.br (smtp-05.idc2.example.com.br) [200.219.xxx.xx]:17951 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:49:30 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xxx]:52983 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:09 TLS error on connection from moda-111.example.net [144.217.xxx.xxx]:39493 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:09 TLS error on connection from moda-104.example.net [144.217.xxx.xxx]:47965 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:17 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xxx]:52980 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:42 TLS error on connection from smtp-07c.idc2.example.com.br (smtp-07.idc2.example.com.br) [177.70.xxx.xx]:38103 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Hello, This is occurring due to the change in SSL protocols in v68 of cPanel. The SSLv2 and SSLv3 protocols were removed, leaving TLSv1.2. SSLv2 and SSLv3 are both vulnerable protocols - for more information please see the following:
SSL 3.0 Protocol Vulnerability and POODLE Attack | US-CERT
SSLv2 DROWN Attack
The error message you're receiving, "SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol", indicates that the client is attempting to connect using an unknown protocol, SSLv2 or SSLv3. To work around this you would either need to allow the SSL protocols (not recommended) or request that the client begin connecting using a protocol that is secure. Thank you,
Hello Lauren, I understand about clients (users) sending emails using port 587, Outlook or similar, no problem. But these errors are from "servers", MX delivery, not from users. Servers sending email on TCP port 25. Some servers in the log, like uhserver.com and mandic.com.br, are big ISPs with hundreds of mail servers. Any additional info? Thanks
Hello, I understand the concern. The error does indicate that they're connecting to your server using SSLv2 or SSLv3, which your server is no longer accepting. You can enable these in Exim and Dovecot and begin accepting them once more by going to WHM>>Service Configuration>>Exim Configuration Manager and WHM>>Service Configuration>>Mailserver Configuration and modifying the SSL protocols.
"You can enable these in Exim and Dovecot and begin accepting them once more by going to WHM>>Service Configuration>>Exim Configuration Manager and WHM>>Service Configuration>>Mailserver Configuration and modifying the SSL protocols"
I have a similar problem. Can you tell me what the line for adding SSL (SSLv2 or SSLv3) looks like?
In Exim (Service Configuration >> Exim Configuration Manager) I have in "Options for OpenSSL": "+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 default"
In Dovecot (Service Configuration >> Mailserver Configuration) I have in "SSL Protocols": "TLSv1.2"
Hello @vadim2 I do not like to provide instructions on how to make yourself less secure, but essentially you'll just need to remove the no_sslvX that you want to allow, then in SSL protocols add the one you want to allow. I don't believe this is a sustainable solution to the issue; ultimately you need to identify the software attempting to connect using these protocols and encourage your users to update. Thanks!
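Added example (not part of the original thread, and not cPanel or Exim tooling): a short Python script that groups the "TLS error on connection" lines from exim_mainlog by remote IP, one way to see which sending hosts fail the handshake and how often before changing any protocol setting. The function name, sample lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches Exim main-log TLS handshake failures in the three shapes seen in this
# thread: "host (helo) [ip]:port", "host [ip]:port" and "(helo) [ip]:port".
TLS_ERR = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TLS error on connection from "
    r"(?:(?P<host>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+) \(SSL_accept\): (?P<err>.+)$"
)

def summarize_tls_errors(lines):
    """Group handshake failures by remote IP, busiest peer first."""
    peers = defaultdict(lambda: {"count": 0, "names": set(), "errors": set(),
                                 "first": None, "last": None})
    for line in lines:
        m = TLS_ERR.match(line.strip())
        if not m:
            continue  # not a TLS error line (e.g. "closed by EOF")
        p = peers[m["ip"]]
        p["count"] += 1
        # Reverse-DNS name and HELO name, whichever the log line carries.
        p["names"].update(n for n in (m["host"], m["helo"]) if n)
        p["errors"].add(m["err"])
        p["first"] = p["first"] or m["ts"]
        p["last"] = m["ts"]
    return sorted(peers.items(), key=lambda kv: (-kv[1]["count"], kv[0]))

# Constructed sample lines (documentation IP ranges, made-up host names).
ERR = "error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol"
PRE = "TLS error on connection from"
SAMPLE = [
    f"2018-04-23 14:47:43 {PRE} ([172.20.0.5]) [192.0.2.10]:60149 (SSL_accept): {ERR}",
    f"2018-04-23 14:48:17 {PRE} mx1.example.tld (smtp.example.tld) "
    f"[198.51.100.7]:16796 (SSL_accept): {ERR}",
    f"2018-04-23 14:52:09 {PRE} moda-111.example.net [203.0.113.20]:39493 "
    f"(SSL_accept): {ERR}",
    f"2018-04-23 14:52:17 {PRE} ([172.20.0.5]) [192.0.2.10]:52980 (SSL_accept): {ERR}",
    "2018-04-23 14:52:20 SMTP connection from mx1.example.tld (smtp.example.tld) "
    "[198.51.100.7]:16796 closed by EOF",
]

if __name__ == "__main__":
    for ip, p in summarize_tls_errors(SAMPLE):
        names = ", ".join(sorted(p["names"])) or "-"
        print(f"{p['count']:4d}  {ip:15s}  {p['first']} .. {p['last']}  {names}")
```

To run it against a live log, pass an open file handle for exim_mainlog to `summarize_tls_errors` instead of `SAMPLE`.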
Thank you!
"then in SSL protocols add the one you want to allow."
Sorry! One question. Which SSL protocol needs to be added to receive mail from this server? How do I know? Or maybe, to avoid making the server less secure, is there a way to add this server to the white list?
2018-11-12 11:29:04 TLS error on connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1349 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-11-12 11:29:04 TLS error on connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1350 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-11-12 11:29:04 SMTP connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1349 closed by EOF
2018-11-12 11:29:04 SMTP connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1350 closed by EOF
I left only "+no_tlsv1" in Exim Configuration Manager ---> Security, "Options for OpenSSL", and changed the SSL/TLS Cipher Suite List to: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
but there is still an error in the file exim_mainlog:
2018-11-13 05:04:09 TLS error on connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:2959 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Hello @vadim2 Did you add the SSLvX version that you want to allow in the SSL protocol box?