Dovecot SSL Errors in Freshly Provisioned WHM VPS

Comments

7 comments

  • cPanelMichael
    Hello :) Did you modify any of the SSL Cipher settings for Dovecot before noticing this error message? Thank you.
    0
  • gn0s1s
    No, as far as I am aware nothing was modified. But it appears that the fix above has not worked in this instance, since I got this again today.
    **Unmatched Entries**
    dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 2 Time(s)
    dovecot: master: Dovecot v2.2.21 (5345f22) starting up for imap, pop3 (core dumps disabled): 1 Time(s)
    dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 2 Time(s)
    0
  • gn0s1s
    Some more unmatched entries today. Would love to get to the bottom of why they keep recurring.
    dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 3 Time(s)
    dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher: 42 Time(s)
    dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number: 20 Time(s)
    0
  • cPanelMichael
    Please post the output from the following commands:
    grep openssl_options /etc/exim.conf
    grep ssl_protocols /etc/dovecot/dovecot.conf
    Thank you.
    0
  • gn0s1s
    > Please post the output from the following commands:
    > grep openssl_options /etc/exim.conf
    > grep ssl_protocols /etc/dovecot/dovecot.conf

    Here it is.
    root@obscured [~]# grep openssl_options /etc/exim.conf
    openssl_options = +no_sslv2 +no_sslv3
    root@obscured [~]# grep ssl_protocols /etc/dovecot/dovecot.conf
    ssl_protocols = !SSLv2 !SSLv3
    root@obscured [~]#
    So from what I can gather these are attempts by someone to connect using an old protocol that's turned off (and turned off with good reason, if my reading is right). Is this correct?
    0
  • cPanelMichael
    > So from what I can gather these are attempts by someone to connect using an old protocol that's turned off (and turned off with good reason, if my reading is right). Is this correct?

    Yes, you are using the default entries, and the messages suggest the person connecting is using an unsupported protocol. This can indicate the user attempting to make the connection needs to update their email client to the latest version. Thank you.
    0
  • gn0s1s
    > Yes, you are using the default entries, and the messages suggest the person connecting is using an unsupported protocol. This can indicate the user attempting to make the connection needs to update their email client to the latest version.

    There are no sites set up on this VPS yet and in fact, no domain or hostname associated with it, so there should be no users trying to access it with any protocols. I'm just trying to figure out processes for dealing with intrusion attempts and false positives in security scans before I start moving actual sites over. It seems like someone is probably using a script to move through IP ranges and trying to exploit a POODLE vulnerability using these protocols. They're gonna get the banhammer. :-)
    0
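
For triaging the Logwatch entries quoted in this thread, the following added example (not code from any participant or from cPanel) totals the Dovecot SSL errors per login service and OpenSSL reason string. The `MEANING` text is a general reading of those reason strings, and `SAMPLE` is constructed input modeled on the entries posted above.

```python
import re
from collections import Counter

# One Logwatch "Unmatched Entries" item for a Dovecot login-process TLS error.
# Not anchored to line starts, so it also works on entries run together on one line.
LINE_RE = re.compile(
    r"dovecot: (?P<service>[\w-]+): Error: SSL: Stacked error: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:(?P<func>\w+):"
    r"(?P<reason>[^:]+): (?P<count>\d+) Time\(s\)"
)

# General interpretation of each OpenSSL reason string (assumption: server side).
MEANING = {
    "unknown protocol": "first bytes were not a supported SSL/TLS client hello",
    "no shared cipher": "client offered no cipher suite the server allows",
    "wrong version number": "client's protocol version was not accepted",
}

# Constructed sample, modeled on the entries quoted in the thread.
SAMPLE = """\
dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 2 Time(s)
dovecot: master: Dovecot v2.2.21 (5345f22) starting up for imap, pop3 (core dumps disabled): 1 Time(s)
dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 3 Time(s)
dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher: 42 Time(s)
dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number: 20 Time(s)
"""


def summarize(text):
    """Return a Counter keyed by (service, reason) with summed occurrence counts."""
    totals = Counter()
    for m in LINE_RE.finditer(text):
        totals[(m["service"], m["reason"])] += int(m["count"])
    return totals


def report(text):
    """Return printable rows, most frequent first, with a short interpretation."""
    rows = []
    for (service, reason), n in summarize(text).most_common():
        note = MEANING.get(reason, "unclassified")
        rows.append(f"{n:>4}  {service:<11} {reason}: {note}")
    return rows


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The Logwatch summary carries no client addresses; to attribute the attempts to sources, the raw mail log would have to be consulted.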