403 4.7.0 TLS handshake failed
Hello, I hope you can help.
I am receiving reports that a small number of external users are struggling to send emails to us. One user shared the bounce:
----- The following addresses had permanent fatal errors -----
(reason: 403 4.7.0 TLS handshake failed.)
----- Transcript of session follows -----
... Deferred
Message could not be delivered for 3 days
Message will be deleted from queue
Reporting-MTA: dns; asmtp5.iomartmail.com
Arrival-Date: Mon, 18 Apr 2016 10:44:26 +0100
Final-Recipient: RFC822; craig@example.co.uk
Action: failed
Status: 4.4.7
Diagnostic-Code: SMTP; 403 4.7.0 TLS handshake failed.
Last-Attempt-Date: Thu, 21 Apr 2016 12:10:37 +0100
I have checked the set up and tested the set up via checktls.com and it looks fine leaving my only guess that the sender is trying to use a weak SSL connection that is being blocked. I cannot find a way to actually test this though so I am struggling. What can I try?
Hello,
Search for an example of one of these messages in /var/log/exim_mainlog and post the output here. Here's an example of a command you can use: exigrep user@domain /var/log/exim_mainlog
Ensure you use CODE tags and remove identifying information about the domain name and server. Thank you.
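The log triage suggested in the reply above, as an added shell example that is not part of this thread: it reads exim_mainlog lines from stdin, counts TLS handshake failures by sending host and OpenSSL reason, and separately counts which protocol versions successful senders negotiated (the X= field on the "<=" arrival line). The sample log is constructed to mimic the format the OP quoted; hosts, addresses and message IDs are placeholders, not real senders.

```sh
#!/bin/sh
# Added example (not from the thread): triage Exim TLS handshake failures.
# Usage against a real log:  tls_error_summary < /var/log/exim_mainlog
#                            negotiated_versions < /var/log/exim_mainlog
# Run "sh this.sh --demo" to see it work on the constructed sample below.

# Constructed sample lines in exim_mainlog format (hosts, addresses and
# message IDs are documentation placeholders, not the thread's real senders).
SAMPLE_LOG='2016-04-21 12:10:37 TLS error on connection from asmtp3.example.net [192.0.2.10]:43782 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-04-21 12:10:37 TLS client disconnected cleanly (rejected our certificate?)
2016-04-21 12:11:02 1atgZx-0001Bd-2Q <= sender@example.org H=mx.example.org [198.51.100.5] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=2048
2016-04-21 12:12:15 TLS error on connection from asmtp5.example.net [192.0.2.12]:51203 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-04-21 12:13:40 TLS error on connection from oldclient.example.com [203.0.113.7]:4021 (SSL_accept): error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2016-04-21 12:13:55 1atgbK-0001Cq-7x <= alice@example.com H=smtp.example.com [198.51.100.9] P=esmtps X=TLSv1:AES256-SHA:256 S=1024
2016-04-21 12:14:01 TLS error on connection from asmtp3.example.net [192.0.2.10]:43900 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol'

# Count "TLS error on connection from HOST [IP]:PORT ... :REASON" lines,
# keyed by sending host, IP and the OpenSSL reason after the last colon.
tls_error_summary() {
    awk '/TLS error on connection from / {
            prefix = "TLS error on connection from "
            rest = substr($0, index($0, prefix) + length(prefix))
            split(rest, f, " ")                 # f[1] = HOST, f[2] = [IP]:PORT
            ip = f[2]; sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
            reason = rest; sub(/^.*:/, "", reason)
            count[f[1] " " ip " " reason]++
         }
         END { for (k in count) print count[k], k }' | sort -rn
}

# Successful inbound TLS sessions carry X=<protocol>:<cipher>:<bits> on the
# "<=" arrival line; counting the protocol shows which senders still rely on
# old versions and would break if the minimum version were raised further.
negotiated_versions() {
    awk '/ <= / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^X=/) { split(substr($i, 3), v, ":"); count[v[1]]++ }
         }
         END { for (k in count) print count[k], k }' | sort -rn
}

if [ "${1-}" = "--demo" ]; then
    echo "== handshake errors by sender =="
    printf '%s\n' "$SAMPLE_LOG" | tls_error_summary
    echo "== protocol versions negotiated by successful senders =="
    printf '%s\n' "$SAMPLE_LOG" | negotiated_versions
fi
```

The first summary tells you which senders fail and with what reason, which is what the reply above asks for; the second tells you how many legitimate senders still use each protocol version, so you can judge the cost of a strict cipher or version policy before tightening it further.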
Thank you for your reply. I haven't got an entry for this specific email as it's older than my retained logs (I will ask for another email), however, while perusing the logs (thank you for the pointer) I noticed a large number of a very similar error:
TLS error on connection from asmtp3.iomartmail.com [62.128.201.159]:43782 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
TLS client disconnected cleanly (rejected our certificate?)
Could it be that some mail servers are wanting to only securely talk on SSL3, or perhaps being told SSL3 will work, where the mail server actually will only talk on TLS 1.1+?
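One way to test the hypothesis in the post above (a sender that can only speak SSLv3 or an old TLS version against a server restricted to newer ones), as an added example rather than anything from the thread: connect to port 25, issue STARTTLS, and force one protocol version per attempt with openssl s_client, which is exactly what such a sender would try. The host name mail.example.net is a placeholder for the server being tested. The probe checks protocol versions only; to test a specific cipher restriction add -cipher to the s_client command.

```sh
#!/bin/sh
# Added example (not from the thread): probe which protocol versions a mail
# server accepts on STARTTLS, one forced version per attempt, the way a
# sender stuck on SSLv3 or TLS 1.0 would see it.
# Usage:  sh this.sh mail.example.net [25]      (mail.example.net is a placeholder)

probe_starttls() {
    host=$1
    port=${2:-25}
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        # Send QUIT on stdin so s_client exits as soon as the handshake result is known.
        out=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -starttls smtp "$flag" 2>&1 || true)
        case $out in
            # A local OpenSSL built without that version cannot test it at all
            # ("unknown option -ssl3" on 1.0.x, "Unknown option: -ssl3" on 1.1.x).
            *"nknown option"*) echo "$flag not-supported-by-local-openssl"; continue ;;
        esac
        # On success the session summary has "Cipher    : <name>"; on failure it is "Cipher    : 0000".
        cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([A-Za-z][^ ]*\).*/\1/p' | head -n 1)
        if [ -n "$cipher" ]; then
            echo "$flag accepted $cipher"
        else
            echo "$flag rejected"
        fi
    done
}

if [ $# -gt 0 ]; then
    probe_starttls "$@"
fi
```

A server hardened to TLS 1.1 and above should print "rejected" for -tls1 (and for -ssl3 if the local OpenSSL still supports it) and "accepted" with a cipher name for the newer versions. If every version comes back "rejected", suspect connectivity or the STARTTLS exchange itself rather than the cipher policy, and read the raw s_client output.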
Hello, Have you made any custom changes to your SSL Cipher protocols or installed a custom SSL certificate for the Exim service? Thank you.
Yes to both for PCI. A UCC SSL for the exim service including the mail server dns name, and cipher changes as recommended.
Hello, The error message suggests the sender does not meet the SSL cipher requirements. Are you able to communicate with any of these senders to verify if they are using an outdated email client? Thank you.