TLS error on connection issue
Hi I'm aware of the latest incompatibilities of Microsoft Outllook and Windows 7 after the latest updates to EXIM protocols.and I wanted to ask if this error is related to this issue.
mail.orb*****.gr is NOT hosted in our servers. It is just a sender to one of our clients. So what the above error means? How can I fix this? Our current configuration is
Does the above configuration affect people who send emails from external servers to our domains? We have informed all of our clients to switch to Win 10 + Outllook or apply the patch from Microsoft or use a different email client. So far so good. However there is no way to reach anyone who is supposed to contact our clients. It can be anyone in the world and of course we don't have access.
/var/log/exim_mainlog
TLS error on connection from mail.orb*****.gr [185.16.xxx.xxx]:49841 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocolmail.orb*****.gr is NOT hosted in our servers. It is just a sender to one of our clients. So what the above error means? How can I fix this? Our current configuration is
WHM => Mailserver Configuration => SSL Cipher List = "default settings"
WHM => Mailserver Configuration => SSL Protocols = TLSv1.2
WHM => Exim Configuration => Options for OpenSSL = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 (default)
WHM => Exim Configuration => SSL/TLS Cipher Suite List = "default settings here as well"Does the above configuration affect people who send emails from external servers to our domains? We have informed all of our clients to switch to Win 10 + Outllook or apply the patch from Microsoft or use a different email client. So far so good. However there is no way to reach anyone who is supposed to contact our clients. It can be anyone in the world and of course we don't have access.
-
Hello, The workaround on the following thread is available should you want to allow clients using older email clients send email: Outlook 2016 Sending Email Fails After Cipher Suite Update As far as the following question: mail.orb*****.gr is NOT hosted in our servers. It is just a sender to one of our clients. So what the above error means? How can I fix this?
Could you let us know the full output from /var/log/exim_mainlog for that message delivery attempt? EX:exigrep external-domain /var/log/exim_mainlog
Thank you.0 -
Could you let us know the full output from /var/log/exim_mainlog for that message delivery attempt? EX:
exigrep external-domain /var/log/exim_mainlog
Thank you.
The output is a lot of lines repeating the same error:2017-11-30 01:21:53 TLS error on connection from mail.orb*****.gr [185.16.xxx.xxx]:55261 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol 2017-11-30 01:21:53 SMTP connection from mail.orb*****.gr [185.16.xxx.xxx]:55260 closed by EOF
Michael I'm trying to understand if the Exim configuration affect people who send emails from external servers to our domains? Until now we thought that only our clients have to adapt. But if they lose email messages from external domains then the only way to fix this is that we should adapt our servers.0 -
Hello, Here's the documentation found under the "tls_require_ciphers" section in "WHM >> Exim Configuration Manager >> Advanced Editor": This option controls which ciphers can be used for incoming TLS connections. The smtp transport has an option of the same name for controlling outgoing connections. This option is expanded for each connection, so can be varied for different clients if required. The value of this option must be a list of permitted cipher suites. The OpenSSL and GnuTLS libraries handle cipher control in somewhat different ways. If GnuTLS is being used, the client controls the preference order of the available ciphers. Details are given in sections 41.4 and 41.5.
Thus, that option applies to incoming TLS connections. Does applying the workaround referenced in the thread linked in the earlier response solve the issue? Thank you.0 -
Does applying the workaround referenced in the thread linked in the earlier response solve the issue?
Yes after applying the workaround in the linked thread that specific issue has been fixed. However I noticed a few errors like this since then All of them are related to Google:... 2017-12-01 13:14:57 TLS error on connection from (vggp124.prod.google.com) [74.125.185.32]:34778 (SSL_accept): error:00000000:lib(0):func(0):reason(0) 2017-12-01 13:14:57 TLS client disconnected cleanly (rejected our certificate?) 2017-12-01 13:14:57 SMTP connection from (vggp124.prod.google.com) [74.125.185.32]:34778 closed by EOF ... ... 2017-12-01 13:14:57 TLS error on connection from (vggp124.prod.google.com) [74.125.185.32]:34778 (SSL_accept): error:00000000:lib(0):func(0):reason(0) 2017-12-01 13:14:57 TLS client disconnected cleanly (rejected our certificate?) 2017-12-01 13:14:57 SMTP connection from (vggp124.prod.google.com) [74.125.185.32]:34778 closed by EOF 2017-12-01 13:14:57 SMTP connection from [74.125.185.34]:33468 (TCP/IP connection count = 2) 2017-12-01 13:14:57 no host name found for IP address 74.125.185.34 2017-12-01 13:15:02 TLS error on connection from [2.84.180.184]:50966 (SSL_accept): error:00000000:lib(0):func(0):reason(0) 2017-12-01 13:15:02 TLS client disconnected cleanly (rejected our certificate?) 2017-12-01 13:15:18 SMTP connection from (vggp124.prod.google.com) [74.125.185.34]:33468 closed by QUIT ...
Thus, that option applies to incoming TLS connections.
So it affects not just our customers but everyone who is supposed to reach our customers, correct?0 -
-12-01 13:14:57 no host name found for IP address
This suggests the issue relates to a lack of RDNS setup for that IP address pointing to a valid hostname.So it affects not just our customers but everyone who is supposed to reach our customers, correct?
I don't believe it would reject email in the manner you have described. That sounds more like an issue with a custom configuration (I've seen this reported from customers with old ASSP configurations). I encourage you to open a support ticket so we can take a closer look to see what's happening on your specific system. Thank you.0 -
The workaround on the following thread is available should you want to allow clients using older email clients send email:
Hi! Sorry for my bad english. I have the same problem. But I don't want to change my server's encryption settings so that other people can send emails, when it's best for them to update. kalua.com.py is not hosted on my server. This is: /var/log/cat exim_mainlog | grep 'kalua.com.py' 2019-10-22 11:12:36 SMTP connection from mail.kalua.com.py [200.1.202.22]:39739 closed by EOF 2019-10-22 11:56:49 TLS error on connection from mail.kalua.com.py [200.1.202.22]:35398 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol 2019-10-22 11:56:50 SMTP connection from mail.kalua.com.py [200.1.202.22]:35398 closed by EOF What I can do? Thanks!!0
Please sign in to leave a comment.
Comments
6 comments