TLS error log flooding
Today the server is flooded with new TLS errors, and many customers are unable to send emails:
/var/log/exim_mainlog :
2017-12-01 22:20:34 [11213] TLS error on connection from [x.x.x.x]:51484 I=[x.x.x.x.x]:465 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-12-01 22:20:34 [11213] TLS client disconnected cleanly (rejected our certificate?)
Now some customers are able to send messages while others are not. No change has been made and Exim options are at their defaults. I wonder if some recent cPanel update with TLS or Exim ciphers can be the cause of this serious problem. Please, can somebody from the cPanel staff explain how to solve this problem, or how to restore the previous situation? Ticket support shows a warning that it's very busy. This is very urgent!!! Thanks!
-
Solved by myself. As I suspected, the latest cPanel update was the cause. Many people have mail software which is not recent and they are connecting with TLS 1. Solved by changing the ciphers with:
tls_require_ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
and TLS options:
openssl_options = +no_sslv2 +no_sslv3
-
Hello, I'm glad to see you were able to solve the issue. Note this topic is discussed on the following thread: "Outlook 2016 Sending Email Fails After Cipher Suite Update". Thank you.
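A log triage sketch for the errors quoted in this thread, added as an example and not part of any post here: it groups exim_mainlog TLS errors by listening port and OpenSSL reason and counts distinct clients, which shows how many clients a cipher or protocol change is affecting. The sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches Exim "TLS error on connection" lines in the layout quoted in the thread.
# The [pid] field depends on log_selector, so it is treated as optional here.
TLS_ERR = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:\[\d+\] )?"
    r"TLS error on connection from .*?\[(?P<client>[^\]]+)\]:\d+ "
    r"I=\[[^\]]+\]:(?P<port>\d+) \((?P<call>\w+)\): (?P<detail>.*)$"
)

def parse_line(line):
    """Return a dict for a TLS error line, or None for any other log line."""
    m = TLS_ERR.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # OpenSSL detail layout: error:<hex code>:<library>:<function>:<reason>
    parts = rec["detail"].split(":", 4)
    rec["reason"] = parts[4] if len(parts) == 5 and parts[0] == "error" else rec["detail"]
    return rec

def summarize(lines):
    """Group TLS errors by (listening port, reason): hit count and distinct clients."""
    out = defaultdict(lambda: {"count": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec:
            bucket = out[(int(rec["port"]), rec["reason"])]
            bucket["count"] += 1
            bucket["clients"].add(rec["client"])
    return dict(out)

# Constructed sample lines (documentation IP ranges), same layout as the thread's log.
SAMPLE = """\
2017-12-01 22:20:34 [11213] TLS error on connection from [192.0.2.10]:51484 I=[203.0.113.5]:465 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-12-01 22:20:34 [11213] TLS client disconnected cleanly (rejected our certificate?)
2017-12-01 22:20:41 [11240] TLS error on connection from mail.example.net (client) [192.0.2.10]:51490 I=[203.0.113.5]:465 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-12-01 22:21:02 [11302] TLS error on connection from [198.51.100.7]:40112 I=[203.0.113.5]:587 (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
""".splitlines()

if __name__ == "__main__":
    rows = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"])
    for (port, reason), b in rows:
        print(f"port {port:<4} {reason:<20} {b['count']:>3} errors, {len(b['clients'])} clients")
```

To run it against a real log, pass the open file object for /var/log/exim_mainlog to `summarize()` in place of `SAMPLE`.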