The Community Forums


403 4.7.0 TLS handshake failed

Discussion in 'E-mail Discussions' started by dAvIdP___, Jun 13, 2016.

  1. dAvIdP___

    dAvIdP___ Registered

    Joined:
    Jun 13, 2016
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Hello, I hope you can help.

    I am receiving reports that a small number of external users are struggling to send emails to us. One user shared the bounce:

    Code:
    ----- The following addresses had permanent fatal errors -----
    <someusr@example.co.uk>
    (reason: 403 4.7.0 TLS handshake failed.)
    
    ----- Transcript of session follows -----
    <craig@example.co.uk>... Deferred
    Message could not be delivered for 3 days
    Message will be deleted from queue
    Reporting-MTA: dns; asmtp5.iomartmail.com
    Arrival-Date: Mon, 18 Apr 2016 10:44:26 +0100
    
    Final-Recipient: RFC822; craig@example.co.uk
    Action: failed
    Status: 4.4.7
    Diagnostic-Code: SMTP; 403 4.7.0 TLS handshake failed.
    Last-Attempt-Date: Thu, 21 Apr 2016 12:10:37 +0100
    
    
    I have checked the setup and tested it via checktls.com, and it looks fine, leaving my only guess that the sender is trying to use a weak SSL connection that is being blocked.

    I cannot find a way to actually test this though so I am struggling.

    What can I try?
     
    #1 dAvIdP___, Jun 13, 2016
    Last edited by a moderator: Jun 13, 2016
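The test the poster could not find: a STARTTLS probe, added here as an example and not part of the original post. It pins the client to one TLS version at a time (and optionally one cipher list) and reports whether the handshake with the MX completes, which is the same failure the bounce reports from the sender's side. The hostname mail.example.co.uk and port 25 are placeholders, the probe needs network access to the server under test, and certificate verification is switched off on purpose because the question is whether the handshake completes at all.

```python
"""STARTTLS probe: which TLS versions (and ciphers) does the MX actually accept?

Added example, not from the forum thread. mail.example.co.uk and port 25 are
placeholders; run it against your own MX. Needs Python 3.7+ for ssl.TLSVersion.
"""
import smtplib
import socket
import ssl
import sys

# Versions to try one at a time; a handshake failure for an old version is
# exactly what a sender limited to that version sees as "TLS handshake failed".
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def client_context(version, ciphers=None):
    """Client context pinned to exactly one protocol version.

    Certificate verification is disabled on purpose: the question here is
    whether the handshake completes, not whether the name or chain validates.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if ciphers:
        ctx.set_ciphers(ciphers)  # raises ssl.SSLError if nothing matches locally
    return ctx


def probe(host, port, version, ciphers=None, timeout=10):
    """EHLO, then STARTTLS with the pinned context. Returns (ok, detail)."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False, "server does not advertise STARTTLS"
            smtp.starttls(context=client_context(version, ciphers))
            # After starttls() smtp.sock is the wrapped SSLSocket.
            return True, "%s %s" % (smtp.sock.version(), smtp.sock.cipher()[0])
    except ssl.SSLError as exc:
        return False, "handshake failed: %s" % (exc.reason or exc)
    except (smtplib.SMTPException, socket.error) as exc:
        return False, "smtp/socket error: %s" % exc


def accepted_versions(results):
    """Names of the versions whose handshake completed, in probe order."""
    return [name for name, (ok, _) in results.items() if ok]


def diagnose(results):
    """One-line reading of the per-version outcomes."""
    accepted = accepted_versions(results)
    if not accepted:
        return "no version completed a handshake; check the certificate/key pair and the Exim TLS settings"
    rejected = [name for name, (ok, _) in results.items() if not ok]
    if rejected:
        return "accepted: %s; rejected: %s (a sender limited to a rejected version gets the handshake failure)" % (
            ", ".join(accepted), ", ".join(rejected))
    return "accepted: %s" % ", ".join(accepted)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.co.uk"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    results = {name: probe(host, port, ver) for name, ver in VERSIONS.items()}
    for name, (ok, detail) in results.items():
        print("%-8s %-4s %s" % (name, "ok" if ok else "FAIL", detail))
    print(diagnose(results))
    # Cipher check: does the server still accept a legacy 3DES suite on TLS 1.2?
    ok, detail = probe(host, port, ssl.TLSVersion.TLSv1_2, ciphers="DES-CBC3-SHA")
    print("3DES on TLSv1.2: %s (%s)" % ("accepted" if ok else "rejected", detail))
```

Run it as `python3 starttls_probe.py mail.example.co.uk 25`. A "handshake failed" row for TLSv1 or TLSv1.1 next to an "ok" row for TLSv1.2 is the expected shape after a PCI hardening pass; the 3DES line tells you whether the cipher list actually took effect. Compare with the sender's own MTA logs if you can get them, since their side shows which version it offered.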
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Search for an example of one of these messages in /var/log/exim_mainlog and post the output here. Here's an example of a command you can use:

    Code:
    exigrep user@domain /var/log/exim_mainlog
    Ensure you use CODE tags and remove identifying information about the domain name and server.

    Thank you.
     
  3. dAvIdP___

    Thank you for your reply.

    I haven't got an entry for this specific email as it's older than my retained logs (I will ask for another email). However, while perusing the logs (thank you for the pointer) I noticed a large number of very similar errors:

    Code:
    TLS error on connection from asmtp3.iomartmail.com [62.128.201.159]:43782 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    TLS client disconnected cleanly (rejected our certificate?)
    Could it be that some mail servers are wanting to only securely talk on SSL3, or perhaps being told SSL3 will work, where the mail server actually will only talk on TLS 1.1+?
     
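A way to get the overview the exigrep suggestion points at, added here as an example and not part of the original thread: it reads exim_mainlog lines, keeps only the "TLS error on connection from" entries, and counts them per sending host and per OpenSSL reason string, so one relay producing hundreds of "unknown protocol" entries stands out from a genuine cipher mismatch. The embedded log lines are constructed with documentation hostnames and addresses in the format of the line quoted above, and the reason-string interpretations are a heuristic reading of the OpenSSL error text, not something the thread states.

```python
"""Aggregate TLS handshake failures logged by Exim in /var/log/exim_mainlog.

Added example, not from the forum thread. SAMPLE_LOG is constructed (documentation
hostnames and addresses) in the format of the line quoted in the post; REASONS is
a heuristic reading of the OpenSSL reason strings as seen from the accepting side.
"""
import re
import sys
from collections import Counter

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
ERROR_RE = re.compile(
    r"^(?P<ts>" + TS + r") TLS error on connection from "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\]:\d+ \((?P<call>\w+)\): "
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>.*)$"
)
DISCONNECT_RE = re.compile(
    r"^" + TS + r" TLS client disconnected cleanly \(rejected our certificate\?\)$"
)

# Heuristic interpretations (assumption, not from the thread).
REASONS = {
    "unknown protocol": "the bytes sent after STARTTLS were not a recognisable SSL/TLS hello "
                        "(plaintext, or a legacy hello format the server no longer parses)",
    "wrong version number": "the client offered a protocol version the server has disabled",
    "no shared cipher": "no cipher in common with the server's tls_require_ciphers list",
    "unsupported protocol": "the client offered only protocol versions the server has disabled",
}

# Constructed sample: three senders, one unrelated delivery line, one bare disconnect.
SAMPLE_LOG = """\
2016-06-13 09:12:01 TLS error on connection from mta-a.example.net [203.0.113.10]:43782 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-06-13 09:12:01 TLS client disconnected cleanly (rejected our certificate?)
2016-06-13 09:40:17 TLS error on connection from mta-a.example.net [203.0.113.10]:51220 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-06-13 10:03:55 TLS error on connection from relay.example.org [198.51.100.7]:60112 (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2016-06-13 10:30:02 1bC3dE-000123-Fg <= sender@example.org H=relay.example.org [198.51.100.7] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=2048
2016-06-13 11:15:44 TLS error on connection from old-mx.example.com [192.0.2.44]:3301 (SSL_accept): error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""


def parse_tls_errors(lines):
    """Yield one dict per 'TLS error on connection from' line; other lines are ignored."""
    for line in lines:
        m = ERROR_RE.match(line.rstrip("\n"))
        if m:
            rec = m.groupdict()
            rec["meaning"] = REASONS.get(
                rec["reason"], "unclassified; decode the code with `openssl errstr <code>`")
            yield rec


def summarise(lines):
    """Failures per sending host and per OpenSSL reason, plus the bare-disconnect count."""
    lines = [line.rstrip("\n") for line in lines]
    by_sender, by_reason = Counter(), Counter()
    for rec in parse_tls_errors(lines):
        by_sender[(rec["host"], rec["ip"])] += 1
        by_reason[rec["reason"]] += 1
    disconnects = sum(1 for line in lines if DISCONNECT_RE.match(line))
    return {"by_sender": by_sender, "by_reason": by_reason, "disconnects": disconnects}


def report(summary):
    """Plain-text report, returned as a string so it can be checked or printed."""
    out = ["TLS handshake failures by sender:"]
    for (host, ip), n in summary["by_sender"].most_common():
        out.append("  %5d  %s [%s]" % (n, host, ip))
    out.append("By OpenSSL reason:")
    for reason, n in summary["by_reason"].most_common():
        out.append("  %5d  %s: %s" % (n, reason, REASONS.get(reason, "unclassified")))
    out.append("Bare 'rejected our certificate?' disconnects: %d" % summary["disconnects"])
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 tls_errors.py /var/log/exim_mainlog
        with open(sys.argv[1], errors="replace") as fh:
            print(report(summarise(fh)))
    else:
        print(report(summarise(SAMPLE_LOG.splitlines())))
```

The per-sender count is the thing to look at first: a handful of hosts responsible for nearly all entries points at those senders' MTAs, whereas failures spread evenly across many hosts points back at the local certificate or cipher configuration. The unrelated `<=` delivery line in the sample shows the parser only picks up the handshake errors.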
  4. cPanelMichael

    Hello,

    Have you made any custom changes to your SSL Cipher protocols or installed a custom SSL certificate for the Exim service?

    Thank you.
     
  5. dAvIdP___

    Yes to both for PCI.

    A UCC SSL for the Exim service, including the mail server DNS name, and cipher changes as recommended.
     
  6. cPanelMichael

    Hello,

    The error message suggests the sender does not meet the SSL cipher requirements. Are you able to communicate with any of these senders to verify if they are using an outdated email client?

    Thank you.
     