403 4.7.0 TLS handshake failed

dAvIdP___

Hello, I hope you can help.

I am receiving reports that a small number of external users are struggling to send emails to us. One user shared the bounce:

Code:
----- The following addresses had permanent fatal errors -----
<[email protected]>
(reason: 403 4.7.0 TLS handshake failed.)

----- Transcript of session follows -----
<[email protected]>... Deferred
Message could not be delivered for 3 days
Message will be deleted from queue
Reporting-MTA: dns; asmtp5.iomartmail.com
Arrival-Date: Mon, 18 Apr 2016 10:44:26 +0100

Final-Recipient: RFC822; [email protected]
Action: failed
Status: 4.4.7
Diagnostic-Code: SMTP; 403 4.7.0 TLS handshake failed.
Last-Attempt-Date: Thu, 21 Apr 2016 12:10:37 +0100

I have checked the setup and tested it via checktls.com, and it looks fine, leaving my only guess that the sender is trying to use a weak SSL connection that is being blocked.

I cannot find a way to actually test this though so I am struggling.

What can I try?
 

cPanelMichael

Hello,

Search for an example of one of these messages in /var/log/exim_mainlog and post the output here. Here's an example of a command you can use:

Code:
exigrep [email protected] /var/log/exim_mainlog

Ensure you use CODE tags and remove identifying information about the domain name and server.

Thank you.
 

dAvIdP___

Thank you for your reply.

I haven't got an entry for this specific email as it's older than my retained logs (I will ask for another email); however, while perusing the logs (thank you for the pointer) I noticed a large number of very similar errors:

Code:
TLS error on connection from asmtp3.iomartmail.com [62.128.201.159]:43782 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
TLS client disconnected cleanly (rejected our certificate?)

Could it be that some mail servers only want to talk securely over SSL3, or are perhaps being told SSL3 will work, where the mail server will actually only talk TLS 1.1+?
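As an added example (not from the thread or from cPanel), a small Python script that pulls the "TLS error on connection" lines out of exim_mainlog and counts them per sending host and OpenSSL reason, which is how to tell whether the failures come from a handful of legacy senders rather than from a general server misconfiguration; the sample log lines, hostnames and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog lines in the format quoted in the thread;
# hostnames and addresses are documentation placeholders, not real log data.
SAMPLE_LOG = """\
2016-04-21 12:10:37 TLS error on connection from asmtp3.example.net [192.0.2.10]:43782 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-04-21 12:10:37 TLS client disconnected cleanly (rejected our certificate?)
2016-04-21 12:11:02 TLS error on connection from asmtp5.example.net [192.0.2.11]:51200 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-04-21 12:12:45 TLS error on connection from mail.example.org [198.51.100.7]:40011 (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2016-04-21 12:13:00 TLS error on connection from asmtp3.example.net [192.0.2.10]:43790 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-04-21 12:13:30 1aT0sX-0001Ab-Cd <= sender@example.org H=mail.example.org [198.51.100.7] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=2048
"""

# One OpenSSL error as Exim reports it: "error:<code>:<lib>:<routine>:<reason>"
TLS_ERROR_RE = re.compile(
    r"TLS error on connection from (?P<host>\S+) \[(?P<ip>[^\]]+)\](?::\d+)? "
    r"\((?P<func>[^)]+)\): error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):"
    r"(?P<routine>[^:]+):(?P<reason>.+?)\s*$"
)

# Interpretation of common reason strings (added here; not stated in the thread).
REASON_HINTS = {
    "unknown protocol": "client hello not recognised as SSL/TLS: legacy protocol or non-TLS data",
    "no shared cipher": "no cipher suite offered by the client is enabled on the server",
}


def parse_tls_errors(log_text):
    """Return one dict per 'TLS error on connection' line; other lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = TLS_ERROR_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["hint"] = REASON_HINTS.get(rec["reason"], "unclassified")
            records.append(rec)
    return records


def summarize(log_text):
    """Count failures per (remote host, OpenSSL reason) so repeat offenders stand out."""
    return Counter((r["host"], r["reason"]) for r in parse_tls_errors(log_text))


if __name__ == "__main__":
    for (host, reason), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host:24s} {reason}  ->  {REASON_HINTS.get(reason, 'unclassified')}")
```

Replace SAMPLE_LOG with the contents of /var/log/exim_mainlog (or the output of the exigrep command above) to run it against real data.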
 

cPanelMichael

Hello,

Have you made any custom changes to your SSL Cipher protocols or installed a custom SSL certificate for the Exim service?

Thank you.
 

cPanelMichael

Hello,

The error message suggests the sender does not meet the SSL cipher requirements. Are you able to communicate with any of these senders to verify if they are using an outdated email client?

Thank you.