Dovecot SSL Errors in Freshly Provisioned WHM VPS

Discussion in 'Security' started by gn0s1s, Mar 9, 2016.

  1. gn0s1s

    gn0s1s Member

    Joined:
    Mar 2, 2016
    Messages:
    17
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Cambodia
    cPanel Access Level:
    Root Administrator
    This appears in Dovecot logfiles:
    Code:
    dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 3 Time(s)
    dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 2 Time(s)
    Apparently this is because the permissions in the following files are not set properly:
    • /etc/pki/dovecot/certs/dovecot.pem [Set to 644 on fresh install, needs to be 444]
    • /etc/pki/dovecot/private/dovecot.pem [Set to 600 on fresh install, needs to be 400]
    More info: CentOS • View topic - [RESOLVED] dovecot + imap + ssl

    This isn't necessarily a cPanel problem or issue, but I'd venture to say it's something many freshly-provisioned WHM/cPanel VPS/Servers will run into, so I thought I'd share what seems to be the solution.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. gn0s1s

    No, as far as I am aware nothing was modified. But it appears that the fix above has not worked in this instance, since I got this again today.
    Code:
    **Unmatched Entries**
    dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 2 Time(s)
    dovecot: master: Dovecot v2.2.21 (5345f22) starting up for imap, pop3 (core dumps disabled): 1 Time(s)
    dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 2 Time(s)
     
  4. gn0s1s

    Some more unmatched entries today. Would love to get to the bottom of why they keep recurring.

    Code:
    dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 3 Time(s)
    dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher: 42 Time(s)
    dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number: 20 Time(s)
     
  5. cPanelMichael

    Please post the output from the following commands:

    Code:
    grep openssl_options /etc/exim.conf
    grep ssl_protocols /etc/dovecot/dovecot.conf
    Thank you.
     
  6. gn0s1s

    Here it is.

    Code:
    root@obscured [~]# grep openssl_options /etc/exim.conf
    openssl_options = +no_sslv2 +no_sslv3
    root@obscured [~]# grep ssl_protocols /etc/dovecot/dovecot.conf
    ssl_protocols = !SSLv2 !SSLv3
    root@obscured [~]#
    So from what I can gather these are attempts by someone to connect using an old protocol that's turned off (and turned off with good reason, if my reading is right). Is this correct?
     
  7. cPanelMichael

    Yes, you are using the default entries, and the messages suggest the person connecting is using an unsupported protocol. This can indicate the user attempting to make the connection needs to update their email client to the latest version.

    Thank you.
     
  8. gn0s1s

    There are no sites set up on this VPS yet and in fact, no domain or hostname associated with it, so there should be no users trying to access it with any protocols. I'm just trying to figure out processes for dealing with intrusion attempts and false positives in security scans before I start moving actual sites over. It seems like someone is probably using a script to move through IP ranges and trying to exploit a POODLE vulnerability using these protocols. They're gonna get the banhammer. :)
     
    cPanelMichael likes this.
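
Added example (not part of the thread and not cPanel or Dovecot code): a small triage script for the Logwatch lines quoted above. It totals the handshake failures per OpenSSL reason and per service, splits the packed error code into its library, function and reason ids, and checks that every failure occurred while reading the ClientHello, which means no IMAP/POP3 login was reached. The 8/12/12-bit split of the error code assumes the OpenSSL 1.0.x layout that matches these function names.

```python
import re
from collections import Counter

# Logwatch summary lines copied from the posts above.
SAMPLE = """\
dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 2 Time(s)
dovecot: master: Dovecot v2.2.21 (5345f22) starting up for imap, pop3 (core dumps disabled): 1 Time(s)
dovecot: pop3-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol: 3 Time(s)
dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher: 42 Time(s)
dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number: 20 Time(s)
"""

# Fields: service, packed error code, library, function, reason, count.
LINE = re.compile(
    r"dovecot: (?P<svc>[\w-]+): Error: SSL: Stacked error: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^:]+): (?P<count>\d+) Time\(s\)"
)

def unpack(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason) ids."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse(text):
    """Return one dict per SSL error line; unrelated lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            row = m.groupdict()
            row["count"] = int(row["count"])
            row["ids"] = unpack(row["code"])
            rows.append(row)
    return rows

def totals(rows, key):
    """Sum occurrence counts grouped by one parsed field, e.g. 'reason'."""
    out = Counter()
    for row in rows:
        out[row[key]] += row["count"]
    return out

def all_at_client_hello(rows):
    """True when every failure happened while reading the ClientHello."""
    return all(r["func"].endswith("GET_CLIENT_HELLO") for r in rows)

if __name__ == "__main__":
    rows = parse(SAMPLE)
    for reason, n in totals(rows, "reason").most_common():
        print(f"{n:4d}  {reason}")
    print("handshake-stage only:", all_at_client_hello(rows))
```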