SSL errors receiving emails from other servers

Rogerio

Well-Known Member
Sep 26, 2016
78
15
8
Sao Paulo, Brazil
cPanel Access Level
Root Administrator
Hello,
I'm receiving several SSL errors when other servers try to connect to my server to deliver messages... from other (external) domains to domains on my cPanel server.

Any idea why? My cPanel install is default, no changes on ciphers and so...

Thanks
Code:
2018-04-23 14:47:43 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xx]:60149 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:48:17 TLS error on connection from a2-smithers3-1.example.tld (smtp.example.tld) [200.147.xx.xx]:16796 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:48:39 TLS error on connection from br-nsps511.sp.mr.example.com (example.com) [200.160.xxx.xx]:43262 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:48:50 TLS error on connection from smtp-05h.idc2.example.com.br (smtp-05.idc2.example.com.br) [200.219.xxx.xx]:17951 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:49:30 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xxx]:52983 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:09 TLS error on connection from moda-111.example.net [144.217.xxx.xxx]:39493 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:09 TLS error on connection from moda-104.example.net [144.217.xxx.xxx]:47965 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:17 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xxx]:52980 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:42 TLS error on connection from smtp-07c.idc2.example.com.br (smtp-07.idc2.example.com.br) [177.70.xxx.xx]:38103 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,272
1,296
363
Houston
Hello,


This is occurring due to the change in SSL protocols in v68 of cPanel. The SSLv2 and SSLv3 protocols were removed, leaving TLSv1.2.

SSLv2 and SSLv3 are both vulnerable protocols - for more information please see the following:

SSL 3.0 Protocol Vulnerability and POODLE Attack | US-CERT
SSLv2 DROWN Attack


The error message you're receiving:
SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
indicates that the client is attempting to connect using an unknown protocol, SSLv2 or SSLv3.

To work around this you would either need to allow the SSL protocols (not recommended) or request that the client begin connecting using a protocol that is secure.

Thank you,
 

Rogerio

Hello Lauren,

I understand about clients (users) sending emails using port 587, Outlook or similar, no problem.

But these errors are from "servers", MX delivery, not from users. Servers sending email on TCP port 25.

Some servers in the log, like uhserver.com and mandic.com.br, are big ISPs with hundreds of mail servers.
Any additional info?

Thanks
 

cPanelLauren

Hello,

I understand the concern. The error does indicate that they're connecting to your server using SSLv2 or SSLv3, which your server is no longer accepting. You can enable these in Exim and Dovecot and begin accepting them once more by going to WHM >> Service Configuration >> Exim Configuration Manager and WHM >> Service Configuration >> Mailserver Configuration and modifying the SSL protocols.
 

vadim2

Registered
Nov 12, 2018
3
0
1
Azerbaijan
cPanel Access Level
Root Administrator
cPanelLauren said: "You can enable these in Exim and Dovecot and begin accepting them once more by going to WHM>>Service Configuration>>Exim Configuration manager and WHM>>Service Configuration MailServer Configuration and modifying the SSL protocols"

I have a similar problem.
Can you tell me what the line for adding SSL (SSLv2 or SSLv3) looks like?
In Exim (Service Configuration » Exim Configuration Manager) I have in "Options for OpenSSL": "+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 default"
In Dovecot (Service Configuration » Mailserver Configuration) I have in "SSL Protocols": "TLSv1.2"
 

cPanelLauren

Hello @vadim2

I do not like to provide instructions on how to make yourself less secure, but essentially you'll just need to remove the no_sslvX that you want to allow, then in SSL protocols add the one you want to allow.

I don't believe this is a sustainable solution to the issue; ultimately you need to identify the software attempting to connect using these protocols and encourage your users to update.

Thanks!
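
An added example, not part of the original thread or of cPanel's tooling: one way to follow the advice above and identify which senders keep triggering these errors is to group the `TLS error on connection` lines of exim_mainlog by peer address. The function names `parse_tls_error` and `summarize` and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the exim_mainlog format quoted in this thread;
# hosts and addresses are placeholders (documentation ranges), not real senders.
SAMPLE_LOG = """\
2018-04-23 14:47:43 TLS error on connection from ([172.20.0.5]) [192.0.2.10]:60149 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:48:17 TLS error on connection from mx1.example.tld (smtp.example.tld) [198.51.100.7]:16796 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:48:20 SMTP connection from mx1.example.tld (smtp.example.tld) [198.51.100.7]:16796 closed by EOF
2018-04-23 14:52:09 TLS error on connection from mx2.example.tld [198.51.100.7]:47965 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
"""

# timestamp, optional reverse-DNS name, optional (HELO), [peer IP]:port, (call): error
TLS_ERROR = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) TLS error on connection from "
    r"(?:(?P<host>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+) \((?P<call>[^)]+)\): (?P<err>.+)$"
)

def parse_tls_error(line):
    """Return the fields of one 'TLS error on connection' line, or None."""
    m = TLS_ERROR.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # OpenSSL error strings look like error:<code>:<library>:<function>:<reason>
    parts = rec["err"].split(":", 4)
    rec["reason"] = parts[4] if len(parts) == 5 and parts[0] == "error" else rec["err"]
    return rec

def summarize(lines):
    """Group TLS handshake failures by peer IP, busiest sender first."""
    peers = defaultdict(lambda: {"count": 0, "names": set(), "reasons": set(),
                                 "first": None, "last": None})
    for line in lines:
        rec = parse_tls_error(line)
        if rec is None:
            continue  # other log entries, e.g. "closed by EOF"
        peer = peers[rec["ip"]]
        peer["count"] += 1
        peer["names"].update(n for n in (rec["host"], rec["helo"]) if n)
        peer["reasons"].add(rec["reason"])
        peer["first"] = peer["first"] or rec["ts"]
        peer["last"] = rec["ts"]
    return sorted(peers.items(), key=lambda kv: kv[1]["count"], reverse=True)

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG.splitlines()):
        print(ip, info["count"], sorted(info["names"]), info["first"], info["last"])
```

The per-peer names and first/last timestamps give you what you need to contact the sending side's postmaster or to correlate with other log entries for the same address.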
 

vadim2

Thank you!

cPanelLauren said: "then in SSL protocols add the one you want to allow."

Sorry! One question. Which SSL protocol needs to be added to receive mail from this server? How do I know? Or maybe, to avoid making the server less secure, is there a way to add this server to the whitelist?
Code:
2018-11-12 11:29:04 TLS error on connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1349 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-11-12 11:29:04 TLS error on connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1350 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-11-12 11:29:04 SMTP connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1349 closed by EOF
2018-11-12 11:29:04 SMTP connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1350 closed by EOF
 

vadim2

I left only "+no_tlsv1" in Exim Configuration Manager ---> Security ---> "Options for OpenSSL"
and changed the SSL/TLS Cipher Suite List to:
Code:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
but there is still an error in the exim_mainlog file:
Code:
2018-11-13 05:04:09 TLS error on connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:2959 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
 