SSL errors receiving emails from other servers

[Rogerio]

Hello,
I'm receiving several SSL errors when other servers try to connect in my server to deliver messages... from other (external) domains to domains on my cPanel server.

Any idea why? My cPanel install is default, no changes on ciphers and so...

Thanks

2018-04-23 14:47:43 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xx]:60149 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:48:17 TLS error on connection from a2-smithers3-1.example.tld (smtp.example.tld) [200.147.xx.xx]:16796 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:48:39 TLS error on connection from br-nsps511.sp.mr.example.com (example.com) [200.160.xxx.xx]:43262 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:48:50 TLS error on connection from smtp-05h.idc2.example.com.br (smtp-05.idc2.example.com.br) [200.219.xxx.xx]:17951 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:49:30 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xxx]:52983 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:09 TLS error on connection from moda-111.example.net [144.217.xxx.xxx]:39493 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:09 TLS error on connection from moda-104.example.net [144.217.xxx.xxx]:47965 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:17 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xxx]:52980 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-04-23 14:52:42 TLS error on connection from smtp-07c.idc2.example.com.br (smtp-07.idc2.example.com.br) [177.70.xxx.xx]:38103 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

 

[cPanelLauren]

Hello,


This is occurring due to the change isn SSL protocols in v68 of cPanel. The SSLv2 and SSLv3 protocols were removed leaving TLSv1.2

SSLv2 and SSLv3 are both vulnerable protocols - for more information please see the following:

SSL 3.0 Protocol Vulnerability and POODLE Attack | US-CERT
SSLv2 DROWN Attack


The error message you're receiving

SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Indicates that the client is attempting to connect using an unknown protocol SSLv2 or SSLv3

To workaround this you would either need to allow the SSL protocols (not recommended) or request that the client begin connecting using a protocol that is secure.

Thank you,

 

[Rogerio]

Hello Lauren,

I understand about clients (users) sending emails using port 587, OutLook or similar, no problem.

But these errors are from "servers", MX delivery, not from users. Servers sending email on TCP Port 25.

Some servers on the log, like uhserver.com and mandic.com.br are big ISP with hundred of mail servers.
Any additional info?

Thanks

 

[cPanelLauren]

Hello,

I understand the concern. The error does indicate that they're connecting to your server using SSLv2 or SSLv3 which your server is no longer accepting. You can enable these in Exim and Dovecot and begin accepting them once more by going to WHM>>Service Configuration>>Exim Configuration manager and WHM>>Service Configuration MailServer Configuration and modifying the SSL protocols

 

[vadim2]

You can enable these in Exim and Dovecot and begin accepting them once more by going to WHM>>Service Configuration>>Exim Configuration manager and WHM>>Service Configuration MailServer Configuration and modifying the SSL protocols

I have a similar problem.
Can you tell me how the line for adding SSL (SSLv2 or SSLv3) looks like?
in exim (Service Configuration »Exim Configuration Manager) I have in "Options for OpenSSL": "+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 default"
in dovecot (Service Configuration »Mailserver Configuration) I have in "SSL Protocols" : "TLSv1.2"

 

[cPanelLauren]

Hello @vadim2

I do not like to provide instructions on how to make yourself less secure but essentially you'll just need to remove the no_sslvX that you want to allow, then in SSL protocols add the one you want to allow.

I don't believe this is a sustainable solution to the issue, ultimately you need to identify the software attempting to connect using these protocols and encourage your users to update.

Thanks!

 

[vadim2]

thank you!

then in SSL protocols add the one you want to allow.

Sorry! One question. Which SSL protocol need to be add for receive mail from this server? How do i know? Or maybe for avoid less secure on server there is a way to add this server to the white list?

2018-11-12 11:29:04 TLS error on connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1349 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-11-12 11:29:04 TLS error on connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1350 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-11-12 11:29:04 SMTP connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1349 closed by EOF
2018-11-12 11:29:04 SMTP connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1350 closed by EOF

 

[vadim2]

I left only "+no_tlsv1" in Exim Configuration Manager ---> security "Options for OpenSSL"
and SSL/TLS Cipher Suite List changed to the:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

but there is still an error in the file exim_mainlog

2018-11-13 05:04:09 TLS error on connection from
mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:2959 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

 

[cPanelLauren]

Hello @vadim2


Did you add the SSLvX version that you want to allow in the SSL protocol box?