SSL errors receiving emails from other servers

Discussion in 'E-mail Discussion' started by Rogerio, Apr 23, 2018.

  1. Rogerio

    Rogerio Well-Known Member

    Joined:
    Sep 26, 2016
    Messages:
    47
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Sao Paulo, Brazil
    cPanel Access Level:
    Root Administrator
    Hello,
    I'm receiving several SSL errors when other servers try to connect to my server to deliver messages... from other (external) domains to domains on my cPanel server.

    Any idea why? My cPanel install is default, no changes on ciphers and so...

    Thanks
    Code:
    2018-04-23 14:47:43 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xx]:60149 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2018-04-23 14:48:17 TLS error on connection from a2-smithers3-1.example.tld (smtp.example.tld) [200.147.xx.xx]:16796 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2018-04-23 14:48:39 TLS error on connection from br-nsps511.sp.mr.example.com (example.com) [200.160.xxx.xx]:43262 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2018-04-23 14:48:50 TLS error on connection from smtp-05h.idc2.example.com.br (smtp-05.idc2.example.com.br) [200.219.xxx.xx]:17951 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2018-04-23 14:49:30 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xxx]:52983 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2018-04-23 14:52:09 TLS error on connection from moda-111.example.net [144.217.xxx.xxx]:39493 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2018-04-23 14:52:09 TLS error on connection from moda-104.example.net [144.217.xxx.xxx]:47965 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2018-04-23 14:52:17 TLS error on connection from ([172.20.xx.x]) [177.79.xx.xxx]:52980 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2018-04-23 14:52:42 TLS error on connection from smtp-07c.idc2.example.com.br (smtp-07.idc2.example.com.br) [177.70.xxx.xx]:38103 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol 
    
     
    #1 Rogerio, Apr 23, 2018
    Last edited by a moderator: Nov 12, 2018 at 7:22 AM
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,517
    Likes Received:
    251
    Trophy Points:
    193
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello,


    This is occurring due to the change in SSL protocols in v68 of cPanel. The SSLv2 and SSLv3 protocols were removed, leaving TLSv1.2.

    SSLv2 and SSLv3 are both vulnerable protocols - for more information please see the following:

    SSL 3.0 Protocol Vulnerability and POODLE Attack | US-CERT
    SSLv2 DROWN Attack


    The error message you're receiving indicates that the client is attempting to connect using an unknown protocol, SSLv2 or SSLv3.

    To work around this you would either need to allow the SSL protocols (not recommended) or request that the client begin connecting using a protocol that is secure.

    Thank you,
     
  3. Rogerio

    Rogerio Well-Known Member

    Hello Lauren,

    I understand about clients (users) sending emails using port 587, Outlook or similar, no problem.

    But these errors are from "servers", MX delivery, not from users. Servers sending email on TCP port 25.

    Some servers in the log, like uhserver.com and mandic.com.br, are big ISPs with hundreds of mail servers.
    Any additional info?

    Thanks
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hello,

    I understand the concern. The error does indicate that they're connecting to your server using SSLv2 or SSLv3, which your server is no longer accepting. You can enable these in Exim and Dovecot and begin accepting them once more by going to WHM >> Service Configuration >> Exim Configuration Manager and WHM >> Service Configuration >> Mailserver Configuration and modifying the SSL protocols.
     
    Rogerio likes this.
  5. vadim2

    vadim2 Registered

    Joined:
    Monday
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Azerbaijan
    cPanel Access Level:
    Root Administrator
    I have a similar problem.
    Can you tell me what the line for adding SSL (SSLv2 or SSLv3) looks like?
    In Exim (Service Configuration » Exim Configuration Manager) I have in "Options for OpenSSL": "+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 default"
    In Dovecot (Service Configuration » Mailserver Configuration) I have in "SSL Protocols": "TLSv1.2"
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hello @vadim2

    I do not like to provide instructions on how to make yourself less secure but essentially you'll just need to remove the no_sslvX that you want to allow, then in SSL protocols add the one you want to allow.

    I don't believe this is a sustainable solution to the issue, ultimately you need to identify the software attempting to connect using these protocols and encourage your users to update.

    Thanks!
     
  7. vadim2

    vadim2 Registered

    Thank you!
    Sorry! One question. Which SSL protocol needs to be added to receive mail from this server? How do I know? Or, to avoid making the server less secure, is there a way to add this server to the whitelist?
    Code:
    2018-11-12 11:29:04 TLS error on connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1349 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2018-11-12 11:29:04 TLS error on connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1350 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    2018-11-12 11:29:04 SMTP connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1349 closed by EOF
    2018-11-12 11:29:04 SMTP connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:1350 closed by EOF
    
     
  8. vadim2

    vadim2 Registered

    I left only "+no_tlsv1" in Exim Configuration Manager ---> Security, "Options for OpenSSL",
    and changed the SSL/TLS Cipher Suite List to:
    Code:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    
    but there is still an error in the file exim_mainlog:
    Code:
    2018-11-13 05:04:09 TLS error on connection from mail23552.example.com (080332.static.example.net) [222.255.xxx.xx]:2959 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    
     
    #8 vadim2, Nov 13, 2018 at 1:49 AM
    Last edited: Nov 13, 2018 at 2:04 AM
  9. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Hello @vadim2


    Did you add the SSLvX version that you want to allow in the SSL protocol box?
     
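To follow up on the advice in the thread to identify which connecting hosts trigger these handshake failures, the `TLS error on connection` lines in exim_mainlog can be grouped by remote IP and compared against connections from the same IP that did complete TLS. This is an added example, not part of the original posts or of cPanel's tooling; the log lines are constructed in the format quoted above, and it assumes Exim's `tls_cipher` log selector is enabled so that accepted messages carry an `X=` field.

```python
import re
from collections import Counter

# Constructed sample in the exim_mainlog format quoted in the thread;
# hostnames and addresses are documentation placeholders, not real peers.
SAMPLE_LOG = """\
2018-11-12 11:29:04 TLS error on connection from mail1.example.com (helo.example.net) [192.0.2.10]:1349 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-11-12 11:29:04 TLS error on connection from mail1.example.com (helo.example.net) [192.0.2.10]:1350 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-11-12 11:29:04 SMTP connection from mail1.example.com (helo.example.net) [192.0.2.10]:1349 closed by EOF
2018-11-12 11:30:10 TLS error on connection from ([172.20.0.5]) [198.51.100.7]:60149 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2018-11-12 11:35:00 1gM0aB-0001Xy-2k <= sender@example.org H=([172.20.0.5]) [198.51.100.7]:60200 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=1234
"""

# "<ts> TLS error on connection from <host/helo> [ip]:port (SSL_accept): error:...:<reason>"
TLS_ERR = re.compile(
    r"^(?P<ts>\S+ \S+) TLS error on connection from (?P<peer>.*?)\s*"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+ \(\w+\): (?P<err>.+?)\s*$")
# Accepted message ("<=") received over TLS: X=<protocol>:<cipher>:<bits>
TLS_OK = re.compile(
    r" <= .*?\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)? .*?\bX=(?P<proto>[^:\s]+)")


def summarize_tls_errors(log_text):
    """Group TLS handshake failures by remote IP and record any protocol
    the same IP negotiated successfully elsewhere in the log."""
    failures, negotiated = {}, {}
    for line in log_text.splitlines():
        ok = TLS_OK.search(line)
        if ok:
            negotiated.setdefault(ok["ip"], set()).add(ok["proto"])
            continue
        m = TLS_ERR.match(line)
        if not m:
            continue  # e.g. "closed by EOF" lines carry no TLS detail
        e = failures.setdefault(m["ip"], {"count": 0, "peers": set(),
                                          "reasons": Counter(), "first": m["ts"]})
        e["count"] += 1
        e["peers"].add(m["peer"])
        e["reasons"][m["err"].rsplit(":", 1)[-1]] += 1  # last field is the OpenSSL reason
        e["last"] = m["ts"]
    for ip, e in failures.items():
        e["also_negotiated"] = sorted(negotiated.get(ip, ()))
    return failures


if __name__ == "__main__":
    rows = sorted(summarize_tls_errors(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for ip, e in rows:
        print(ip, e["count"], dict(e["reasons"]), sorted(e["peers"]),
              e["also_negotiated"] or "no successful TLS seen")
```

A peer that appears with failures and also under `also_negotiated` completes TLS on some connections, so a blanket protocol downgrade on the server is not what that peer needs; a peer with failures only is the one to contact or investigate further.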