TLS error on connection issue

Discussion in 'E-mail Discussions' started by EneTar, Nov 29, 2017.

  1. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    125
    Likes Received:
    8
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Hi, I'm aware of the latest incompatibilities of Microsoft Outlook and Windows 7 after the latest updates to EXIM protocols, and I wanted to ask if this error is related to this issue.

    Code:
    /var/log/exim_mainlog
    TLS error on connection from mail.orb*****.gr [185.16.xxx.xxx]:49841 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

    mail.orb*****.gr is NOT hosted on our servers. It is just a sender to one of our clients.

    So what does the above error mean? How can I fix this?

    Our current configuration is
    Code:
    WHM => Mailserver Configuration => SSL Cipher List = "default settings"
    WHM => Mailserver Configuration => SSL Protocols = TLSv1.2
    WHM => Exim Configuration => Options for OpenSSL = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 (default)
    WHM => Exim Configuration => SSL/TLS Cipher Suite List = "default settings here as well"

    Does the above configuration affect people who send emails from external servers to our domains?

    We have informed all of our clients to switch to Win 10 + Outlook, apply the patch from Microsoft, or use a different email client. So far so good. However, there is no way to reach anyone who is supposed to contact our clients. It can be anyone in the world and of course we don't have access.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,734
    Likes Received:
    1,706
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The workaround on the following thread is available should you want to allow clients using older email clients to send email:

    Outlook 2016 Sending Email Fails After Cipher Suite Update

    As far as the following question:

    Could you let us know the full output from /var/log/exim_mainlog for that message delivery attempt? EX:

    Code:
    exigrep external-domain /var/log/exim_mainlog

    Thank you.
     
  3. EneTar

    EneTar Well-Known Member

    The output is a lot of lines repeating the same error:
    Code:
    2017-11-30 01:21:53 TLS error on connection from mail.orb*****.gr [185.16.xxx.xxx]:55261 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    
    2017-11-30 01:21:53 SMTP connection from mail.orb*****.gr [185.16.xxx.xxx]:55260 closed by EOF

    Michael, I'm trying to understand if the Exim configuration affects people who send emails from external servers to our domains. Until now we thought that only our clients have to adapt. But if they lose email messages from external domains, then the only way to fix this is that we should adapt our servers.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Here's the documentation found under the "tls_require_ciphers" section in "WHM >> Exim Configuration Manager >> Advanced Editor":

    Thus, that option applies to incoming TLS connections. Does applying the workaround referenced in the thread linked in the earlier response solve the issue?

    Thank you.
     
  5. EneTar

    EneTar Well-Known Member

    Yes, after applying the workaround in the linked thread, that specific issue has been fixed. However, I noticed a few errors like this since then. All of them are related to Google:

    Code:
    ...
    2017-12-01 13:14:57 TLS error on connection from (vggp124.prod.google.com) [74.125.185.32]:34778 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
    2017-12-01 13:14:57 TLS client disconnected cleanly (rejected our certificate?)
    2017-12-01 13:14:57 SMTP connection from (vggp124.prod.google.com) [74.125.185.32]:34778 closed by EOF
    ...
    ...
    2017-12-01 13:14:57 TLS error on connection from (vggp124.prod.google.com) [74.125.185.32]:34778 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
    2017-12-01 13:14:57 TLS client disconnected cleanly (rejected our certificate?)
    2017-12-01 13:14:57 SMTP connection from (vggp124.prod.google.com) [74.125.185.32]:34778 closed by EOF
    2017-12-01 13:14:57 SMTP connection from [74.125.185.34]:33468 (TCP/IP connection count = 2)
    2017-12-01 13:14:57 no host name found for IP address 74.125.185.34
    2017-12-01 13:15:02 TLS error on connection from [2.84.180.184]:50966 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
    2017-12-01 13:15:02 TLS client disconnected cleanly (rejected our certificate?)
    2017-12-01 13:15:18 SMTP connection from (vggp124.prod.google.com) [74.125.185.34]:33468 closed by QUIT
    ...
    

    So it affects not just our customers but everyone who is supposed to reach our customers, correct?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    This suggests the issue relates to a lack of RDNS setup for that IP address pointing to a valid hostname.

    I don't believe it would reject email in the manner you have described. That sounds more like an issue with a custom configuration (I've seen this reported from customers with old ASSP configurations). I encourage you to open a support ticket so we can take a closer look to see what's happening on your specific system.

    Thank you.
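
Added example (not part of the thread, and not cPanel or Exim code): a Python triage script for the question raised above, namely which remote senders log TLS errors in exim_mainlog and how their SMTP sessions ended. The sample log is constructed in the format of the lines quoted in the thread, with placeholder hosts and addresses; the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the exim_mainlog format quoted in the thread;
# hosts and addresses are documentation placeholders, not real senders.
SAMPLE_LOG = """\
2017-11-30 01:21:53 TLS error on connection from mail.example.net [192.0.2.10]:55261 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-11-30 01:21:53 SMTP connection from mail.example.net [192.0.2.10]:55260 closed by EOF
2017-12-01 13:14:57 TLS error on connection from (mx.example.org) [198.51.100.7]:34778 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
2017-12-01 13:14:57 TLS client disconnected cleanly (rejected our certificate?)
2017-12-01 13:14:57 SMTP connection from (mx.example.org) [198.51.100.7]:34778 closed by EOF
2017-12-01 13:15:18 SMTP connection from (mx.example.org) [198.51.100.9]:33468 closed by QUIT
"""

# The host part may be absent or parenthesised, as in the thread's log lines.
TLS_ERR = re.compile(
    r"^\S+ \S+ TLS error on connection from (?:(\S+) )?\[([^\]]+)\]:\d+ "
    r"\(\w+\): error:[0-9A-Fa-f]{8}:[^:]*:[^:]*:(.*)$")
CLOSED = re.compile(
    r"^\S+ \S+ SMTP connection from (?:\S+ )?\[([^\]]+)\]:\d+ closed by (\w+)")


def summarize(log_text):
    """Per remote IP: TLS failure reasons and how its SMTP sessions ended."""
    peers = defaultdict(lambda: {"host": None, "tls_errors": Counter(),
                                 "closed_by": Counter()})
    for line in log_text.splitlines():
        m = TLS_ERR.match(line)
        if m:
            host, ip, reason = m.groups()
            peer = peers[ip]
            peer["host"] = host or peer["host"]
            peer["tls_errors"][reason] += 1
            continue
        m = CLOSED.match(line)
        if m:
            # Keyed by IP only: the source port differs between related lines.
            peers[m.group(1)]["closed_by"][m.group(2)] += 1
    return peers


def tls_only_failures(peers):
    """IPs that logged TLS errors and never ended a session with QUIT."""
    return sorted(ip for ip, p in peers.items()
                  if p["tls_errors"] and not p["closed_by"]["QUIT"])


if __name__ == "__main__":
    peers = summarize(SAMPLE_LOG)
    for ip, p in peers.items():
        print(ip, p["host"], dict(p["tls_errors"]), dict(p["closed_by"]))
    print("TLS errors, no QUIT seen:", tls_only_failures(peers))
```

A sender that retries from a different address shows up as separate peers, and a session closed by QUIT is not by itself proof that a message was accepted, so confirm individual deliveries with exigrep.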
     