TLS error on connection issue

EneTar

Well-Known Member
Dec 19, 2015
Greece
cPanel Access Level
Root Administrator
Hi, I'm aware of the latest incompatibilities of Microsoft Outlook and Windows 7 after the latest updates to EXIM protocols, and I wanted to ask if this error is related to this issue.

Code:
/var/log/exim_mainlog
TLS error on connection from mail.orb*****.gr [185.16.xxx.xxx]:49841 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
mail.orb*****.gr is NOT hosted in our servers. It is just a sender to one of our clients.

So what does the above error mean? How can I fix this?

Our current configuration is
Code:
WHM => Mailserver Configuration => SSL Cipher List = "default settings"
WHM => Mailserver Configuration => SSL Protocols = TLSv1.2
WHM => Exim Configuration => Options for OpenSSL = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 (default)
WHM => Exim Configuration => SSL/TLS Cipher Suite List = "default settings here as well"

Does the above configuration affect people who send emails from external servers to our domains?

We have informed all of our clients to switch to Win 10 + Outlook, or apply the patch from Microsoft, or use a different email client. So far so good. However, there is no way to reach anyone who is supposed to contact our clients. It can be anyone in the world and of course we don't have access.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

The workaround on the following thread is available should you want to allow clients using older email clients send email:

Outlook 2016 Sending Email Fails After Cipher Suite Update

As far as the following question:

mail.orb*****.gr is NOT hosted in our servers. It is just a sender to one of our clients.

So what the above error means? How can I fix this?

Could you let us know the full output from /var/log/exim_mainlog for that message delivery attempt? EX:

Code:
exigrep external-domain /var/log/exim_mainlog
Thank you.
 

EneTar

Well-Known Member
Dec 19, 2015
Greece
cPanel Access Level
Root Administrator
Could you let us know the full output from /var/log/exim_mainlog for that message delivery attempt? EX:

Code:
exigrep external-domain /var/log/exim_mainlog
Thank you.

The output is a lot of lines repeating the same error:
Code:
2017-11-30 01:21:53 TLS error on connection from mail.orb*****.gr [185.16.xxx.xxx]:55261 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

2017-11-30 01:21:53 SMTP connection from mail.orb*****.gr [185.16.xxx.xxx]:55260 closed by EOF

Michael, I'm trying to understand: does the Exim configuration affect people who send emails from external servers to our domains? Until now we thought that only our clients had to adapt. But if they lose email messages from external domains, then the only way to fix this is that we should adapt our servers.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Here's the documentation found under the "tls_require_ciphers" section in "WHM >> Exim Configuration Manager >> Advanced Editor":

This option controls which ciphers can be used for incoming TLS connections. The smtp transport has an option of the same name for controlling outgoing connections. This option is expanded for each connection, so can be varied for different clients if required. The value of this option must be a list of permitted cipher suites. The OpenSSL and GnuTLS libraries handle cipher control in somewhat different ways. If GnuTLS is being used, the client controls the preference order of the available ciphers. Details are given in sections 41.4 and 41.5.

Thus, that option applies to incoming TLS connections. Does applying the workaround referenced in the thread linked in the earlier response solve the issue?

Thank you.
 

EneTar

Well-Known Member
Dec 19, 2015
Greece
cPanel Access Level
Root Administrator
Does applying the workaround referenced in the thread linked in the earlier response solve the issue?

Yes, after applying the workaround in the linked thread that specific issue has been fixed. However, I noticed a few errors like this since then. All of them are related to Google:

Code:
...
2017-12-01 13:14:57 TLS error on connection from (vggp124.prod.google.com) [74.125.185.32]:34778 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
2017-12-01 13:14:57 TLS client disconnected cleanly (rejected our certificate?)
2017-12-01 13:14:57 SMTP connection from (vggp124.prod.google.com) [74.125.185.32]:34778 closed by EOF
...
...
2017-12-01 13:14:57 TLS error on connection from (vggp124.prod.google.com) [74.125.185.32]:34778 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
2017-12-01 13:14:57 TLS client disconnected cleanly (rejected our certificate?)
2017-12-01 13:14:57 SMTP connection from (vggp124.prod.google.com) [74.125.185.32]:34778 closed by EOF
2017-12-01 13:14:57 SMTP connection from [74.125.185.34]:33468 (TCP/IP connection count = 2)
2017-12-01 13:14:57 no host name found for IP address 74.125.185.34
2017-12-01 13:15:02 TLS error on connection from [2.84.180.184]:50966 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
2017-12-01 13:15:02 TLS client disconnected cleanly (rejected our certificate?)
2017-12-01 13:15:18 SMTP connection from (vggp124.prod.google.com) [74.125.185.34]:33468 closed by QUIT
...

Thus, that option applies to incoming TLS connections.

So it affects not just our customers but everyone who is supposed to reach our customers, correct?
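The two kinds of log lines quoted in this thread (the repeated `SSL23_GET_CLIENT_HELLO:unknown protocol` error from the external sender, and the later `error:00000000` / `TLS client disconnected cleanly` lines from Google, plus the `no host name found` line) can be triaged from exim_mainlog without reading it by hand. The script below is an added example, not code from this thread, from cPanel or from Exim: it parses lines in the formats shown above, groups the inbound TLS handshake failures by remote peer, and tags each with a cause category. The category names and the reading of the two OpenSSL error codes are the editor's interpretation; the sample log is constructed from the lines quoted in the posts above.

```python
import re
from collections import Counter

# Constructed sample: the exim_mainlog lines quoted in this thread, masked as they appear there.
SAMPLE_LOG = """\
2017-11-30 01:21:53 TLS error on connection from mail.orb*****.gr [185.16.xxx.xxx]:55261 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-11-30 01:21:53 SMTP connection from mail.orb*****.gr [185.16.xxx.xxx]:55260 closed by EOF
2017-12-01 13:14:57 TLS error on connection from (vggp124.prod.google.com) [74.125.185.32]:34778 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
2017-12-01 13:14:57 TLS client disconnected cleanly (rejected our certificate?)
2017-12-01 13:14:57 SMTP connection from (vggp124.prod.google.com) [74.125.185.32]:34778 closed by EOF
2017-12-01 13:14:57 SMTP connection from [74.125.185.34]:33468 (TCP/IP connection count = 2)
2017-12-01 13:14:57 no host name found for IP address 74.125.185.34
2017-12-01 13:15:02 TLS error on connection from [2.84.180.184]:50966 (SSL_accept): error:00000000:lib(0):func(0):reason(0)
2017-12-01 13:15:02 TLS client disconnected cleanly (rejected our certificate?)
2017-12-01 13:15:18 SMTP connection from (vggp124.prod.google.com) [74.125.185.34]:33468 closed by QUIT
"""

# "TLS error on connection from HOST [IP]:PORT (SSL_accept): error:CODE:DETAIL"
# The hostname is optional and is sometimes wrapped in parentheses (EHLO name, not verified rDNS).
TLS_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) TLS error on connection from "
    r"(?:\(?(?P<host>[^\s\[\]()]+)\)? )?"
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+) \(SSL_accept\): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<detail>.*)$"
)
NO_RDNS_RE = re.compile(r"^\S+ \S+ no host name found for IP address (?P<ip>\S+)$")
CLEAN_DISCONNECT = "TLS client disconnected cleanly"


def classify(code, detail, next_line):
    """Map an OpenSSL SSL_accept error to a coarse cause (editor's interpretation, hypothetical labels)."""
    if code.upper() == "140760FC" or detail.endswith("unknown protocol"):
        # OpenSSL did not accept the client's first bytes as any *enabled* SSL/TLS hello:
        # typically a legacy hello format or a protocol version disabled via openssl_options.
        return "hello-rejected"
    if code == "00000000" and CLEAN_DISCONNECT in next_line:
        # No OpenSSL error at all: the peer closed the TCP connection mid-handshake without an alert.
        return "client-aborted"
    return "other"


def triage(log_text):
    """Return (events, ips_without_rdns) for every inbound TLS failure in the given log text."""
    lines = log_text.splitlines()
    events = []
    no_rdns = set()
    for i, line in enumerate(lines):
        m = TLS_ERROR_RE.match(line)
        if m:
            following = lines[i + 1] if i + 1 < len(lines) else ""
            events.append({
                "ts": m["ts"], "host": m["host"], "ip": m["ip"], "port": int(m["port"]),
                "code": m["code"], "kind": classify(m["code"], m["detail"], following),
            })
            continue
        r = NO_RDNS_RE.match(line)
        if r:
            no_rdns.add(r["ip"])
    for ev in events:
        # Flag failures from peers Exim could not resolve; those are worth checking separately.
        ev["missing_rdns"] = ev["host"] is None and ev["ip"] in no_rdns
    return events, no_rdns


def summarize(log_text):
    """Aggregate failures per (peer IP, cause) so the noisiest sender stands out."""
    events, no_rdns = triage(log_text)
    by_peer = Counter((e["ip"], e["kind"]) for e in events)
    return {"events": events, "by_peer": by_peer, "no_rdns": sorted(no_rdns)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (ip, kind), n in report["by_peer"].most_common():
        print(f"{ip:18} {kind:15} {n}")
    print("peers without rDNS:", ", ".join(report["no_rdns"]) or "none")
```

Running it over a real file (`python3 triage.py < /var/log/exim_mainlog` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) gives the same view Michael asked for with `exigrep`, but grouped: a peer that only ever produces `hello-rejected` is speaking a protocol version the server has disabled, while `client-aborted` peers got past the protocol check and hung up later, which points at the certificate or cipher stage rather than at the `+no_tlsv1` options.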
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
2017-12-01 13:14:57 no host name found for IP address

This suggests the issue relates to a lack of RDNS setup for that IP address pointing to a valid hostname.

So it affects not just our customers but everyone who is supposed to reach our customers, correct?

I don't believe it would reject email in the manner you have described. That sounds more like an issue with a custom configuration (I've seen this reported from customers with old ASSP configurations). I encourage you to open a support ticket so we can take a closer look to see what's happening on your specific system.

Thank you.
 

carlitosfigueredo

Registered
Oct 16, 2019
PARAGUAY
cPanel Access Level
Root Administrator
The workaround on the following thread is available should you want to allow clients using older email clients send email:

Hi! Sorry for my bad English.

I have the same problem.
But I don't want to change my server's encryption settings so that other people can send emails, when it's best for them to update.

kalua.com.py is not hosted on my server.

This is:

Code:
cat /var/log/exim_mainlog | grep 'kalua.com.py'

2019-10-22 11:12:36 SMTP connection from mail.kalua.com.py [200.1.202.22]:39739 closed by EOF
2019-10-22 11:56:49 TLS error on connection from mail.kalua.com.py [200.1.202.22]:35398 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2019-10-22 11:56:50 SMTP connection from mail.kalua.com.py [200.1.202.22]:35398 closed by EOF


What can I do?
Thanks!!