Applicable to:
- Plesk for Linux
Symptoms
- When connecting to a mail server over SSL via an email client (e.g. Outlook), the connection fails with:
  Your server does not support the connection encryption type you have specified. Try changing the encryption method.
- One of the following error messages appears in the /var/log/maillog logfile:
  postfix/smtpd[25460]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
  dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.2, lip=203.0.113.3, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
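Before relaxing the protocol floor, it helps to know how many clients actually fail this handshake and which ones. The following POSIX shell function is an added example, not part of the Plesk article: it reads maillog lines on standard input and counts the "unknown protocol" failures quoted above per client address. The function name count_handshake_failures is my own, and the sample lines at the bottom are constructed from the two messages above (documentation IP ranges, made-up timestamps and PIDs).

```shell
#!/bin/sh
# Added example (not from the Plesk article): count the "unknown protocol"
# handshake failures quoted above per client, reading maillog lines on stdin.
# Prints "count client" pairs, most frequent first. Dovecot lines carry the
# client address in rip=...; Postfix logs the client address on a separate
# "connect from" line, so Postfix failures are grouped under one label.
count_handshake_failures() {
  awk '/SSL23_GET_CLIENT_HELLO:unknown protocol/ {
         who = "postfix (client on preceding connect-from line)"
         if (match($0, /rip=[^,]+/)) who = substr($0, RSTART + 4, RLENGTH - 4)
         n[who]++
       }
       END { for (w in n) print n[w], w }' | sort -rn
}

# Constructed sample maillog lines (addresses are documentation ranges, the
# timestamps and PIDs are made up); the last line is a different failure
# (bad certificate, alert 42) and must not be counted.
SAMPLE_LOG='Jul 23 02:16:24 mail postfix/smtpd[25460]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Jul 23 02:16:25 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.2, lip=203.0.113.3, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Jul 23 02:16:31 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.2, lip=203.0.113.3, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Jul 23 02:17:02 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=203.0.113.3, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Jul 23 02:17:40 mail postfix/smtpd[25461]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Jul 23 02:18:05 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.2, lip=203.0.113.3, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Jul 23 02:18:09 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.9, lip=203.0.113.3, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42'

# On a live server: grep 'unknown protocol' /var/log/maillog | count_handshake_failures
printf '%s\n' "$SAMPLE_LOG" | count_handshake_failures
```

With the sample input the first line of output is "3 203.0.113.2", which tells you one client is responsible for most of the failures; on a real server a short list of known addresses is a case for upgrading those clients rather than lowering the floor for everyone.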
Cause
TLSv1, SSLv3 or SSLv2 protocol support, which is required by old email clients or old software (e.g., WinHTTP-based applications on Windows 7), is disabled in the Postfix/Dovecot configuration.
By default, SSL protocols SSLv2 and SSLv3 are disabled in Postfix/Dovecot configuration as these protocols are vulnerable to the POODLE attack.
Note: SSLv3 is removed from the core crypto libraries since RHEL 8. TLS 1.0 and 1.1 are disabled in all cryptographic policies in RHEL 9. See the documentation for details.
Resolution
The best practice is to use the latest available version of email clients that support connections over TLS 1.1 and 1.2.
For WinHTTP-based applications, refer to the Microsoft article.
If for some reason this is not possible, apply the following steps:
Note: This guide is intended for Plesk administrators. If you are a domain owner, please contact your service provider for assistance with email account configuration.
For Postfix:
- Connect to the Plesk server via SSH.
- Enable support for the TLSv1 protocol:
  # plesk sbin pci_compliance_resolver --disable postfix
  # plesk sbin sslmng --services postfix --protocols 'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'
  To find out whether TLSv1 is enabled in Postfix, run the command:
  # egrep "smtpd_tls_mandatory_protocols|smtpd_tls_protocols" /etc/postfix/main.cf
- Restart Postfix:
  # service postfix restart
For Dovecot:
- Connect to the Plesk server via SSH.
- Open the file /etc/dovecot/conf.d/11-plesk-security-ssl.conf in a text editor (for example, vi) and change the value of ssl_min_protocol as follows:
  ssl_min_protocol=TLSv1
  To find out whether TLSv1 is enabled in Dovecot, run the command:
  # egrep "ssl_min_protocol" /etc/dovecot/conf.d/11-plesk-security-ssl.conf
  Note: If TLSv1 is not enabled, it will not be shown in the output.
- Restart the Dovecot service:
  # service dovecot restart
For Courier:
- Connect to the Plesk server via SSH.
- Open the files /etc/courier-imap/pop3d-ssl and /etc/courier-imap/imapd-ssl in a text editor (for example, vi) and change the values of TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL as follows:
  # grep PROTOCOL /etc/courier-imap/pop3d-ssl | grep -v ^#
  TLS_PROTOCOL=TLSv1+
  TLS_STARTTLS_PROTOCOL=TLSv1+
  # grep PROTOCOL /etc/courier-imap/imapd-ssl | grep -v ^#
  TLS_PROTOCOL=TLSv1+
  TLS_STARTTLS_PROTOCOL=TLSv1+
- Restart the Courier services:
  # service courier-imaps restart
  # service courier-pop3s restart
  # service courier-imapd restart
  # service courier-pop3d restart
  # service xinetd restart
If an email client still cannot connect, enable the SSLv2 and SSLv3 protocols in the Postfix configuration:
Warning: Such a configuration is not recommended due to security vulnerabilities. Apply it at your own risk!
- Connect to the Plesk server via SSH.
- Open the file /etc/postfix/main.cf in a text editor and set an empty value for "smtpd_tls_mandatory_protocols" and "smtpd_tls_protocols":
  # egrep "smtpd_tls_mandatory_protocols|smtpd_tls_protocols" /etc/postfix/main.cf
  smtpd_tls_mandatory_protocols =
  smtpd_tls_protocols =
- Restart Postfix:
  # service postfix restart
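Each of the procedures above lowers a protocol floor in a different configuration file, and the last one (an empty Postfix value) allows every protocol the library supports, so it is easy to lose track of what a server currently accepts. The following POSIX shell script is an added example, not part of the Plesk article: it reads the Postfix and Dovecot settings those steps change and reports whether SSLv2, SSLv3, TLSv1 or TLSv1.1 are still accepted. The function names (config_value, token_present, postfix_protocol_risk, dovecot_protocol_risk, audit_mail_tls) are my own, the file paths are parameters, and the run at the end uses constructed sample files in a temporary directory rather than the live configuration. The ">=TLSv1.2" floor form it recognises is Postfix 3.6+ syntax; Courier's TLS_PROTOCOL keys are not covered.

```shell
#!/bin/sh
# Added example (not from the Plesk article): audit the Postfix and Dovecot
# protocol settings the steps above modify. All function names are my own;
# the sample files at the bottom are constructed, not real Plesk output.

# Print the effective value of KEY ($2) in FILE ($1). Accepts "key = value"
# and "key=value", skips comment lines, and lets the last occurrence win,
# which is how Postfix and Dovecot resolve duplicate keys.
config_value() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
    | tail -n 1 | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# True when TOKEN ($1) appears as a whole word in the space-separated LIST ($2).
token_present() { printf ' %s ' "$2" | grep -qF -- " $1 "; }

# Classify a Postfix smtpd_tls_protocols / smtpd_tls_mandatory_protocols
# value: prints "legacy" if SSLv2, SSLv3, TLSv1 or TLSv1.1 would be accepted,
# "ok" otherwise. Covers the Postfix forms: empty (everything allowed, the
# state the last procedure above produces), an exclusion list such as
# "!SSLv2, !SSLv3", an inclusion list such as "TLSv1.2 TLSv1.3", and the
# ">=TLSv1.2" floor syntax available since Postfix 3.6.
postfix_protocol_risk() {
  v=$(printf '%s' "$1" | tr ',' ' ')
  if [ -z "$v" ]; then echo legacy; return; fi
  case "$v" in
    *'>=TLSv1.2'*|*'>=TLSv1.3'*) echo ok; return ;;
    *'>='*) echo legacy; return ;;
    '!'*) mode=exclude ;;
    *) mode=include ;;
  esac
  for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
    if [ "$mode" = exclude ]; then
      # exclusion list: every weak protocol must be excluded explicitly
      if ! token_present "!$p" "$v"; then echo legacy; return; fi
    elif token_present "$p" "$v"; then
      # inclusion list: naming any weak protocol is enough
      echo legacy; return
    fi
  done
  echo ok
}

# Classify a Dovecot ssl_min_protocol value. Anything below TLSv1.2, or an
# absent value (the default floor then depends on the Dovecot version), is
# reported as legacy.
dovecot_protocol_risk() {
  case "$1" in
    TLSv1.2|TLSv1.3) echo ok ;;
    *) echo legacy ;;
  esac
}

# Audit one Postfix main.cf ($1) and one Dovecot SSL config ($2). Prints one
# line per setting and returns 0 only when no legacy protocol is enabled.
audit_mail_tls() {
  rc=0
  for key in smtpd_tls_protocols smtpd_tls_mandatory_protocols; do
    val=$(config_value "$1" "$key")
    r=$(postfix_protocol_risk "$val")
    echo "postfix $key = '$val' -> $r"
    [ "$r" = ok ] || rc=1
  done
  val=$(config_value "$2" ssl_min_protocol)
  r=$(dovecot_protocol_risk "$val")
  echo "dovecot ssl_min_protocol = '$val' -> $r"
  [ "$r" = ok ] || rc=1
  return $rc
}

# Constructed sample files standing in for /etc/postfix/main.cf and
# /etc/dovecot/conf.d/11-plesk-security-ssl.conf after the procedure above.
demo=$(mktemp -d)
cat > "$demo/main.cf" <<'EOF'
# constructed sample, not a real Plesk main.cf
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
EOF
printf 'ssl_min_protocol = TLSv1\n' > "$demo/11-plesk-security-ssl.conf"
audit_mail_tls "$demo/main.cf" "$demo/11-plesk-security-ssl.conf" \
  || echo "legacy protocols are enabled; revert once old clients are upgraded"
rm -rf "$demo"
```

Run it against the real paths (/etc/postfix/main.cf and /etc/dovecot/conf.d/11-plesk-security-ssl.conf) after applying the procedure, and again once the legacy clients have been replaced, to confirm the floor is back at TLSv1.2; a non-zero exit status makes it usable from a cron job or monitoring check.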
Comments
5 comments
Nowadays I have a bug with dovecot:
"Jul 23 02:16:24 mail dovecot[10590]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=77.179.108.18, lip=62.138.7.233, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<kQhQxBCrYt5Ns2wS>"
It happened on its own after an update; it's the newest version of Onyx.
TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
I can't renew the certificate under Server Tools -> SSL (Let's Encrypt).
Hello Jan, the error "SSL alert number 42" means that your certificate is not correct (it might be expired, or it might not match the server name you use in the mail client: e.g., in the mail client it is example.com and you have a certificate for domain.com). You need to issue a new one or renew it under Tools & Settings > SSL/TLS support > Mail server
"You need to issue a new one or renew it under Tools & Settings > SSL/TLS support > Mail server"
I had done this with no success. The domain name is mail.bludau-media.de for the DNS PTR.
@Jan Bludau
Hi, according to https://ssl-tools.net/mailservers/, the certificate for the mail server is issued for bludau-media.de, whereas it is expected to be exactly for mail.bludau-media.de. The certificate issued for 'mail.bludau-media.de' should be selected under Tools & Settings > SSL/TLS support > Mail server.
How to add SSLv3 to dovecot to support old clients?