Unable to connect to SMTP server using port 465: warning: Invalid TLS protocol list

Created: 2017-02-21 21:44:59 UTC

Modified: 2017-08-08 13:42:38 UTC


Applicable to:

  • Plesk Onyx for Linux

Symptoms

  • Connecting to the SMTP server on port 465 with the telnet or openssl utility fails:

    # telnet mail.example.com 465
    Trying 203.0.113.2...
    Connected to mail.example.com.
    Escape character is '^]'.
    Connection closed by foreign host.

    # openssl s_client -crlf -connect mail.example.com:465
    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 305 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1487704904
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
    ---
  • The following warnings appear in the /var/log/maillog file (/var/log/mail.log on Debian and Ubuntu):

    postfix/smtpd[901935]: warning: Wrapper-mode request dropped from external-mail.com[203.0.113.3] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.
    postfix/smtpd[901935]: warning: Invalid TLS protocol list "TLSv1 TLSv1.1 TLSv1.2": disabling TLS support
  • Postfix is used as the mail server. Its version is earlier than 2.10 and is not the latest release of the 2.6.x - 2.9.x branches (which are 2.6.19, 2.7.16, 2.8.20 and 2.9.15). To check, run the following command (dpkg -l | grep postfix on Debian and Ubuntu):

    # yum list installed | grep postfix
    postfix.x86_64 2:2.6.6-6.el6_7.1
  • The following lines are present in the Postfix main configuration file /etc/postfix/main.cf:

    # cat /etc/postfix/main.cf
    ..........
    smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
    smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
    ..........
  • OpenSSL 1.0.1 or later is installed on the server. To check, run the following command (dpkg -l | grep openssl on Debian and Ubuntu):

    # yum list installed | grep openssl
    openssl.x86_64 1.0.1e-48.el6_8.4

Cause

Postfix versions from 2.6.x to 2.9.x (earlier than 2.10) do not recognize TLSv1.1 and TLSv1.2 as valid protocol names. See the Postfix documentation for details:

http://www.postfix.org/postconf.5.html#smtp_tls_protocols
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols

Resolution

  1. Leave only the TLSv1 protocol in the smtpd_tls_mandatory_protocols and smtpd_tls_protocols parameters in the /etc/postfix/main.cf file:

    # vi /etc/postfix/main.cf
    ..........
    smtpd_tls_mandatory_protocols = TLSv1
    smtpd_tls_protocols = TLSv1
    ..........
  2. Reload Postfix configuration to apply the changes:

    # service postfix reload
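
The version rule from the Symptoms and Cause sections can be written as a check that predicts the "Invalid TLS protocol list" warning before Postfix is reloaded. This is an added example, not part of the original article or of any Plesk or Postfix tooling; the function names and the sample main.cf text are constructed for illustration, and main.cf continuation lines are not handled.

```python
import re

# Latest patch release of each affected branch, as listed under Symptoms.
LATEST_PATCH = {(2, 6): 19, (2, 7): 16, (2, 8): 20, (2, 9): 15}
NEW_NAMES = {"TLSv1.1", "TLSv1.2"}
PARAMS = ("smtpd_tls_mandatory_protocols", "smtpd_tls_protocols")

# Constructed sample input, copied from the main.cf lines shown above.
SAMPLE_MAIN_CF = """\
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
"""


def parse_version(pkg_version):
    """Turn a package version such as '2:2.6.6-6.el6_7.1' into (2, 6, 6)."""
    upstream = pkg_version.split(":", 1)[-1]  # drop the package epoch
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", upstream)
    if not match:
        raise ValueError("unrecognised Postfix version: %r" % pkg_version)
    return tuple(int(part) for part in match.groups())


def is_affected(pkg_version):
    """True for 2.6.x - 2.9.x releases older than the branch's latest patch."""
    major, minor, patch = parse_version(pkg_version)
    latest = LATEST_PATCH.get((major, minor))
    return latest is not None and patch < latest


def find_rejected(main_cf_text, pkg_version):
    """Map each smtpd TLS protocol parameter to the names Postfix rejects."""
    if not is_affected(pkg_version):
        return {}
    found = {}
    for line in main_cf_text.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name in PARAMS:
            # Items are separated by whitespace, commas or colons; a leading
            # "!" excludes a protocol but the name must still be known.
            items = [i.lstrip("!") for i in re.split(r"[\s,:]+", value) if i]
            found[name] = [i for i in items if i in NEW_NAMES]  # last wins
    return {name: bad for name, bad in found.items() if bad}


if __name__ == "__main__":
    print(find_rejected(SAMPLE_MAIN_CF, "2:2.6.6-6.el6_7.1"))
```

An empty result means the protocol lists contain no names that the installed Postfix version would reject under the rule above.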