Applicable to:
- Plesk for Linux
Symptoms
- When connecting to a mail server over SSL via an email client (e.g. Outlook), the connection fails with:
  Your server does not support the connection encryption type you have specified. Try changing the encryption method.
- One of the following error messages appears in the /var/log/maillog logfile:
  postfix/smtpd[25460]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
  dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.2, lip=203.0.113.3, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
  Apr 4 15:09:46 server dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, rip=203.0.113.2, lip=203.0.113.3, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session=<ek3VukYVN8hervMa>
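Added example (not part of the Plesk article): a small Python scanner for the two OpenSSL error codes quoted above, so an administrator can see from /var/log/maillog which service rejected legacy handshakes and which client addresses are affected before deciding whether to upgrade clients or touch the server configuration. The log sample is constructed from the messages above with RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed sample of /var/log/maillog lines modelled on the messages quoted above
# (RFC 5737 documentation addresses, not real traffic). One healthy login is mixed in.
SAMPLE_MAILLOG = """\
Apr  4 15:09:40 server postfix/smtpd[25460]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Apr  4 15:09:41 server dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.2, lip=203.0.113.3, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Apr  4 15:09:46 server dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, rip=203.0.113.2, lip=203.0.113.3, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session=<ek3VukYVN8hervMa>
Apr  4 15:10:02 server dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.9, lip=203.0.113.3, TLS, session=<abc123>
Apr  4 15:10:15 server dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=203.0.113.3, TLS handshaking
"""

# The two OpenSSL error codes from the Symptoms section. Both mean the client hello
# asked for a protocol version (SSLv2/SSLv3/TLS 1.0/1.1) the server no longer allows.
LEGACY_HELLO_ERRORS = {
    "140760FC": "unknown protocol (OpenSSL 1.x, SSL23_GET_CLIENT_HELLO)",
    "0A000102": "unsupported protocol (OpenSSL 3.x)",
}
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?P<service>postfix/smtpd|dovecot: (?:imap|pop3)-login).*?error:(?P<code>[0-9A-F]{8}):"
)
RIP_RE = re.compile(r"rip=(?P<rip>[0-9a-fA-F.:]+)")


def legacy_tls_failures(log_text):
    """Return one dict per handshake the server rejected for a legacy protocol version."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("code") not in LEGACY_HELLO_ERRORS:
            continue
        svc = m.group("service")
        rip = RIP_RE.search(line)
        events.append({
            "ts": m.group("ts"),
            "service": "postfix" if svc.startswith("postfix") else svc.split(": ")[1],
            "code": m.group("code"),
            "reason": LEGACY_HELLO_ERRORS[m.group("code")],
            # Postfix's "TLS library problem" warning carries no client address.
            "client": rip.group("rip") if rip else None,
        })
    return events


def failing_clients(events):
    """Rejected handshakes per client IP: these are the clients to upgrade, rather
    than re-enabling SSLv3/TLS 1.0 on the server."""
    return Counter(e["client"] for e in events if e["client"])
```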
Cause
Support for the TLSv1, TLS 1.1, SSLv2 and SSLv3 protocols, which old email clients and old software (e.g. WinHTTP-based applications on Windows 7) require, is intentionally disabled in the Postfix and Dovecot configuration, because all of these protocol versions have known security vulnerabilities and are therefore not recommended for use.
The full history of SSL and TLS releases is as follows:
- 1995 - SSL 1.0 - never released publicly due to known security issues
- 1995 - SSL 2.0 is released - deprecated in 2011 due to known security issues
- 1996 - SSL 3.0 is released - deprecated in 2015 due to known security issues
- 1999 - TLS 1.0 is released as an upgrade to SSL 3.0 - deprecated in 2020 due to known security issues
- 2006 - TLS 1.1 is released - deprecated in 2020 due to known security issues
- 2008 - TLS 1.2 is released - it can still be used, but is considered safe only when weak ciphers and algorithms are removed
- 2018 - TLS 1.3 is released - recommended; it has no known vulnerabilities, improves performance and will not be deprecated anytime soon
Resolution
The recommended solution is to use the latest available version of your email client, which supports connections over TLS 1.2 and TLS 1.3, or to switch to a mail client or mail-related software that supports TLS 1.2 and TLS 1.3.
For WinHTTP-based applications, you may refer to the following official Microsoft article.
If for some reason changing the software used for the email connection is not possible, you may apply one of the following workarounds.
Warning: None of the configurations below are recommended, because of the security vulnerabilities of the older TLS and SSL protocols. Apply them only at your own risk!
Note: This guide is intended for Plesk administrators. If you are a domain owner, please contact your service provider for assistance with email account configuration.
Postfix
- Connect to the Plesk server via SSH.
- Enable support for the TLSv1 protocol:
  # plesk sbin pci_compliance_resolver --disable postfix
  # plesk sbin sslmng --services postfix --protocols 'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'
  To find out whether TLSv1 is enabled in Postfix, run the command:
  # egrep "smtpd_tls_mandatory_protocols|smtpd_tls_protocols" /etc/postfix/main.cf
- Restart Postfix:
  # service postfix restart
Dovecot
- Connect to the Plesk server via SSH.
- Open the file /etc/dovecot/conf.d/11-plesk-security-ssl.conf in a text editor (for example, vi) and change the value of ssl_min_protocol as follows:
  ssl_min_protocol=TLSv1
  To find out whether TLSv1 is enabled in Dovecot, run the command:
  # egrep "ssl_min_protocol" /etc/dovecot/conf.d/11-plesk-security-ssl.conf
  Note: If TLSv1 is not enabled, it will not be shown in the output.
- Restart the Dovecot service:
  # service dovecot restart
Courier
- Connect to the Plesk server via SSH.
- Open the files /etc/courier-imap/pop3d-ssl and /etc/courier-imap/imapd-ssl in a text editor (for example, vi) and change the values of TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL as follows:
  # grep PROTOCOL /etc/courier-imap/pop3d-ssl | grep -v ^#
  TLS_PROTOCOL=TLSv1+
  TLS_STARTTLS_PROTOCOL=TLSv1+
  # grep PROTOCOL /etc/courier-imap/imapd-ssl | grep -v ^#
  TLS_PROTOCOL=TLSv1+
  TLS_STARTTLS_PROTOCOL=TLSv1+
- Restart the Courier services:
  # service courier-imaps restart
  # service courier-pop3s restart
  # service courier-imapd restart
  # service courier-pop3d restart
  # service xinetd restart
If an email client still cannot connect, enable the SSLv2 and SSLv3 protocols in the Postfix configuration:
- Connect to the Plesk server via SSH.
- Open the file /etc/postfix/main.cf in a text editor and set an empty value for "smtpd_tls_mandatory_protocols" and "smtpd_tls_protocols":
  # egrep "smtpd_tls_mandatory_protocols|smtpd_tls_protocols" /etc/postfix/main.cf
  smtpd_tls_mandatory_protocols =
  smtpd_tls_protocols =
- Restart Postfix:
  # service postfix restart
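Added example (not from the Plesk article): a Python audit of the three settings edited in the workarounds above, reporting which deprecated protocol versions each value still allows, so the change can be reviewed and later reverted with confidence. It interprets the value forms shown on this page (Postfix allow/exclude lists, the empty value that re-enables everything, and the ">=" floor; Dovecot ssl_min_protocol; Courier's "TLSv1+" floor). The configuration snippets are constructed, not copied from a live server.

```python
import re

# Protocol versions from oldest to newest; the first four are the ones the article disables.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = set(ORDER[:4])


def postfix_allowed(value):
    """Postfix smtpd_tls_protocols / smtpd_tls_mandatory_protocols: an empty value allows
    every version (the SSLv2/SSLv3 workaround above relies on this), '!NAME' excludes,
    '>=NAME' sets a floor, and plain names form an allow-list."""
    tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
    if not tokens:
        return set(ORDER)
    if tokens[0].startswith(">="):
        return set(ORDER[ORDER.index(tokens[0][2:]):])
    included = {t for t in tokens if not t.startswith("!")}
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    return (included or set(ORDER)) - excluded


def dovecot_allowed(value):
    """Dovecot ssl_min_protocol: the named version and everything newer."""
    return set(ORDER[ORDER.index(value.strip()):])


def courier_allowed(value):
    """Courier TLS_PROTOCOL / TLS_STARTTLS_PROTOCOL in the 'TLSv1+' floor form, or one fixed version."""
    v = value.strip()
    return set(ORDER[ORDER.index(v[:-1]):]) if v.endswith("+") else {v}


def audit(config_text, key, interpret):
    """Locate KEY in a config snippet (Postfix 'k = v', Dovecot 'k=v', Courier 'K=V';
    commented lines ignored) and return the legacy versions it still allows, oldest first.
    None means the key is absent and the daemon's compiled-in default applies."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        k, v = (s.strip() for s in line.split("=", 1))
        if k == key:
            return sorted(interpret(v) & LEGACY, key=ORDER.index)
    return None


# Constructed snippets modelled on the files edited above, not copied from a live server.
POSTFIX_MAIN_CF = "smtpd_tls_protocols = \nsmtpd_tls_mandatory_protocols = !SSLv2, !SSLv3\n"
DOVECOT_SSL_CONF = "#ssl_min_protocol = TLSv1.2\nssl_min_protocol=TLSv1\n"
COURIER_IMAPD_SSL = "TLS_PROTOCOL=TLSv1.2+\nTLS_STARTTLS_PROTOCOL=TLSv1+\n"
```

Run audit() against the real files once the workaround is applied and again before reverting it; an empty list for every key means no deprecated version is accepted.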
Comments
Testing IMAP TLS/SSL using both https://testconnectivity.microsoft.com and latest version of Microsoft Outlook client fails to negotiate cryptographic connection with the following log:
### BEGIN LOG ENTRY ###
imap-login: Disconnected: Connection Closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, tip=52.109.8.10, lip=77.68.96.59, TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol, session <sessionIDhere>
### END OF LOG ENTRY ###
If I try to verify from a Linux machine using openssl on IMAP SSL port 993 then I get the expected LetsEncrypt certificates with expected CN names matching the domain, along with Dovecot welcome "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5]"
I have disabled OCSP Stapling as I read that this is not supported on Dovecot.
When I run an SSL report at ssllabs.com I notice that the ONLY version of TLS supported by the certificate is TLS 1.3 (TLS 1.2 and below disabled, and SSL 3/2 both disabled.)
The LetsEncrypt wildcard certificate is using an RSA 2048 bits key and SHA256withRSA signature. The TLS 1.3 ciphers supported are: TLS_AES_128_GCM_SHA256; TLS_AES_256_GCM_SHA384; TLS_CHACHA20_POLY1305_SHA256.
Any ideas for explanations/solutions?