Applicable to:
- Plesk for Linux
Symptoms
- Plesk Obsidian running on a Linux-based operating system
- The Plesk Premium Email extension is installed (it does not matter if it is enabled or disabled as an Extension)
- Unable to connect to Mailbox via Roundcube webmail, while the following error appears:
PLESK_INFO: Connection to IMAP failed
- Errors that are similar to the following can be found in the Guam service log by running the
journalctl -uguam
command:
CONFIG_TEXT: Mar 11 15:45:43 example.com guam[694]: 14:45:43.785 [warning] TLS handshake failed with a tls_alert: {insufficient_security,"TLS server: In state hello at tls_handshake.erl:314 generated SERVER ALERT: Fatal - Insufficient Security\n no_suitable_ciphers"}
Mar 11 15:45:44 example.com guam[694]: 14:45:44.053 [error] gen_server <0.31142.8> terminated with reason: no match of right hand value {error,{tls_alert,{insufficient_security,"TLS server: In state hello at tls_handshake.erl:314 generated SERVER ALERT: Fatal - Insufficient Security\n no_suitable_ciphers"}}} in kolab_guam_session:start_client_tls/4 line 400
Apr 13 11:01:36 example.com guam[313457]: 11:01:36.142 [error] gen_fsm <0.563.0> in state disconnected terminated with reason: no match of right hand value {{error,closed},true,<0.563.0>,{[],[]}} in eimap:disconnected/2 line 140
Apr 13 11:01:36 example.com guam[313457]: 11:01:36.142 [error] CRASH REPORT Process <0.563.0> with 0 neighbours exited with reason: no match of right hand value {{error,closed},true,<0.563.0>,{[],[]}} in eimap:disconnected/2 line 140 in gen_fsm:terminate/8 line 623 - Many errors that are similar to the following can be found in the
/var/log/guam/console.log
:
CONFIG_TEXT: 2022-07-16 00:34:13.262 [error] <0.20002.218> SSL: certify: ssl_alert.erl:93:Fatal error: certificate unknown
2022-07-16 00:34:13.262 [warning] <0.18160.218>@kolab_guam_session:accept_client:187 TLS handshake failed with a tls_alert: "certificate unknown"
2022-07-16 00:34:13.287 [error] <0.18725.218> SSL: certify: ssl_alert.erl:93:Fatal error: certificate unknown
2022-07-16 00:34:13.287 [warning] <0.19394.218>@kolab_guam_session:accept_client:187 TLS handshake failed with a tls_alert: "certificate unknown" - Unable to check the IMAP certificate on port 993 (the check may work fine on the POP3 port 995), TLSv1.2 protocol is used, but the Cipher is returned as 0000:
# [root@server ~]# openssl s_client -showcerts -connect mail.example.com:993 -servername mail.example.com
CONNECTED(00000003)
139836725192592:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 314 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1722342657
Timeout : 300 (sec)
Verify return code: 0 (ok)
--- - Unable to check the IMAP certificate on port 993 (the check may work fine on the POP3 port 995), TLSv1.3 protocol is used, but the Cipher is returned as 0000:
# % openssl s_client -crlf -connect example.com:993
CONNECTED(00000005)
read:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 287 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1681374915
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Cause
The Ciphers, mentioned in /etc/guam/sys.config
configuration file of the Plesk Premium Email extension are incorrect and are unable to work properly with either TLSv1.2 or TLSv1.3 via the IMAP port 993.
Resolution
The issue is fixed permanently in the latest version of the extension, due to which you should first try and resolve the issue by updating the Plesk Premium Email extension to its latest version by using the steps in this article:
How to manage Plesk extensions (install, disable, remove, update)
If the issue persists after the extension has been updated to its latest version, you should do the following:
1. Log into your server via SSH
2. Execute the following command in order to make sure the /etc/guam/sys.config
configuration file is synchronized properly:
# plesk bin extension -e kolab sync-guam-config.php
3. Restart the Guam service by executing the following command:
# systemctl restart guam
Additional information
How to verify that SSL for IMAP/POP3/SMTP works and a proper SSL certificate is in use
Comments
0 comments
Please sign in to leave a comment.