• Dear Pleskians! The Plesk Forum will be undergoing scheduled maintenance on Monday, 7th of July, at 9:00 AM UTC. The expected maintenance window is 2 hours.
    Thank you in advance for your patience and understanding on the matter.

All inbound emails bouncing after applying POODLE fix

L

Logan_Rosen

New Pleskian
I ran the script in KB article 123160 [1] to disable SSLv3 and avoid the POODLE vulnerability, but I recently discovered that this has caused all inbound emails to bounce. The bounce message says, "TLS Negotiation failed."

Any ideas on how to fix this? Thanks!

Here is Plesk version information:
# cat /usr/local/psa/version
11.5.30 CentOS 5 115140407.17

# cat /root/.autoinstaller/microupdates.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
<product id="plesk" version="11.5.30" installed-at="20131109T085857">
<patch version="47" timestamp="" installed-at="20141123T162005" />
</product>
</patches>

[1] http://kb.odin.com/en/123160
 
Logan_Rosen said:
I ran the script in KB article 123160 [1] to disable SSLv3 and avoid the POODLE vulnerability, but I recently discovered that this has caused all inbound emails to bounce. The bounce message says, "TLS Negotiation failed."

Any ideas on how to fix this? Thanks!

Here is Plesk version information:
# cat /usr/local/psa/version
11.5.30 CentOS 5 115140407.17

# cat /root/.autoinstaller/microupdates.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
<product id="plesk" version="11.5.30" installed-at="20131109T085857">
<patch version="47" timestamp="" installed-at="20141123T162005" />
</product>
</patches>

[1] http://kb.odin.com/en/123160
Click to expand...

May be able to help. Just spent most of the day figuring out why gmail to our domain was getting the TLS negotiation failure. I could get email from most other sites, just not gmail (maybe others had problem, tho). Without going into detail - I assume you are running on Linux variant, with qmail, and have your own server/VPS. If so, SSH to host and edit:
/var/qmail/control/tlsserverciphers
Remove the !SSLv3 option, save, and restart qmail:
/etc/init.d/qmail restart
Worked for me. A cool site to verify this is:
http://www.checktls.com/perl/TestReceiver.pl
I am guessing by changing this, ports 465/587 will show as vulnerable to Poodle - I haven't checked yet - but at least I'm basking in the glow of working email.
Would be nice if I could figure out how to alert Plesk about this...
 
dave_cohen said:
May be able to help. Just spent most of the day figuring out why gmail to our domain was getting the TLS negotiation failure. I could get email from most other sites, just not gmail (maybe others had problem, tho).
Click to expand...

Yep, same here. Didn't realize it originally, but only emails from Gmail/Google Apps seemed to be bouncing. I really don't want to open up SSLv3 again for qmail if it's not necessary, but I might not have a choice if I want email to be working fully again. Parallels should definitely do something about this.

I did find this thread, which suggests explicitly stating the allowed ciphers: http://talk.plesk.com/threads/cant-send-mail-from-horde-since-poodle-patch.324511/#post-762689

It just seems like such an ugly solution to a problem that should ideally not be so complicated. And the KB article doesn't reflect this.
 
You must log in or register to reply here.

Similar threads

Zalvatore Dela
Issue Outlook and Gmail block my clients emails! DKIM too long
Replies
8
Views
5K
Zalvatore Dela
Zalvatore Dela
P
Resolved Poodle fix and MariaDB
Replies
2
Views
1K
Pedro1
P
J
Issue Plesk 11.0.9 500 - Internal Server Error
Replies
14
Views
5K
jrwn
J
D
Poodle Patch in Article 123160 Can Break Email - Linux, Qmail
Replies
4
Views
4K
UFHH01
U
P
Plesk 12.0.18 MU52 - Not updating
Replies
1
Views
804
UFHH01
U
Back
Top