Issue Dovecot: Wrong Version Number

tkalfaoglu · Jan 11, 2022

I am seeing:

Jan 11 15:11:02 ocean dovecot[33614]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (no auth attempts in 0 secs): user=<>, rip=x.x.x.x, lip=x.x.x.x, TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number, session=<gIrIWE3V9MwVY/k2>

in the maillogs.. How can I correct this problem?
I searched here and google, but did not see this "Wrong version number" error. mentioned.

Many thanks, -t

Monty · Jan 11, 2022

This essentially tells you that a client tried to connect with an unsupported TLS version.
Maybe your server only supports TLSv1.2 and TLSv1.3 but the client tried to connect with TLSv1 or TLSv1.1 or the other way round.

To see which TLS versions are configured on your Plesk server run this:
# plesk sbin sslmng --show-config

Then check the "dovecot" section.

tkalfaoglu · Jan 11, 2022

Many thanks! It shows like this:

"dovecot": {
"certificate": true,
"ciphers": "EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:E
ECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!D
ES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH:!kDH",
"cipher_server_order": true,
"cert": "/usr/local/psa/var/certificates/scf5WunPk",
"strong_dh": true,
"protocols": [
"TLSv1",
"TLSv1.1",
"TLSv1.2"
],
"dhparams_size": 2048
},

Monty · Jan 11, 2022

So it looks like a client tried to connect with TLSv1.3 but your server does not support this version. You may want to check if your server supports TLSv1.3:

https://support.plesk.com/hc/en-us/articles/360007400013-Does-Plesk-support-TLS-1-3-on-Linux-servers-

tkalfaoglu · Jan 11, 2022

Many thanks, I read the article and yes, this is a Centos 8.5 machine so it supports the TLS 1.3. If my understanding is correct, I just need to do a:

# plesk bin server_pref -u -ssl-protocols 'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'

to ensure that it supports everything?

Monty · Jan 11, 2022

Yes this should do the trick.
Related KB: https://support.plesk.com/hc/en-us/...able-TLS-protocol-versions-in-Plesk-for-Linux

zwankie · Jan 3, 2023

Thanks @Monty, this helped.

Issue Dovecot: Wrong Version Number

tkalfaoglu

Silver Pleskian

Monty

Silver Pleskian

tkalfaoglu

Silver Pleskian

Monty

Silver Pleskian

tkalfaoglu

Silver Pleskian

Monty

Silver Pleskian

zwankie

Basic Pleskian

Similar threads