• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Issue receiving emails TLS library problem

piwik26

New Pleskian
Hi Everyone,

I am currently facing an issue on my server. I do not get all emails, and for instance here are the logs I got when I tried to register here :

Nov 30 15:02:32 mg1 postfix/smtpd[4013]: connect from ch.origin.talk.plesk.com[195.214.233.100]
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: SSL_accept error from ch.origin.talk.plesk.com[195.214.233.100]: -1
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1686:
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: lost connection after STARTTLS from ch.origin.talk.plesk.com[195.214.233.100]
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: disconnect from ch.origin.talk.plesk.com[195.214.233.100] ehlo=1 starttls=0/1 commands=1/2

I was looking around here and didn't find anything. Also online it is not clear what is the issue here.
I checked
- Certificate served, he is trusted and made by let's encrypt. Still valid
- Can connect on my local host thourgh ports
openssl s_client -starttls smtp -crlf -connect localhost:587 -tls1_3

I would like to have your point of view on this and what shall I do to get back emails working properly.
Thank you.
 
I am also getting this while trying lower TLS protocols :
openssl s_client -starttls smtp -crlf -connect localhost:587 -tls1_2
CONNECTED(00000003)
139730802357440:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70

Looks like it is related to servers not supporting TLS1.3. I will lover the TLS versions and ciphers to Intermediate and see if this is fine now.
 
Thanks GwenDragon, looks like my problem was coming from here. Too restrincting TLS version on my postifx. So I do recommend to use only Intermediate one, and now newest and most restrictive.

We can close this issue
 
I still think it was a bad idea of Plesk to have those 3 options the same for mail as web services.

We don't have to buy web browsers, so there is much less reason for users not to update to a modern client.
They will have to update eventually as web servers around the world get updated.

Mail is different.
Your client may have an older mail-client which he doesn't want to update because he will have to pay money for it (Outlook 2010)
He also doesn't have to connect to all kind of servers. He may just be connecting to you, his mail provider.

In our case we also sell him the software and if he suddenly can't connect anymore you will have to defend your position as you are now forcing him to buy a new mail client and he may think that was the reason for you to change it.

I proposed to split these 2 for Plesk years ago, but they never did it.
Now I can't be bothered
 
Indeed, especially that it looks like we have two different certificates. One for HTTP and one for mail.
 
I still think it was a bad idea of Plesk to have those 3 options the same for mail as web services.

I proposed to split these 2 for Plesk years ago, but they never did it.
It seems it only got seven votes:
But why not post it here again, maybe it finds more fans ;-)
 
Indeed, especially that it looks like we have two different certificates. One for HTTP and one for mail.
It depends. You can have different certificates, for example when your domain has one for SNI mail and the host has one for its host name. But you do not necessarily need (and should not) have different certs when you address your mail server by its host name. In that case, the host's certificate suffices.
 
I still think it was a bad idea of Plesk to have those 3 options the same for mail as web services.

We don't have to buy web browsers, so there is much less reason for users not to update to a modern client.
They will have to update eventually as web servers around the world get updated.

Mail is different.
Your client may have an older mail-client which he doesn't want to update because he will have to pay money for it (Outlook 2010)
He also doesn't have to connect to all kind of servers. He may just be connecting to you, his mail provider.

In our case we also sell him the software and if he suddenly can't connect anymore you will have to defend your position as you are now forcing him to buy a new mail client and he may think that was the reason for you to change it.

I proposed to split these 2 for Plesk years ago, but they never did it.
Now I can't be bothered
It's generally a bad idea to lower server-wide security for some people that still use 12+ year old software. You can't support software that's no longer supported or maintained. They can always upgrade Office, use 365, use webmail, use free Windows Mail, use Thunderbird. Just saying. :)
 
Back
Top