
Resolved Issue receiving emails TLS library problem

piwik26

New Pleskian
Hi Everyone,

I am currently facing an issue on my server. I do not get all emails, and for instance here are the logs I got when I tried to register here:

Nov 30 15:02:32 mg1 postfix/smtpd[4013]: connect from ch.origin.talk.plesk.com[195.214.233.100]
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: SSL_accept error from ch.origin.talk.plesk.com[195.214.233.100]: -1
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1686:
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: lost connection after STARTTLS from ch.origin.talk.plesk.com[195.214.233.100]
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: disconnect from ch.origin.talk.plesk.com[195.214.233.100] ehlo=1 starttls=0/1 commands=1/2

I was looking around here and didn't find anything. Also online it is not clear what the issue is here.
I checked:
- Certificate served, it is trusted and made by Let's Encrypt. Still valid
- Can connect on my local host through ports
openssl s_client -starttls smtp -crlf -connect localhost:587 -tls1_3

I would like to have your point of view on this and what shall I do to get back emails working properly.
Thank you.
 
I am also getting this while trying lower TLS protocols:
openssl s_client -starttls smtp -crlf -connect localhost:587 -tls1_2
CONNECTED(00000003)
139730802357440:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70

Looks like it is related to servers not supporting TLS 1.3. I will lower the TLS versions and ciphers to Intermediate and see if this is fine now.
 
Thanks GwenDragon, looks like my problem was coming from here. Too restricting TLS version on my Postfix. So I do recommend using only the Intermediate one, and not the newest and most restrictive.

We can close this issue
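
Added example (not part of the original posts): a small Python script that pairs each "TLS library problem" warning with the client from the preceding "connect from" line of the same smtpd PID, so you can see which senders fail the handshake and for what reason. The first four sample lines come from the log quoted above; the remaining lines, including the example.org and example.net hosts, are constructed.

```python
import re
from collections import Counter

# First four lines are from the thread; the rest are constructed for illustration.
SAMPLE_LOG = """\
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: connect from ch.origin.talk.plesk.com[195.214.233.100]
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: SSL_accept error from ch.origin.talk.plesk.com[195.214.233.100]: -1
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1686:
Nov 30 15:02:32 mg1 postfix/smtpd[4013]: lost connection after STARTTLS from ch.origin.talk.plesk.com[195.214.233.100]
Nov 30 15:05:10 mg1 postfix/smtpd[4020]: connect from mail.example.org[192.0.2.25]
Nov 30 15:05:10 mg1 postfix/smtpd[4020]: disconnect from mail.example.org[192.0.2.25] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 30 15:07:41 mg1 postfix/smtpd[4013]: connect from old.example.net[198.51.100.7]
Nov 30 15:07:41 mg1 postfix/smtpd[4013]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1686:
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"connect from (\S+)\[([^\]]+)\]")
# OpenSSL error string: error:<code>:<library>:<function>:<reason>:<file>:<line>:
TLS_ERR = re.compile(r"TLS library problem: error:[0-9A-Fa-f]+:[^:]*:[^:]*:([^:]+):")

def tls_failures(log_text):
    """Count TLS handshake failures per (peer host, peer IP, OpenSSL reason)."""
    peer_by_pid = {}  # an smtpd process serves one client at a time
    failures = Counter()
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        c = CONNECT.match(msg)  # match(), so "disconnect from" is not counted
        if c:
            peer_by_pid[pid] = c.groups()
            continue
        e = TLS_ERR.search(msg)
        if e:
            host, ip = peer_by_pid.get(pid, ("unknown", "unknown"))
            failures[(host, ip, e.group(1))] += 1
    return failures

if __name__ == "__main__":
    for (host, ip, reason), n in tls_failures(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {host} [{ip}]  {reason}")
```

Run against the real mail log, a list dominated by "unsupported protocol" from many unrelated senders points at the server's minimum TLS version rather than at a single misconfigured peer.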
 
I still think it was a bad idea of Plesk to have those 3 options the same for mail as web services.

We don't have to buy web browsers, so there is much less reason for users not to update to a modern client.
They will have to update eventually as web servers around the world get updated.

Mail is different.
Your client may have an older mail-client which he doesn't want to update because he will have to pay money for it (Outlook 2010).
He also doesn't have to connect to all kinds of servers. He may just be connecting to you, his mail provider.

In our case we also sell him the software and if he suddenly can't connect anymore you will have to defend your position as you are now forcing him to buy a new mail client and he may think that was the reason for you to change it.

I proposed to split these 2 for Plesk years ago, but they never did it.
Now I can't be bothered
 
Indeed, especially that it looks like we have two different certificates. One for HTTP and one for mail.
 
I still think it was a bad idea of Plesk to have those 3 options the same for mail as web services.

I proposed to split these 2 for Plesk years ago, but they never did it.
It seems it only got seven votes:
But why not post it here again, maybe it finds more fans ;-)
 
Indeed, especially that it looks like we have two different certificates. One for HTTP and one for mail.
It depends. You can have different certificates, for example when your domain has one for SNI mail and the host has one for its host name. But you do not necessarily need (and should not) have different certs when you address your mail server by its host name. In that case, the host's certificate suffices.
 
I still think it was a bad idea of Plesk to have those 3 options the same for mail as web services.

We don't have to buy web browsers, so there is much less reason for users not to update to a modern client.
They will have to update eventually as web servers around the world get updated.

Mail is different.
Your client may have an older mail-client which he doesn't want to update because he will have to pay money for it (Outlook 2010).
He also doesn't have to connect to all kinds of servers. He may just be connecting to you, his mail provider.

In our case we also sell him the software and if he suddenly can't connect anymore you will have to defend your position as you are now forcing him to buy a new mail client and he may think that was the reason for you to change it.

I proposed to split these 2 for Plesk years ago, but they never did it.
Now I can't be bothered
It's generally a bad idea to lower server-wide security for some people that still use 12+ year old software. You can't support software that's no longer supported or maintained. They can always upgrade Office, use 365, use webmail, use free Windows Mail, use Thunderbird. Just saying. :)
 