
SSLv3 Error on Dovecot

Christian12

New Pleskian
Hello,
I have the following system:

Plesk Version 18.0.35
Dovecot 2.3.13
Pigeonhole version 0.5.13
OS: Linux 4.9.0-15-amd64 x86_64 Debian 9.13 ext4

I also use SSL SNI.

I constantly get the following error message in my /var/log/maillog:

Code:
www dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=x.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46,

My doveconf shows:
Code:
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

All SNI certificates are valid.

Maybe someone can help me with this?

Best regards
Christian
 
Most probably fail2ban is blocking connections to the server. Try the following:
  1. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Jails.
  2. Click on plesk-dovecot.
  3. Click Change Settings.
  4. Adjust the parameters IP address ban period and The maximum number of failed login attempts: increase the number of failed attempts and/or the ban period.
Also, if the client affected by the issue uses a permanent IP address, consider adding it to Trusted IP Addresses in Tools & Settings > IP Address Banning (Fail2Ban).

Dear Igor,

why should fail2ban be the problem?
The IP addresses from the rip are not on the fail2ban list. The server's own IPs (v4 and v6) are already trusted.

The main problem should be the phrase: sslv3 alert certificate unknown

Due to the SNI extension, can I find out which certificate is meant?

Best regards
 
My wild guess: A client (rip=xxx.xxx.xxx.xxx) tries to connect to your server using an unsupported TLS version. Your server probably doesn't support TLS v1.0 or SSL v3 but your client is trying to connect with one of those outdated protocols.
  1. Check the minimum SSL protocol version supported by Dovecot: doveconf ssl_min_protocol
  2. Check the security/ssl configuration of all Plesk services: plesk sbin sslmng --show-config (look at the Dovecot section)
  3. Next, check with the client that tries to connect and verify their SSL configuration and supported TLS version of their OS
Hello Monthy,

of course I am using only TLS 1.2 with STARTTLS for security reasons.

I was just wondering that Dovecot gives 2 different messages for unsupported protocols:

Code:
POP3s: SSL routines:tls_process_client_hello:unsupported protocol, session
SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46

What I was wondering is that plesk sbin sslmng --show-config

points to a different SSL certificate path:

"dovecot": {
"cert": "/opt/psa/var/certificates/scfPvN6he",

The Doveconf -n points to:
ssl_cert = </etc/dovecot/private/dovecot.pem

I checked them and they are the same, so it seems that dovecot.pem was correctly updated.

So the error message still seems strange.

Regards Chris
 
I'd guess the one error occurs when someone connects to a port that accepts encrypted connections only, and the other when STARTTLS is used on an unencrypted connection.
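Added example, not from the thread or from Plesk: TLS alert 46 (certificate_unknown) is sent by the client when it rejects the certificate the server presented, so the defender-side check for "which SNI certificate is meant?" is to connect the way a client does, once per SNI name and once per port (993 implicit TLS, 143 STARTTLS), and read OpenSSL's verify result; the script also compares the dovecot.pem certificate with the path that `plesk sbin sslmng --show-config` prints. Assumed: openssl is installed, and MAIL_HOST plus the SNI names on the command line are placeholders.

```shell
# Added example, not from the thread or from Plesk. Assumes openssl is installed;
# MAIL_HOST and the SNI names passed on the command line are placeholders.
# Parse captured `openssl s_client` output (stdin) into "<verify-code> <subject>".
# A non-zero verify code for an SNI name is what makes a client send TLS alert
# 46 (certificate_unknown), which Dovecot then logs as seen in the thread.
parse_s_client() {
    awk '/^subject=/            { sub(/^subject=/, ""); subj = $0 }
         /Verify return code:/ { code = $4 }
         END { if (code == "") code = "none";
               if (subj == "") subj = "(no certificate)";
               print code, subj }'
}

# probe_sni <sni-name> <port>: 993 is implicit TLS, 143 uses STARTTLS; these
# are the two paths behind the two different Dovecot log lines in the thread.
probe_sni() {
    name=$1; port=$2; starttls=""
    [ "$port" = 143 ] && starttls="-starttls imap"
    echo Q | openssl s_client -connect "$MAIL_HOST:$port" -servername "$name" \
        $starttls 2>/dev/null | parse_s_client
}

# SHA-256 fingerprint of the first certificate in a PEM file; openssl x509
# skips a leading private-key block, so dovecot.pem can be read directly.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds when two files carry the same leaf certificate, e.g. dovecot.pem
# vs. the "cert" path that `plesk sbin sslmng --show-config` prints.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Constructed s_client output for a certificate the client rejects (code 21),
# so the parser can be exercised without a live server.
sample_s_client_output() {
cat <<'EOF'
subject=CN = mail.example.com
issuer=C = US, O = Example CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

echo "sample: $(sample_s_client_output | parse_s_client)"   # 21 CN = mail.example.com
if [ -n "${MAIL_HOST:-}" ]; then              # live probes only when a host is given
    for name in "$@"; do
        echo "$name 993: $(probe_sni "$name" 993)"
        echo "$name 143: $(probe_sni "$name" 143)"
    done
fi
```

Run as `MAIL_HOST=mail.example.com sh check_sni.sh mail.example.com mail.example.org`; any name whose verify code is not 0 is the one clients reject, and `same_cert /etc/dovecot/private/dovecot.pem <sslmng cert path>` confirms whether the two paths hold the same certificate.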