Question SSLv3 Error on Dovecot

Christian12

New Pleskian
Hello,
I have the following system:

Plesk Version 18.0.35
Dovecot 2.3.13
Pigeonhole version 0.5.13
OS: Linux 4.9.0-15-amd64 x86_64 Debian 9.13 ext4

I also use ssl sni.

I constantly get the following error message in my /var/log/maillog:

Code:
www dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=x.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46,

My doveconf points to:
Code:
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

All SNI Certificates are valid.

Maybe someone can help me with this?

Best regards
Christian
 
Most probably fail2ban is blocking connections to the server. Try the following:
  1. Go to Tools & Settings > IP Address Banning (Fail2Ban) > Jails.
  2. Click on plesk-dovecot.
  3. Click Change Settings.
  4. Adjust the parameters IP address ban period and The maximum number of failed login attempts: increase the number of failed attempts and/or the ban period.
Also, if the user affected by the issue has a permanent IP address, consider adding it to Trusted IP Addresses in Tools & Settings > IP Address Banning (Fail2Ban).
 

Dear Igor,

why should fail2ban be the problem?
The IP addresses from the rip are not on the fail2ban list. The server's own IPs (v4 and v6) are already trusted.

The main problem should be the phrase: sslv3 alert certificate unknown

Because of the SNI extension, can I find out which certificate is meant?

Best regards
 
My wild guess: A client (rip=xxx.xxx.xxx.xxx) tries to connect to your server using an unsupported TLS version. Your server probably doesn't support TLS v1.0 or SSL v3 but your client is trying to connect with one of those outdated protocols.
  1. Check the minimum SSL protocol version supported by Dovecot: doveconf ssl_min_protocol
  2. Check the security/ssl configuration of all Plesk services: plesk sbin sslmng --show-config (look at the Dovecot section)
  3. Next, check with the client that tries to connect and verify their SSL configuration and supported TLS version of their OS
 
Hello Monthy,

of course I am using only TLS 1.2 with STARTTLS, for security reasons.

I was just wondering why Dovecot gives 2 different messages for unsupported protocols:

Code:
POP3s: SSL routines:tls_process_client_hello:unsupported protocol, session
SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46

What I was wondering is that plesk sbin sslmng --show-config

points to a different SSL certificate path:

"dovecot": {
"cert": "/opt/psa/var/certificates/scfPvN6he",

The doveconf -n points to:
ssl_cert = </etc/dovecot/private/dovecot.pem

I checked them and they are similar, so it seems that the dovecot.pem was correctly updated.

So the error message still seems strange.

Regards Chris
 
I'd guess the one error occurs when someone connects to a port that accepts encrypted connections only, and the other when STARTTLS is used on an unencrypted connection.
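To make the distinction drawn in the last two replies visible in the log itself, here is an added example (not code from the thread, from Dovecot or from Plesk): a small Python script that parses maillog lines of the kind quoted above, classifies each TLS handshake failure, and counts failures per client IP and login service. Two facts it relies on: OpenSSL's "sslv3 alert <name>" error string is raised when the server *receives* an alert from the peer, so alert 46 (certificate_unknown, RFC 5246) means the remote client refused the certificate the server presented (its own validation failed: untrusted CA, name mismatch, expiry), while "unsupported protocol" is raised locally when the client offered only versions below ssl_min_protocol. The sample log lines and the IP addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Triage Dovecot TLS handshake failures from a mail log (added example)."""
import re
from collections import Counter

# TLS alert descriptions from RFC 5246 section 7.2.2; 46 is the one in the thread.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    112: "unrecognized_name",
}

# Fixed parts of a Dovecot login-process disconnect line that failed in TLS handshaking.
LINE_RE = re.compile(
    r"dovecot: (?P<service>(?:imap|pop3|submission)-login): .*?"
    r"rip=(?P<rip>[^,\s]+).*?TLS handshaking: (?P<detail>.*)$"
)
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")

# Constructed sample log lines (not from the poster's server).
SAMPLE_LOG = """\
Jun 10 12:00:01 www dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<c1>
Jun 10 12:00:05 www dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.9, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: SSL routines:tls_process_client_hello:unsupported protocol, session=<c2>
Jun 10 12:00:09 www dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<c3>
Jun 10 12:00:12 www dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.20, lip=192.0.2.10, TLS, session=<c4>
""".splitlines()


def classify(line):
    """Return {'service', 'rip', 'category', 'note'} for a handshake failure, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None  # successful logins and non-TLS lines are not failures
    detail = m.group("detail")
    alert = ALERT_RE.search(detail)
    if alert:
        # OpenSSL names a *received* alert "sslv3 alert <name>"; the "sslv3" is only the
        # legacy prefix of the error string, not the protocol version negotiated.
        # The remote client therefore aborted the handshake, and for 42/46/48/112 it did
        # so because it rejected the certificate the server presented.
        num = int(alert.group("num"))
        name = TLS_ALERTS.get(num, "alert_%d" % num)
        if num in (42, 46, 48, 112):
            category = "client_rejected_certificate"
        else:
            category = "client_alert"
        note = "client sent TLS alert %d (%s)" % (num, name)
    elif "unsupported protocol" in detail:
        # Raised by the server itself: the client offered only versions below ssl_min_protocol.
        category = "server_rejected_protocol"
        note = "client offered a TLS/SSL version below ssl_min_protocol"
    elif "no shared cipher" in detail:
        category = "server_rejected_cipher"
        note = "no overlap with ssl_cipher_list"
    else:
        category = "other"
        note = detail
    return {"service": m.group("service"), "rip": m.group("rip"),
            "category": category, "note": note}


def summarize(lines):
    """Count failures per (service, category) and per (rip, category)."""
    by_cause = Counter()
    by_rip = Counter()
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        by_cause[(rec["service"], rec["category"])] += 1
        by_rip[(rec["rip"], rec["category"])] += 1
    return by_cause, by_rip


if __name__ == "__main__":
    by_cause, by_rip = summarize(SAMPLE_LOG)
    for (service, category), n in sorted(by_cause.items()):
        print("%-12s %-30s %d" % (service, category, n))
    for (rip, category), n in by_rip.most_common(10):
        print("%-16s %-30s %d" % (rip, category, n))
```

Run it against the real file with `summarize(open("/var/log/maillog"))`. A remote IP that keeps producing client_rejected_certificate while other clients log in fine points at that client's trust store or the hostname it connects to, not at fail2ban or at the server's ssl_min_protocol; a burst of server_rejected_protocol entries is the outdated-client case from the replies above.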
 