
Issue TLS Errors in maillog

Staniel

New Pleskian
Hello,

I have had one of my clients contact me regarding non-delivery of emails from a certain email address. I have checked the MagicSpam logs and I can't see any mail being stopped in the SMTP layer. I have checked the maillog and I have found several instances in the log:

Code:
Mar  1 03:39:20 ocelot postfix/smtpd[13958]: SSL_accept error from server2.vykupto.info[103.129.47.73]: -1
Mar  1 03:39:20 ocelot postfix/smtpd[13958]: warning: TLS library problem: 13958:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Mar  1 03:39:20 ocelot postfix/smtpd[13958]: lost connection after STARTTLS from server2.vykupto.info[103.129.47.73]
Mar  1 03:39:20 ocelot postfix/smtpd[13958]: disconnect from server2.vykupto.info[103.129.47.73]

Code:
Mar  1 03:39:40 ocelot postfix/smtpd[13958]: connect from ccintl2.wc09.net[174.46.207.23]
Mar  1 03:39:41 ocelot postfix/smtpd[13958]: SSL_accept error from ccintl2.wc09.net[174.46.207.23]: -1
Mar  1 03:39:41 ocelot postfix/smtpd[13958]: warning: TLS library problem: 13958:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Mar  1 03:39:41 ocelot postfix/smtpd[13958]: lost connection after STARTTLS from ccintl2.wc09.net[174.46.207.23]
Mar  1 03:39:41 ocelot postfix/smtpd[13958]: disconnect from ccintl2.wc09.net[174.46.207.23]

I have previously disabled legacy security versions, and when I run an SSL test against the server I am getting the following results:

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

Is there a way that I can enable SSL2 for Postfix?
 
You could fiddle around with the smtpd_tls_protocols and smtpd_tls_mandatory_protocols in the /etc/postfix/main.cf to at least enable SSLv3 (that would most likely suffice to establish a connection with these two mailservers).

As for SSLv2, I strongly advise against using that and it will most likely not work anyway, due to being no longer available in your openssl library.
When it comes to security with SSLv3 - with regard to SMTP it's quite negligible, as the real SSLv3 Killer "Heartbleed" is not really applicable here. Nonetheless, it's for sure not the most secure protocol nowadays and I would at least use a dedicated certificate (read: a certificate with a secure key not used anywhere else) for that.
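
Added example, not part of either post: a Python script that groups the failed STARTTLS handshakes in a Postfix maillog by client, so the affected sending servers and the OpenSSL reason they fail with can be listed before any protocol setting is changed. The sample lines are copied from the excerpts in the first post; the function name `summarize` and the record fields are assumptions of this example.

```python
import re

# Lines copied from the maillog excerpts in the first post.
SAMPLE = """\
Mar  1 03:39:20 ocelot postfix/smtpd[13958]: SSL_accept error from server2.vykupto.info[103.129.47.73]: -1
Mar  1 03:39:20 ocelot postfix/smtpd[13958]: warning: TLS library problem: 13958:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Mar  1 03:39:20 ocelot postfix/smtpd[13958]: lost connection after STARTTLS from server2.vykupto.info[103.129.47.73]
Mar  1 03:39:40 ocelot postfix/smtpd[13958]: connect from ccintl2.wc09.net[174.46.207.23]
Mar  1 03:39:41 ocelot postfix/smtpd[13958]: SSL_accept error from ccintl2.wc09.net[174.46.207.23]: -1
Mar  1 03:39:41 ocelot postfix/smtpd[13958]: warning: TLS library problem: 13958:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Mar  1 03:39:41 ocelot postfix/smtpd[13958]: lost connection after STARTTLS from ccintl2.wc09.net[174.46.207.23]
"""

PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER = r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
ACCEPT_ERR = re.compile(r"^SSL_accept error from " + PEER)
LOST = re.compile(r"^lost connection after STARTTLS from " + PEER)
# OpenSSL error string: error:<code>:<library>:<function>:<reason>:<file>:<line>:
LIB_ERR = re.compile(r"^warning: TLS library problem: .*?error:[0-9A-F]+:[^:]*:(?P<func>[^:]*):(?P<reason>[^:]*):")


def summarize(log_text):
    """Group failed STARTTLS handshakes by client IP, correlating on smtpd pid."""
    pending = {}  # smtpd pid -> record of the client whose handshake just failed
    stats = {}    # client IP -> summary record
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if a := ACCEPT_ERR.match(msg):
            rec = stats.setdefault(a["ip"], {"host": a["host"], "failures": 0,
                                             "reasons": [], "lost_after_starttls": 0})
            rec["failures"] += 1
            pending[pid] = rec
        elif (e := LIB_ERR.match(msg)) and pid in pending:
            # The library warning carries no peer name; attribute it via the pid.
            reason = f'{e["func"]}: {e["reason"]}'
            if reason not in pending[pid]["reasons"]:
                pending[pid]["reasons"].append(reason)
        elif (lost := LOST.match(msg)) and lost["ip"] in stats:
            stats[lost["ip"]]["lost_after_starttls"] += 1
            pending.pop(pid, None)
    return stats


if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE).items():
        print(ip, rec)
```

To run it against a real log, pass the file's contents to `summarize()` instead of `SAMPLE`.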
 