• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Issue TLS Errors in maillog

Staniel

New Pleskian
Hello,

I have had one of my client's contact me regarding non-delivery of emails from a certain email address I have checked the MagicSpam logs and I can't see any mail being stopped in the SMTP layer. I have checked the maillog and I have found several instances in the log:

Code:
Mar  1 03:39:20 ocelot postfix/smtpd[13958]: SSL_accept error from server2.vykupto.info[103.129.47.73]: -1
Mar  1 03:39:20 ocelot postfix/smtpd[13958]: warning: TLS library problem: 13958:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Mar  1 03:39:20 ocelot postfix/smtpd[13958]: lost connection after STARTTLS from server2.vykupto.info[103.129.47.73]
Mar  1 03:39:20 ocelot postfix/smtpd[13958]: disconnect from server2.vykupto.info[103.129.47.73]

Code:
Mar  1 03:39:40 ocelot postfix/smtpd[13958]: connect from ccintl2.wc09.net[174.46.207.23]
Mar  1 03:39:41 ocelot postfix/smtpd[13958]: SSL_accept error from ccintl2.wc09.net[174.46.207.23]: -1
Mar  1 03:39:41 ocelot postfix/smtpd[13958]: warning: TLS library problem: 13958:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Mar  1 03:39:41 ocelot postfix/smtpd[13958]: lost connection after STARTTLS from ccintl2.wc09.net[174.46.207.23]
Mar  1 03:39:41 ocelot postfix/smtpd[13958]: disconnect from ccintl2.wc09.net[174.46.207.23]

I have previously disabled legacy security versions and when I run a SSL Test against the server I am getting the following results:

Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

Is there a way that I can enable SSL2 for Postfix?
 
You could fiddle around with the smtpd_tls_protocols and smtpd_tls_mandatory_protocols in the /etc/postfix/main.cf to at least enable SSLv3 (that would most likely suffice to establish a connection with these two mailservers)

As for SSLv2, I strongly advice against using that and it will most likely not work anyway, due to beeing no longer available in your openssl library.
When it comes to security with SSLv3 - in regards of SMTP it's quite negligible, as the real SSLv3 Killer "Heartbleed" is not really applicable here. Nontheless, it's for sure not the most secure protocol nowadays and I would at least use a dedicated certificate (read: a certificate with a secure key not used anywhere else) for that
 
Back
Top