• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

TLS mail problems

A

agbate

Guest
We're running Plesk 7.5 on Linux ES 3.

Within the past couple of weeks we've been getting complaints about some mail not reaching the server. It returns with a TLS error, handshake failed, the error is:

Deferred: 403 4.7.0 TLS handshake failed.

There seems to be a simple fix for the remote server, but unfortunately there are quite a few servers that can't send us mail and we'd like to be able to fix the issue on our end.

Some people say by reinstalling qmail and spamassassin this will fix this problem. Does anyone here have any input on this or has run into this problem before?

Thanks.

Adam.
 
Reinstallation

An update to this, reinstallation of qmail, courier-imap, and anything related to either of these (including updating SSL) has not fixed the problem.

I've searched the error on Google like crazy, and all that can be found is how to circumvent the problem on the other servers end, or how to fix it on a Windows server. Nothing about fixing it on a Linux box.

Jordan
 
Further investigation

Further investigation reveals the following:

Backing up our servercert.pem file located in /var/qmail/control/ then adjusting it so that the certificate is no longer valid allows all domains that were receiving the "TLS Handshake" error to send all queued mail and simply not initiate any TLS handshakes to any servers.

Obviously disabling encryption to all servers is not a good idea, but I really have no other choice at this point... unless someone wishes to suggest a solution, I expect no one to tell me not to do this.

Our actual certificate is valid, because when I telnet in and run starttls it works great (until I purposely change the certificate to make it invalid, in which case starttls gives an error like you would expect). So that leaves only one alternative - the TLS patch that is applied to the PSA version of qmail has an error in it.

I did a bit of research, and it seems that a new version of the qmail TLS patch was released on the 4th of January 2006, however to apply it, you must find the qmail source, and run the patch on it, then remake qmail. The problem is that the qmail install is a psa RPM.

Perhaps Atomic Rocket Turtle could recompile the RPM with the new TLS patch already included? Or if anyone could suggest to me the best way to do this, that would be great too!

If anyone has any other ideas, please let me know!

Thanks,

Jordan
 
You must log in or register to reply here.

Similar threads

R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
987
tessa67
T
carlsson
Issue Mail sent from my new email server won't reach Yahoo…?
Replies
3
Views
1K
carlsson
carlsson
J
Question Message via mail: <Es gab ein Problem bei der Aktualisierung der Systempakete...>
Replies
2
Views
368
jmar83
J
W
Question Mail Server configuration so it does not end up as spam?
Replies
2
Views
690
wyga
W
S
Issue STMP QUIT / Disconnect Problem with TLS
Replies
1
Views
2K
Frank.P
Frank.P
Back
Top