
TLS mail problems


agbate

Guest
We're running Plesk 7.5 on Linux ES 3.

Within the past couple of weeks we've been getting complaints about some mail not reaching the server. It bounces with a TLS error (handshake failed); the error is:

Deferred: 403 4.7.0 TLS handshake failed.

There seems to be a simple fix for the remote server, but unfortunately there are quite a few servers that can't send us mail and we'd like to be able to fix the issue on our end.

Some people say by reinstalling qmail and spamassassin this will fix this problem. Does anyone here have any input on this or has run into this problem before?

Thanks.

Adam.
 
Reinstallation

An update to this, reinstallation of qmail, courier-imap, and anything related to either of these (including updating SSL) has not fixed the problem.

I've searched the error on Google like crazy, and all that can be found is how to circumvent the problem on the other server's end, or how to fix it on a Windows server. Nothing about fixing it on a Linux box.

Jordan
 
Further investigation

Further investigation reveals the following:

Backing up our servercert.pem file located in /var/qmail/control/ then adjusting it so that the certificate is no longer valid allows all domains that were receiving the "TLS Handshake" error to send all queued mail and simply not initiate any TLS handshakes to any servers.

Obviously disabling encryption to all servers is not a good idea, but I really have no other choice at this point... unless someone wishes to suggest a solution, so I expect no one to tell me not to do this.

Our actual certificate is valid, because when I telnet in and run starttls it works great (until I purposely change the certificate to make it invalid, in which case starttls gives an error like you would expect). So that leaves only one alternative - the TLS patch that is applied to the PSA version of qmail has an error in it.

I did a bit of research, and it seems that a new version of the qmail TLS patch was released on the 4th of January 2006; however, to apply it, you must find the qmail source, run the patch on it, then rebuild qmail. The problem is that the qmail install is a psa RPM.

Perhaps Atomic Rocket Turtle could recompile the RPM with the new TLS patch already included? Or if anyone could suggest to me the best way to do this, that would be great too!

If anyone has any other ideas, please let me know!

Thanks,

Jordan
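Before replacing the certificate or rebuilding qmail, it is worth confirming what the posts above test by hand: that /var/qmail/control/servercert.pem holds a matching key and an unexpired certificate, and that a real STARTTLS handshake (not just the STARTTLS command over telnet) completes. The script below is an added example, not code from the thread or from Plesk; it assumes the Plesk qmail layout named in the post and that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added diagnostic for the qmail STARTTLS problem discussed in the thread.
# Assumes the combined key+certificate file used by the qmail TLS patch
# (/var/qmail/control/servercert.pem on Plesk) and an installed openssl binary.

# Inspect a servercert.pem: it must contain a private key and a certificate,
# the certificate must not be expired, and the key must belong to the
# certificate. Prints "ok" or the first problem found; non-zero on a problem.
check_servercert() {
    pem="${1:-/var/qmail/control/servercert.pem}"
    [ -r "$pem" ] || { echo "unreadable: $pem"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem"; return 1; }
    grep -q 'PRIVATE KEY' "$pem" || { echo "no private key in $pem"; return 1; }
    # -checkend 0 exits non-zero once the certificate's notAfter has passed
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate expired or unparsable"; return 1; }
    # The public key embedded in the certificate must equal the one derived
    # from the private key; a mismatch makes every TLS handshake fail.
    certkey=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    privkey=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    [ -n "$certkey" ] && [ "$certkey" = "$privkey" ] \
        || { echo "private key does not match certificate"; return 1; }
    echo ok
}

# Perform a full STARTTLS handshake against an SMTP server, which is what a
# sending MTA does after the "220 ready for tls" the post's telnet test stops at.
# s_client exits non-zero when the handshake itself fails.
probe_starttls() {
    host="$1"; port="${2:-25}"
    if printf 'QUIT\r\n' | openssl s_client -starttls smtp \
            -connect "$host:$port" >/dev/null 2>&1; then
        echo ok
    else
        echo "handshake failed: $host:$port"
        return 1
    fi
}
```

Run `check_servercert` on the mail server itself and `probe_starttls mail.example.test` from an outside host; if the file check passes but the probe fails, the fault is in the TLS implementation rather than in the certificate, which is the conclusion the last post reaches.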
 