Some mail is bouncing back with TLS issues

Good afternoon.

As of yesterday we’ve been seeing a handful of email messages being bounced back from the receiving server with the message:

TLS not available: connect failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I’m not going to try again; this message has been in the queue too long.

I expect we need to enable SSLv3 on our SMTP but I’m not completely sure how to accomplish it.

We’re running Interworx 5.1.49 on one server (it’s an older install) and 6.9.0 on the other.

Thanks in advance for any insight!

Phil D. Malmstrom
Diamond Computer Incorporated

Hi diamondcomputer

If the failures are on the old IW v5, I would do one of the following

Upgrade to latest RC v6.9

Or tell the v5 to push all outgoing email to your v6 server

The reason, I think, may be because the v5 does not have TLS 1.2 whereas v6 would.

It could even be the ciphers you’re using, so I would check them to stop weaker ciphers.

V6 servers could use LE ssl whereas v5 needs paid ssl

Many thanks

John

Hi John.

Unfortunately I can’t upgrade that server to v6.9 as it’s a legacy unit running CentOS 5. I had thought that 5.9 did actually have TLS 1.2 though. How would I determine that?

Thanks!

Phil

In my case, for two days in a row, I have been receiving a message that the IP address cannot be found. What could be the problem?

Hi

@diamondcomputer - many thanks. It is not IW that sets TLS but OpenSSL.

You could run an external test from any browser using Qualys; this would tell you your TLS and cipher.

Usually, if TLS cannot be found, it would indicate the receiving mail server cannot use your TLS, as ciphers tend to show “cannot agree TLS” or similar.

Is it just on the v5 or is it on both?

If you want to PM me a domain to test, I will let you know, as it gives better details.

Lastly, have you set a proper SSL on the mail server from NodeWorx server SSL mail, and do you have a correct RDNS on your IP used for mail?

Also, to cover everything, have you fully restarted the server in case something got stuck?

@Jesse1 - your issue sounds different from Phil’s. I would open a support ticket with your host provider, but first restart your server. If it cannot find an IP, it sounds more like a routing issue rather than a mail issue.

Many thanks

John
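To answer Phil’s question of how to determine what TLS a mail server actually speaks, here is an added example (not from the original thread or from InterWorx) that does the same thing an external tester does, but from the command line: it reads the EHLO reply to see whether STARTTLS is advertised at all, and if it is, negotiates TLS and reports the protocol version and cipher that were agreed. The EHLO replies embedded below are constructed, modelled on the transcripts later in the thread, and the hostnames are placeholders. One caveat worth knowing before reading the bounce text: OpenSSL labels every TLS alert “sslv3 alert …” because the alert format is shared by SSLv3 and TLS, so “sslv3 alert handshake failure” means the peer rejected the handshake (usually no common protocol version or cipher), not that SSLv3 needs to be enabled.

```python
import smtplib
import ssl

# Constructed EHLO replies modelled on the two transcripts in this thread (hostnames are
# placeholders, not real servers). The first advertises no STARTTLS, the second does.
EHLO_NO_TLS = b"""250-mail.v5.example.invalid InterWorx-CP SMTP Server
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-NOOP
250-SIZE 47185920
250 8BITMIME"""

EHLO_WITH_TLS = b"""250-mail.v6.example.invalid
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250 8BITMIME"""


def ehlo_extensions(reply: bytes) -> set:
    """Return the ESMTP keywords from a multi-line EHLO reply (RFC 5321, 4.1.1.1).

    The first line is the server greeting; each following line is "250-KEYWORD params"
    or, on the last line, "250 KEYWORD". Keywords are compared case-insensitively.
    """
    lines = reply.decode("ascii", errors="replace").splitlines()
    keywords = set()
    for line in lines[1:]:
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            # "AUTH=LOGIN PLAIN" is a legacy spelling of the AUTH keyword
            keywords.add(body.split()[0].split("=")[0].upper())
    return keywords


def starttls_offered(reply: bytes) -> bool:
    """True when the server advertises STARTTLS in its EHLO reply."""
    return "STARTTLS" in ehlo_extensions(reply)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an SMTP server you operate, issue EHLO and, if STARTTLS is offered,
    negotiate TLS. Returns what was negotiated (or the error), which is exactly the
    detail a bounce such as "TLS not available ... handshake failure" leaves out.
    """
    # Diagnostic context: certificate verification is disabled on purpose so that a
    # self-signed or expired certificate does not mask the protocol/cipher question.
    # create_default_context() refuses anything below TLS 1.2 on current Pythons,
    # which is the same bar modern receiving servers apply, so a failure here is
    # informative rather than something to work around.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    result = {"host": host, "starttls_offered": False,
              "tls_version": None, "cipher": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls_offered"] = smtp.has_extn("starttls")
            if result["starttls_offered"]:
                smtp.starttls(context=ctx)
                result["tls_version"] = smtp.sock.version()  # e.g. "TLSv1.2"
                result["cipher"] = smtp.sock.cipher()[0]     # e.g. "ECDHE-RSA-AES256-GCM-SHA384"
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    print("constructed v5-style reply offers STARTTLS:", starttls_offered(EHLO_NO_TLS))
    print("constructed v6-style reply offers STARTTLS:", starttls_offered(EHLO_WITH_TLS))
    # Live probe against a host you administer (placeholder hostname):
    # print(probe_starttls("mail.example.invalid"))
```

If `starttls_offered` is false for your own server, the fix is on the sending side (a certificate installed for the mail service and the daemon restarted); if it is true but `probe_starttls` reports an `SSLError`, the server offers TLS but not a protocol version or cipher that a current client accepts, which matches the symptom in this thread.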

Hi Phil

I took a best guess at your domains and tested the following as below (note: details have been changed to not show proper domains/IP addresses).

Based on these tests, I would consider the best action would be to forward all outgoing email to the V6 server, which should allow normal email delivery as a short-term solution.

Then I would apply an SSL cert to the V5 server for mail and set the ciphers as HIGH:MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW as a test. Remember to restart mail services.

However, I may be getting confused, as I am not sure if spamfilter.domain.url is on your IW servers or provided through a third party. If third party, then they need to turn on TLS and set ciphers, as it is not available at the moment.

I hope that helps a little

IW-CP V5

seconds | test stage and result

[000.000] Trying TLS on spamfilter.domain.url[IP-Removed] (10)
[000.024] Server answered
[000.086] <-- 220 PTR-removed InterWorx-CP SMTP Server ESMTP
[000.086] We are allowed to connect
[000.086] --> EHLO www11-do.2domain.url
[000.178] <-- 250-PTR-removed InterWorx-CP SMTP Server
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-NOOP
250-SIZE 47185920
250 8BITMIME
[000.178] We can use this server
[000.179] TLS is not an option on this server
[000.179] --> MAIL FROM:[email protected]
[005.582] <-- 250 ok
[005.582] Sender is OK
[005.582] --> QUIT

TLS is NOT available on this server

IW-CP V6

[000.564] <~~ 250-efa1.domain.url
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.564] TLS successfully started on this server

TLS is WORKING on this server

@jesse1 - you were not clear over “cannot find IP address”, so it could be routing, or it could be DNS not being able to resolve the sending mail MX or A record. You or your hosting provider would need to check further, usually by SSH.

Many thanks

John
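John’s post above suggests a cipher string for the v5 server and advises stopping weaker ciphers. Before pasting a cipher string into a mail server configuration it is worth seeing what it actually expands to, because OpenSSL keywords such as HIGH and MEDIUM are defined by the library version, not by the string. The added example below (mine, not from the thread or from InterWorx) expands a cipher string through the `ssl` module of the OpenSSL linked into Python and classifies the result; the “weak” and “legacy” thresholds are my own choices (no encryption, anonymous key exchange, export grade or under 112 bits is weak; RC4 and 3DES are legacy). Note that `!SSLv2` still parses but is a no-op on any OpenSSL since 1.1.0, which removed SSLv2 entirely.

```python
import ssl

# The cipher string suggested in the thread for the v5 server.
THREAD_CIPHERS = "HIGH:MEDIUM:!EXPORT:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!LOW"

# Constructed, deliberately permissive list used only for comparison in __main__.
PERMISSIVE_CIPHERS = "ALL:eNULL:aNULL"


def expand_ciphers(cipher_string: str) -> list:
    """Expand an OpenSSL cipher string exactly as the linked OpenSSL would, returning
    one dict per suite (name, protocol, strength_bits, ...) in preference order.
    ssl.SSLError is raised for a string OpenSSL cannot parse or that selects nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def cipher_string_is_valid(cipher_string: str) -> bool:
    """True when OpenSSL accepts the string; the check a config test should run first."""
    try:
        expand_ciphers(cipher_string)
        return True
    except ssl.SSLError:
        return False


def audit_ciphers(cipher_string: str) -> dict:
    """Classify the expanded suites (thresholds are this example's own choices):
    'weak'   - never acceptable on a mail server: NULL encryption, anonymous key
               exchange (ADH/AECDH), export grade, or under 112 bits of strength;
    'legacy' - still negotiable but refused by many modern peers: RC4, 3DES;
    'ok'     - everything else, including the TLS 1.3 suites OpenSSL always lists.
    """
    suites = expand_ciphers(cipher_string)
    weak, legacy, ok = [], [], []
    for s in suites:
        name = s["name"]
        if (s["strength_bits"] < 112 or "NULL" in name
                or name.startswith(("ADH", "AECDH")) or "EXP" in name):
            weak.append(name)
        elif "RC4" in name or "3DES" in name or "DES-CBC3" in name:
            legacy.append(name)
        else:
            ok.append(name)
    return {"total": len(suites), "weak": weak, "legacy": legacy, "ok": ok}


if __name__ == "__main__":
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    for label, spec in (("thread", THREAD_CIPHERS), ("permissive", PERMISSIVE_CIPHERS)):
        report = audit_ciphers(spec)
        print(f"{label}: {report['total']} suites, "
              f"{len(report['weak'])} weak, {len(report['legacy'])} legacy")
        for name in report["weak"]:
            print("  weak:  ", name)
        for name in report["legacy"]:
            print("  legacy:", name)
```

Run this on the machine whose OpenSSL the mail daemon actually links against: the same string can expand differently on a CentOS 5 box with its original OpenSSL than on a current system, which is the underlying point of the later replies in this thread about the age of that platform.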

Hello!

I think those messages may end up being a limitation of CentOS 5, considering it has been EOL for so long. We had customers with similar errors in the past, and the only resolution that really worked for them was migrating to a CentOS 6 server. :frowning: Being that repos for CentOS 5 no longer exist, and there are no longer even security patches being pushed through, the longer you try to use that OS, the more issues you will probably run into, unfortunately. We have not officially supported CentOS 5 for the better part of three years, now.

I did some googling for TLS 1.2 on CentOS 5. I’m seeing a lot of requests for it, but I’m not finding much indication that they ever applied it/updated their provided version of OpenSSL to include it. I found this one, where a staff member replied that it was really up to Red Hat because CentOS just rebuilt from RH, but since RHEL5 was nearing EOL at the time, it was very unlikely it would ever be included: https://forums.centos.org/viewtopic.php?t=57448

I would recommend looking into updating that server to CentOS 7, since CentOS 6 goes EOL this month. I know that, since it is a legacy server, that may not be possible, but it may be at least worth suggesting.

Thanks,
-Jenna
Friendly Neighborhood Support Manager

Hi Jesse–

I would need to know more information as to the specific errors that you are receiving, as that is a bit vague. :frowning:

However, if I recall correctly, I think you may be a ProfitHost customer? If so, if you reach out to them, they may be a better point of contact, as they would be able to see exactly what is happening on their servers.

Thanks,
-Jenna

Hi

@IWorx-Jenna - good posts, and I have advised Phil the same, CentOS 7 and IW-CP v7. Phil did PM me and stated the same, so hopefully that should resolve the issue with Phil.

You are correct over jesse1 and ProfitHost; I could not think of the host company he used at the time, sorry.

Kudos to you

Many thanks

John
