Applicable to:

  • Plesk for Linux

Symptoms

  • When connecting to a mail server over SSL via an email client (e.g. Outlook), the connection fails. One of the following error messages is returned by Outlook:

    Send test e-mail message: Your server does not support the connection encryption type you have specified. Try changing the encryption method.

    AND/OR

    Log onto incoming mail server (POP3): Your server does not support the connection encryption type you have specified. Try changing

  • One of the following error messages appears in the logfile /var/log/maillog:

    postfix/smtpd[25460]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:

    OR

    dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=69.9.10.229, lip=54.39.16.219, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

    OR

    dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=203.0.113.2, lip=203.0.113.3, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol,

Cause

TLSv1, SSLv3 or SSLv2 protocol support, which is required for old email clients/old PCs, is disabled in Postfix/Dovecot configuration.

By default, SSL protocols SSLv2 and SSLv3 are disabled in Postfix/Dovecot as these protocols are vulnerable to the POODLE attack.

Resolution

The best practice is to use the latest available version of email clients that support connections over TLS 1.1 and 1.2.

If for some reason it is not possible, apply the following steps:

Note: This guide is intended for Plesk administrators. If you are a domain owner, please contact your service provider for assistance with email account configuration.

Enable the TLSv1 protocol in Postfix configuration

  1. Connect to a Plesk server via SSH
  2. Enable support for TLSv1 protocol:

    # plesk sbin pci_compliance_resolver --disable postfix

    To check whether TLSv1 is enabled in Postfix, run the command:

    # egrep "smtpd_tls_mandatory_protocols|smtpd_tls_protocols" /etc/postfix/main.cf

  3. Restart Postfix:

    # service postfix restart

Enable the TLSv1 protocol in Dovecot configuration

  1. Connect to a Plesk server via SSH
  2. Open the file /etc/dovecot/conf.d/11-plesk-security-ssl.conf in a text editor and change the values of ssl_min_protocol and ssl_protocols as follows:

    ssl_protocols = TLSv1 TLSv1.1 TLSv1.2
    ssl_min_protocol=TLSv1

    To check whether TLSv1 is enabled in Dovecot, run the command:

    # egrep "ssl_protocols|ssl_min_protocol" /etc/dovecot/conf.d/11-plesk-security-ssl.conf

  3. Restart Dovecot service:

    # service dovecot restart

Enable the TLSv1 protocol in Courier configuration

  1. Connect to a Plesk server via SSH
  2. Open the files /etc/courier-imap/pop3d-ssl and /etc/courier-imap/imapd-ssl in a text editor and change the values of TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL as follows:

    # grep PROTOCOL /etc/courier-imap/pop3d-ssl | grep -v ^#
    TLS_PROTOCOL=TLSv1+
    TLS_STARTTLS_PROTOCOL=TLSv1+

    # grep PROTOCOL /etc/courier-imap/imapd-ssl | grep -v ^#
    TLS_PROTOCOL=TLSv1+
    TLS_STARTTLS_PROTOCOL=TLSv1+

  3. Restart Courier services:

    # service courier-imaps restart
    # service courier-pop3s restart
    # service courier-imapd restart
    # service courier-pop3d restart
    # service xinetd restart

If an email client still cannot connect, enable the SSLv2 and SSLv3 protocols in Postfix configuration:

Warning: Such configuration is not recommended due to security vulnerabilities. Apply it at your own risk.

  1. Connect to a Plesk server via SSH
  2. Open the file /etc/postfix/main.cf in a text editor and set an empty value for “smtpd_tls_mandatory_protocols” and “smtpd_tls_protocols”:

    # egrep "smtpd_tls_mandatory_protocols|smtpd_tls_protocols" /etc/postfix/main.cf
    smtpd_tls_mandatory_protocols =
    smtpd_tls_protocols =

  3. Restart Postfix:

    # service postfix restart
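
To review which legacy protocols a main.cf still permits for smtpd after the changes above, the egrep output can be interpreted with a small helper. This is an added example, not part of the original article or of Plesk tooling: the function name legacy_protocols and the sample file are constructed, and it assumes single-line values written as plain names or "!name" exclusions (the ">=" bound syntax of newer Postfix is reported as unknown).

```shell
#!/bin/sh
# Added example (not Plesk tooling). legacy_protocols is a hypothetical helper.
# Prints which of SSLv2/SSLv3/TLSv1 a Postfix parameter permits in FILE:
# a list, "none", "unset" (parameter absent), or "unknown" (bound syntax).
# This is what the config allows; the OpenSSL build may support fewer.
legacy_protocols() {
    param=$1
    file=$2
    # Postfix uses the last assignment of a parameter in main.cf.
    line=$(grep -E "^${param}[[:space:]]*=" "$file" | tail -n 1)
    [ -n "$line" ] || { echo "unset"; return 0; }
    # Drop "name =" and treat commas and colons as separators.
    value=$(printf '%s\n' "${line#*=}" | tr ',:' '  ')
    includes=
    excludes=
    for tok in $value; do
        case $tok in
            \!*)        excludes="$excludes ${tok#\!}" ;;
            ">"*|"<"*)  echo "unknown"; return 0 ;;
            *)          includes="$includes $tok" ;;
        esac
    done
    out=
    for proto in SSLv2 SSLv3 TLSv1; do
        # An explicit "!proto" always disables that protocol.
        case " $excludes " in *" $proto "*) continue ;; esac
        # If any protocol is named without "!", only named ones are enabled.
        if [ -n "$includes" ]; then
            case " $includes " in *" $proto "*) ;; *) continue ;; esac
        fi
        out="$out $proto"
    done
    # An empty value reaches here with no tokens, so all three are listed.
    out=${out# }
    echo "${out:-none}"
}

# Constructed sample input: one restricted parameter, one emptied as in the
# article's last procedure.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols =
EOF
for p in smtpd_tls_mandatory_protocols smtpd_tls_protocols; do
    echo "$p: $(legacy_protocols "$p" "$sample")"
done
rm -f "$sample"
```

A parameter reported as unset falls back to Postfix's compiled-in default, which postconf -d shows.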