Article ID: 121454, created on May 3, 2014, last review on May 11, 2014

  • Applies to:
  • Plesk 11.5 for Linux


The following warning is appended to the Plesk mail log when trying to send a message to a mailbox hosted on an MS Exchange server:

May  2 13:49:56 temp postfix/smtp[1652]: warning: TLS library problem: 1652:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:


The MS Exchange server uses a TLS protocol or cipher that is incompatible with those used by Postfix. Because of this, the TLS handshake fails and the message is deferred.


There are two ways to resolve this issue:

  1. Disable the TLS encryption for the domains that are hosted on the MS Exchange server in question:

    • Create the file '/var/spool/postfix/plesk/tls_policy' with the content below (one line for every domain that should not use TLS):

      # cat /var/spool/postfix/plesk/tls_policy
      [] may
    • Convert this file into a Postfix hash:

      # postmap /var/spool/postfix/plesk/tls_policy
    • Configure Postfix to use the map file (append a line like the one below):

      # grep ^smtp_tls_policy_maps /etc/postfix/
      smtp_tls_policy_maps = hash:/var/spool/postfix/plesk/tls_policy
  2. Find out which protocol/cipher is used by the Exchange server and configure corresponding exceptions in Postfix:

    • First, find out the cipher and TLS version by probing the server with 'openssl':

      # openssl s_client -connect -starttls smtp 2>&1|egrep "Protocol|Cipher"
      New, TLSv1/SSLv3, Cipher is RC4-SHA
      Protocol  : TLSv1
      Cipher    : RC4-SHA

      If this returns the error described above, try different protocols by passing the corresponding options to 'openssl': '-tls1_1' or '-tls1_1'

    • Once you know the protocol and cipher that work, you need to determine which ones your Postfix server uses. For that, add the following line to '/etc/postfix/':

      smtp_tls_loglevel = 2

      Restart Postfix:

      # /etc/init.d/postfix restart

      Send a message and monitor the mail log '/usr/local/psa/var/log/maillog'.

      You will see messages like the following in the log when the delivery starts:

      May  3 04:45:51 temp postfix/smtp[16114]: initializing the client-side TLS engine
      May  3 04:45:52 temp postfix/smtp[16114]: setting up TLS connection to[]:25
      May  3 04:45:52 temp postfix/smtp[16114]:[]:25: TLS cipher list "ALL:+RC4:@STRENGTH"
      May  3 04:45:52 temp postfix/smtp[16114]: Untrusted TLS connection established to[]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)

      From this you can determine the protocol and the cipher in use.

    • Now you can disable the TLS protocols that do not work on a per-domain basis using the map file (assuming that we know from the previous steps that it should be SSLv3 and TLSv1):

      [] encrypt protocols=!SSLv2:!TLSv1.1:!TLSv1.2 ciphers=high

      Then send a message again. If it works now, that's it. If the original warning message still appears, you will need to exclude the non-working ciphers in the Postfix configuration.

      To do so, find the ciphers in use from '/usr/local/psa/var/log/maillog' (as in the step above) and exclude them one by one, separated by commas (","), with the following option in the Postfix configuration until the message gets delivered:

      # cat /etc/postfix/|grep cipher
      smtp_tls_exclude_ciphers = aNULL, DES, DES-CBC3-SHA, EXP-RC2-CBC-MD5
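
The log check from step 2, as an added example that is not part of the original article: it summarizes which protocol and cipher Postfix negotiated with each destination, counts the "wrong version number" failures, and flags obsolete protocols and weak cipher components so that per-domain exceptions stay limited to the hosts that need them. The host names and addresses in the sample lines are constructed placeholders, and the weak-component list is an assumption of this example.

```python
import re
from collections import Counter

# Summary line Postfix logs after a successful outbound TLS handshake.
ESTABLISHED = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>\w+) TLS connection established to "
    r"(?P<peer>\S+?): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# The handshake failure this article is about.
HANDSHAKE_ERROR = re.compile(r"postfix/smtp\[\d+\]: warning: TLS library problem: .*wrong version number")

# Assumption of this example: what counts as "needs review".
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_PARTS = ("RC4", "MD5", "DES", "EXP", "NULL")

def weaknesses(proto, cipher):
    """Return the reasons a negotiated protocol/cipher pair should be reviewed."""
    reasons = []
    if proto in OBSOLETE_PROTOCOLS:
        reasons.append("obsolete protocol " + proto)
    reasons += ["weak cipher component " + p for p in WEAK_CIPHER_PARTS if p in cipher.split("-")]
    return reasons

def summarize(lines):
    """Count negotiated (peer, protocol, cipher) tuples and handshake failures."""
    sessions, failures = Counter(), 0
    for line in lines:
        m = ESTABLISHED.search(line)
        if m:
            sessions[(m["peer"], m["proto"], m["cipher"])] += 1
        elif HANDSHAKE_ERROR.search(line):
            failures += 1
    return sessions, failures

# Constructed sample lines; the mx*.example.test hosts and 192.0.2.x addresses are placeholders.
SAMPLE = """\
May  3 04:45:52 temp postfix/smtp[16114]: Untrusted TLS connection established to mx1.example.test[192.0.2.10]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
May  3 04:46:10 temp postfix/smtp[16120]: Untrusted TLS connection established to mx1.example.test[192.0.2.10]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
May  3 04:47:02 temp postfix/smtp[16131]: Trusted TLS connection established to mx2.example.test[192.0.2.20]:25: TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)
May  3 04:48:15 temp postfix/smtp[16140]: warning: TLS library problem: 16140:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
""".splitlines()

if __name__ == "__main__":
    sessions, failures = summarize(SAMPLE)
    for (peer, proto, cipher), n in sessions.most_common():
        flags = "; ".join(weaknesses(proto, cipher)) or "ok"
        print(f"{n:3d}  {peer}  {proto}  {cipher}  [{flags}]")
    print(f"handshake failures (wrong version number): {failures}")
```

To run it against a real log, pass the lines of '/usr/local/psa/var/log/maillog' to summarize() instead of SAMPLE.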

For more information about the Postfix TLS configuration directives, refer to this guide.


Custom configuration can be overridden by Plesk utilities such as 'mchk' or by update installations. It is therefore recommended to keep a copy of the configuration file you modified in this article so that you can restore it in that case. Alternatively, you can set up a cron task that replaces the configuration file every day.
