The following warning is being appended to Plesk mail log, when trying to send a message to a mailbox hosted on MS Exchange server:
May 2 13:49:56 temp postfix/smtp: warning: TLS library problem: 1652:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
MS Exchange server uses TLS protocol or cipher incompatible with Postfix ones. Due to this, TLS handshake fails and the message is being deferred.
In order to resolve this issue, you can follow two different ways:
Disable the TLS encryption for a domains that are hosted on MS Exchange server in question:
Create a file '
/var/spool/postfix/plesk/tls_policy'and put the below content there (one string for every domain that should not use TLS):
# cat /var/spool/postfix/plesk/tls_policy [domain.com] may
Convert this file into a Postfix hash:
# postmap /var/spool/postfix/plesk/tls_policy
Configure postfix to use the map file (append the line like below):
# grep ^smtp_tls_policy_maps /etc/postfix/main.cf smtp_tls_policy_maps = hash:/var/spool/postfix/plesk/tls_policy
Find out which protocol\cipher is used by the Exchange server and configure corresponding exceptions in Postfix:
Firstly, find out the cipher and TLS version by probing the server over '
# openssl s_client -connect 220.127.116.11:25 -starttls smtp 2>&1|egrep "Protocol|Cipher" New, TLSv1/SSLv3, Cipher is RC4-SHA Protocol : TLSv1 Cipher : RC4-SHA ^C
If this returns the error from subj, try different protocols by specifying corresponding options to '
Once you know the the protocol and cipher that works, you need to define which one does your Postfix server use:. For that, add the following line to
smtp_tls_loglevel = 2
# /etc/init.d/postfix restart
Send a message and monitor the mail log '
You will get the alike messages in log when the delivery will start:
May 3 04:45:51 temp postfix/smtp: initializing the client-side TLS engine May 3 04:45:52 temp postfix/smtp: setting up TLS connection to mail.columbiacabinets.com[18.104.22.168]:25 May 3 04:45:52 temp postfix/smtp: mail.columbiacabinets.com[22.214.171.124]:25: TLS cipher list "ALL:+RC4:@STRENGTH" ... May 3 04:45:52 temp postfix/smtp: Untrusted TLS connection established to mail.columbiacabinets.com[126.96.36.199]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
From this you can define the Protocol and version of ciphers.
Now you may disable the TLS protocols that do not work on a domain basis using the map file (assume that we know from previous steps that it should be SSLv3 and TLSv1):
/var/spool/postfix/plesk/tls_policy [domain.com] encrypt protocols=!SSLv2:!TLSv1.1:!TLSv1.2 ciphers=high
Then send a message again. In case if it works fine now, thats it. But in case if there is still an original message, you will need to disable the nono-working ciphers from Postfix config.
To do so, find out the used ciphers from '
/usr/local/psa/var/log/maillog' (as in above step) and prohibit them one by one specifying the following option in Postfix config divided by comma (",") until the message gets delivered :
# cat /etc/postfix/main.cf|grep cipher smtp_tls_exclude_ciphers = aNULL, DES, DES-CBC3-SHA, EXP-RC2-CBC-MD5
For more information about the Postfix TLS configuration directives, refer to this guide.
Custom configuration could be overridden by Plesk utilities like '
mchk', or updates installations. Therefore it is recommended to save the configuration file you modified in this article to be able to replace it in such case. Or else you may set up a cron task that will replace the configuration file every day.