Last-updated: 2021-10-11
If PHP scripts running under an old version of the language fail to connect to the SMTP server under DirectAdmin, and in the logs you can see lines containing "TLS error on connection from hostname":
2020-02-20 00:30:02 TLS error on connection from localhost (www.poralix.com) [127.0.0.1] (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
or even:
2021-08-10 20:30:40 TLS error on connection from server.example.net [127.0.0.1] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
here is a possible fix for Exim managed by DirectAdmin.
To apply it, run the following as root:
touch /etc/exim.variables.conf.custom
echo 'openssl_options = +no_sslv2 +no_sslv3' >> /etc/exim.variables.conf.custom
echo 'tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS' >> /etc/exim.variables.conf.custom
cd /usr/local/directadmin/custombuild/
./build update
./build exim_conf
You might need to use the following set instead of the one specified above:
openssl_options = +no_sslv2 +no_sslv3
tls_require_ciphers = ALL:!ADH:!RC4:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP
in /etc/exim.variables.conf.custom, and even run:
update-crypto-policies --set LEGACY
as root in the server's console. When running the command you might see the following output:
[root@server.example.net ~]# update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.
[root@server.example.net ~]#
And that's OK.
Restart exim:
systemctl restart exim
Please note that TLSv1.0 and TLSv1.1 are considered deprecated and insecure. If enabling them is the only possible solution for you, you do so at your own risk.
That's it.
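To see which clients are actually hitting these errors, and whether the failures are "unknown protocol" or "no shared cipher", here is an added example (not part of the original post) that parses the "TLS error on connection" lines from the Exim log and counts them per client IP and reason. The sample log lines and the hint texts are constructed for the example; the regex assumes the OpenSSL error string layout shown in the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the two Exim mainlog lines quoted
# on this page plus one unrelated successful delivery line.
SAMPLE_LOG = """\
2020-02-20 00:30:02 TLS error on connection from localhost (www.example.com) [127.0.0.1] (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2021-08-10 20:30:40 TLS error on connection from server.example.net [127.0.0.1] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2021-08-10 20:31:02 TLS error on connection from server.example.net [127.0.0.1] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2021-08-10 20:32:15 <= bob@example.net H=client.example.org [192.0.2.10] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 S=1234
"""

# Assumed layout: "<date> <time> TLS error on connection from <host> [<ip>]
# (<fn>): error:<hexcode>:SSL routines:<where>:<reason>"
TLS_ERROR = re.compile(
    r"^(?P<ts>\S+ \S+) TLS error on connection from (?P<host>.+?) \[(?P<ip>[^\]]+)\] "
    r"\((?P<fn>[^)]+)\): error:(?P<code>[0-9A-F]+):SSL routines:(?P<where>[^:]+):(?P<reason>.+)$"
)

# Operator-facing hints for the two reasons this page discusses (constructed text).
HINTS = {
    "unknown protocol": "client hello not recognised by OpenSSL (very old SSL version, "
                        "or plain text sent to a TLS-only port)",
    "no shared cipher": "no cipher suite in common; compare tls_require_ciphers with "
                        "what the client's TLS library offers",
}

def parse_tls_errors(log_text):
    """Return one dict per 'TLS error on connection' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = TLS_ERROR.match(line)
        if m:
            d = m.groupdict()
            d["hint"] = HINTS.get(d["reason"], "unclassified; check the OpenSSL error string")
            events.append(d)
    return events

def summarize(events):
    """Count failures per (client IP, reason) so repeat offenders stand out."""
    return Counter((e["ip"], e["reason"]) for e in events)

if __name__ == "__main__":
    evs = parse_tls_errors(SAMPLE_LOG)
    for (ip, reason), n in summarize(evs).most_common():
        print(f"{n:4d}  {ip:15s}  {reason}  -> {HINTS.get(reason, '')}")
```

Run it against the real log with `parse_tls_errors(open("/var/log/exim/mainlog").read())` before and after changing the cipher list to confirm the errors have stopped for the clients you care about.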