Last-updated: 2023-02-22
If PHP scripts running under an old version of the language fail to connect to the SMTP server under DirectAdmin, and in the logs you see lines containing "TLS error on connection from hostname":
2020-02-20 00:30:02 TLS error on connection from localhost (www.poralix.com) [127.0.0.1] (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
or even:
2021-08-10 20:30:40 TLS error on connection from server.example.net [127.0.0.1] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
here is a possible fix for Exim managed by DirectAdmin.
Some old mail servers which communicate with yours might not support a modern signature algorithm such as EC 256 bits (ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512), which can cause the error.
So you will need to re-create at least the certificate for the hostname. If you use free certificates from Let's Encrypt, run the following command as root to create a certificate with a sha256WithRSAEncryption signature algorithm:
/usr/local/directadmin/scripts/letsencrypt.sh request $(hostname -f) 4096
Give the services a couple of minutes to restart, and then try sending an email. If it does not help, follow the further instructions below.
To do this, run the following as root:
touch /etc/exim.variables.conf.custom
echo 'openssl_options = +no_sslv2 +no_sslv3' >> /etc/exim.variables.conf.custom
echo 'tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS' >> /etc/exim.variables.conf.custom
cd /usr/local/directadmin/custombuild/
./build update
./build exim_conf
You might need to use the following set instead of the one specified above:
openssl_options = +no_sslv2 +no_sslv3
tls_require_ciphers = ALL:!ADH:!RC4:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP
in /etc/exim.variables.conf.custom, and you might even need to run:
update-crypto-policies --set LEGACY
as root in the server's console. When running the command you might see the following output:
[root@server.example.net ~]# update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.
[root@server.example.net ~]#
And that's OK.
Restart exim:
systemctl restart exim
Please note that TLSv1.0 and TLSv1.1 are considered deprecated and insecure. If enabling them is the only possible solution for you, then you do so at your own risk.
That's it.
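Before loosening the cipher list, it helps to know which of the two errors quoted at the top your server is actually logging, from which peers, and how often. The following Python helper is an added example (not from the original post or from DirectAdmin) that scans Exim log lines for the "TLS error on connection from" message and counts them by peer and OpenSSL reason; the sample log is constructed from the two lines shown above plus one unrelated line, and the hints map each reason to the fix this article describes.

```python
import re
from collections import Counter

# Regex for Exim's "TLS error on connection from ..." log line, as in the two
# examples above: date, time, peer description, then the OpenSSL reason string.
TLS_ERROR_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"TLS error on connection from (?P<peer>.+?) \((?P<call>SSL_\w+)\): "
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>.+)$"
)

# Constructed sample input, modelled on the two lines quoted in the article.
SAMPLE_LOG = """\
2020-02-20 00:30:02 TLS error on connection from localhost (www.poralix.com) [127.0.0.1] (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2021-08-10 20:30:40 TLS error on connection from server.example.net [127.0.0.1] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2021-08-10 20:31:12 TLS error on connection from server.example.net [127.0.0.1] (SSL_accept): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2021-08-10 20:32:00 <= sender@example.net H=localhost [127.0.0.1] P=esmtp S=512
"""

# What each OpenSSL reason points at, following the fixes in this article.
HINTS = {
    "no shared cipher": "client offers no cipher usable with the server certificate/cipher list; "
                        "try an RSA (sha256WithRSAEncryption) certificate or tls_require_ciphers",
    "unknown protocol": "client hello is not a TLS/SSL version the server accepts; "
                        "check openssl_options / the system crypto policy",
}

def parse_tls_errors(text):
    """Return a list of dicts, one per matching TLS error line."""
    out = []
    for line in text.splitlines():
        m = TLS_ERROR_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out

def summarize(text):
    """Count TLS errors by (peer, reason) and attach a hint for known reasons."""
    counts = Counter((e["peer"], e["reason"]) for e in parse_tls_errors(text))
    return [
        {"peer": peer, "reason": reason, "count": n,
         "hint": HINTS.get(reason, "unrecognised reason; inspect the line")}
        for (peer, reason), n in counts.most_common()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f"{row['count']:3d}  {row['peer']}  {row['reason']}  -> {row['hint']}")
```

On a real server, feed it the contents of /var/log/exim/mainlog instead of SAMPLE_LOG.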