SSL connection has failed on cPanel Exim server

cPanel

cPanel is a control panel that allows you to manage bare metal or virtual hosting servers. It’s best for shared hosting websites where you need to manage security and good account separation. It provides you all the tools to fully manage the server without the need to do CLI, of course, you could always login and work on the server directly, but it’s recommended to make all changes through cPanel so it can manage the settings and security.

TLS ciphers on Cpanel 86.x

I have a customer that is running a Sharp printer scanner that just started having an error when the printer is trying to send PDF scanned emails. I had a server running Cpanel 86.0.8 but it was on CentOS 6.x and wanted to upgrade to CentOS 7. I installed a new server, the same version of cPanel and migrated over the accounts. One customer started reporting that the Sharp printer was getting an error.

SSL Connection has failed.

This is similar to other people online that I see reporting errors on older versions of Outlook trying to connect to a new installation of cPanel.

When I check the exim_mainlog, this is the error messages i’m also seeing:

exim_mainlog:2020-03-03 13:32:11 SMTP connection from [10.51.44.122]:52851 (TCP/IP connection count = 2)
 exim_mainlog:2020-03-03 13:32:11 TLS error on connection from 10-051-044-122.biz.spectrum.com (Upstairs) [10.51.44.122]:52851 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
 exim_mainlog:2020-03-03 13:32:11 SMTP connection from 10-051-044-122.biz.spectrum.com (Upstairs) [10.51.44.122]:52851 closed by EOF
 exim_mainlog:2020-03-03 16:33:40 SMTP connection from [10.51.44.122]:56434 (TCP/IP connection count = 1)
 exim_mainlog:2020-03-03 16:33:40 TLS error on connection from 10-051-044-122.biz.spectrum.com (Upstairs) [10.51.44.122]:56434 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
 exim_mainlog:2020-03-03 16:33:40 SMTP connection from 10-051-044-122.biz.spectrum.com (Upstairs) [10.51.44.122]:56434 closed by EOF

Exim Advanced Settings

After doing some research online it looks like after upgrading the TLS Ciphers have changed between the old and new installation of cPanel. We can verify this by going to the WHM manager and checking the Exim settings.

WHM >> Service Configuration >> Exim Configuration Manager >> Advanced Editor

After clean install and account migration, the tls_require_ciphers and openssl_options is set to the following,

tls_require_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

however, on a server that is also running the same version of cPanel, but has gone through upgrades for the last couple of years has the following tls_require_ciphers setting

tls_require_ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

openssl_options = +no_sslv2 +no_sslv3

I reverted the new server back to the old settings and will have my customer test their emails being sent by the Sharp printer scanner to see if they are able to relay once again.

Updated March 8, 2020: Forgot to include openssl_options settings in addition the change on tls_require_ciphers, this is tested and works correctly for an older printer scanner.