Everything You Need To Know To Fix The Email Error ‘403 4.7.0 TLS Handshake Failed’ In Mail Servers.

  • September 28th, 2016
  • By Amal S
  • Blog
    Have you ever been confronted with an error message reading “403 4.7.0 TLS handshake failed”? If you are a server administrator, you will be. Debugging and fixing such email errors is routine while providing Outsourced Web Hosting Support to a shared server owner. The ‘403 4.7.0 TLS handshake failed’ error occurs when a sender tries to transmit a mail to a recipient over the secure TLS protocol. The mail log provides insight into the error and the way to resolve it.

    What is the ‘403 4.7.0 TLS handshake failed’ error?

    The TLS protocol, an encryption mechanism, ensures the security of data transmitted during email communication. The error ‘403 4.7.0 TLS handshake failed’ happens during this encrypted transmission. In TLS, the data is encrypted using a set of public and private keys.

    Before the communication can start, a ‘handshake’ protocol has to be completed. During the handshake, the server is authenticated, the cipher suites are matched and keys are exchanged between the two servers. The error occurs when this handshake fails during an email transmission, and the sender receives an error notification that shows ‘403 4.7.0 TLS handshake failed’.

    What really causes the ‘403 4.7.0 TLS handshake failed’ error?

    So what makes the handshake fail? A secure TLS transmission can fail for the following reasons.

    SSL Certificate Errors

    Each server participating in a TLS transmission has an SSL certificate installed. The certificate can be either self-signed or issued by a Certificate Authority (CA).

    Like any other certificate, an SSL certificate has a validity period, so an expired certificate on a mail server can cause the handshake error. Mail servers may also use a self-signed certificate. Such certificates are less trusted than those issued by a CA, and they may also be the reason for a handshake failure, as some recipient servers reject self-signed certificates.

    The sender gets an error notification in their mail log like this:

    TLS client disconnected cleanly (rejected our certificate?)

    SSL protocol or cipher issues

    Keeping the SSL/TLS protocol version up to date keeps the mail servers secure. Using old protocols and weak ciphers makes the servers vulnerable to security threats. Protocols such as SSLv2 and SSLv3 are outdated and are disabled on secure servers, even though some servers still keep them. Not only the older protocols but also the weak ciphers expose a server to security issues. For example, weak ciphers such as RC4 are disabled on most servers for security reasons. Certain mail servers will not accept connections from servers which keep old protocols and weak ciphers, which results in the handshake error.

    SSL connection errors

    The ‘handshake’ error can also appear due to connectivity issues between the servers, including backend firewall settings and other network problems. The STARTTLS command, which initiates the TLS handshake and the secure connection, is used to test the connectivity between servers. The command is:

    openssl s_client -starttls smtp -connect host:port

    Issues with MX Records

    The connection between the sending mail server and the recipient mail server can be disrupted by MX record issues, which are likely to produce a ‘handshake error’. To check for MX record issues, run the command:

    dig domain.com mx
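
    The certificate, protocol, cipher and connectivity checks described above can be run from one script. The following Python script is an added example and is not code from the original post: it performs the same STARTTLS handshake that `openssl s_client -starttls smtp` performs, records why a strictly verifying peer would reject the certificate, and classifies the result into the causes listed above. The function names, the weak-cipher markers and the constructed sample result are assumptions of this example; the MX check is not included because the Python standard library has no MX resolver, so use the `dig` command above for that.

```python
"""Probe an SMTP server's STARTTLS handshake and name the likely cause of a
'403 4.7.0 TLS handshake failed' error.  Added example, not from the post."""
import re
import smtplib
import ssl

# Protocol versions that hardened receiving servers refuse (assumption: TLSv1
# and TLSv1.1 are included because modern peers disable them as well).
OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that mark a negotiated cipher as weak.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXP", "DES-CBC", "ADH")
# Map OpenSSL's certificate verification error text to an actionable finding.
CERT_PROBLEMS = (
    (re.compile(r"expired", re.I), "certificate has expired; renew it"),
    (re.compile(r"self.signed", re.I),
     "certificate is self-signed; some receiving servers reject these"),
)


def classify(protocol, cipher_name, verify_message=None):
    """Turn one probe result into a list of findings (empty means healthy).

    protocol/cipher_name are None when no TLS session could be negotiated;
    verify_message is OpenSSL's reason for rejecting the certificate, if any.
    """
    findings = []
    if verify_message:
        matched = [text for pattern, text in CERT_PROBLEMS
                   if pattern.search(verify_message)]
        findings.extend(matched or ["certificate rejected: " + verify_message])
    if protocol is None:
        findings.append("no protocol version in common; the handshake did not complete")
        return findings
    if protocol in OUTDATED_PROTOCOLS:
        findings.append("outdated protocol %s negotiated" % protocol)
    if any(marker in cipher_name for marker in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher %s negotiated" % cipher_name)
    return findings


def _starttls(host, port, timeout, context):
    """EHLO + STARTTLS; returns (protocol, cipher) of the resulting session."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.starttls(context=context)   # sends EHLO first if needed
        return smtp.sock.version(), smtp.sock.cipher()[0]
    finally:
        smtp.close()   # close() never raises, unlike quit() after a failed handshake


def probe_smtp(host, port=25, timeout=10):
    """Run STARTTLS twice: strictly, to capture why the certificate would be
    rejected, then without verification, to see what actually gets negotiated.
    Network or firewall problems surface as OSError from the second attempt."""
    verify_message = None
    try:
        _starttls(host, port, timeout, ssl.create_default_context())
    except ssl.SSLCertVerificationError as exc:
        verify_message = exc.verify_message
    except OSError:
        pass   # protocol/cipher mismatch or timeout; the lax probe below reports it
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        protocol, cipher_name = _starttls(host, port, timeout, lax)
    except ssl.SSLError:
        protocol, cipher_name = None, None   # e.g. the server only offers SSLv3
    return protocol, cipher_name, verify_message


# Constructed sample of a failed probe (an old server with an expired
# certificate); not output captured from any real host.
SAMPLE_PROBE = ("SSLv3", "RC4-SHA", "certificate has expired")

if __name__ == "__main__":
    import sys
    result = probe_smtp(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PROBE
    for finding in classify(*result) or ["no handshake problems found"]:
        print(finding)
```

    Run with a host name as the only argument it probes that server on port 25; without arguments it classifies the constructed sample. A hostname mismatch also arrives as a verification message and is reported under the generic "certificate rejected" finding.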

    Fixing the ‘403 4.7.0 TLS handshake failed’ error in various situations

    The remedy for the handshake error differs according to where it occurs.

    In cPanel/WHM Exim servers

    The simplest way to resolve the handshake error in cPanel or WHM is to disable TLS security, but that is not recommended because of the security concerns. So the issues are resolved as follows.

    • Renew the SSL certificate if the error happened due to an expired certificate.
    • Edit the Exim configuration from WHM to disable the old SSL protocols and strengthen the ciphers.

    Click on ‘Home >> Service Configuration >> Exim Configuration Manager’.

    Enter the cipher string in the tls_require_ciphers text box:

    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:!SSLv3
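
    Whether a tls_require_ciphers string actually enforces what the steps above intend can be checked before it is saved. The following Python script is an added example, not code from the original post or from cPanel or Exim: it parses the OpenSSL cipher-list syntax at the keyword level, reports the weak cipher families a string still permits, and appends the missing exclusions. Run on the string above, it reports that `ALL` and `RC4+RSA` keep the RC4 ciphers which the post itself calls weak, so `!RC4` should be appended. Note also that the `SSLv2` and `SSLv3` keywords in a cipher string select cipher suites by era rather than switching off those protocol versions; in Exim the protocol versions are controlled separately by the `openssl_options` setting (for example `+no_sslv2 +no_sslv3`). The function names and the simplified handling of the `-` modifier are assumptions of this example.

```python
"""Audit an OpenSSL cipher-list string such as Exim's tls_require_ciphers.
Added example, not part of the original post."""
import ssl

# Cipher-string keywords that select weak or unauthenticated suites.
WEAK_KEYWORDS = {"RC4", "LOW", "EXP", "NULL", "eNULL", "aNULL", "ADH"}
# 'ALL' means every suite except eNULL, so it implicitly permits these.
ALL_IMPLIES = WEAK_KEYWORDS - {"NULL", "eNULL"}

# The tls_require_ciphers value recommended in the post.
POST_CIPHER_STRING = ("ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA"
                      ":+HIGH:+MEDIUM:!SSLv2:!SSLv3")


def parse_cipher_string(cipher_string):
    """Split the string into (modifier, keyword) pairs.

    Modifier is '!' (delete permanently), '-' (delete, may be re-added),
    '+' (move matching suites to the end) or '' (add).  A compound keyword
    such as 'RC4+RSA' (suites matching all parts) is kept as one token.
    """
    tokens = []
    for raw in cipher_string.split(":"):
        raw = raw.strip()
        if not raw:
            continue
        modifier, keyword = (raw[0], raw[1:]) if raw[0] in "!-+" else ("", raw)
        tokens.append((modifier, keyword))
    return tokens


def permitted_weak_keywords(cipher_string):
    """Weak keywords the string still permits, sorted.

    Simplification (assumption): '-' is treated like '!', and only a removal
    token that names the keyword on its own counts as excluding it.
    """
    tokens = parse_cipher_string(cipher_string)
    removed = {keyword for modifier, keyword in tokens if modifier in ("!", "-")}
    permitted = set()
    for modifier, keyword in tokens:
        if modifier in ("!", "-"):
            continue
        parts = ALL_IMPLIES if keyword == "ALL" else set(keyword.split("+"))
        permitted.update(p for p in parts if p in WEAK_KEYWORDS and p not in removed)
    return sorted(permitted)


def harden(cipher_string):
    """Append a permanent exclusion for every weak keyword still permitted."""
    extra = ["!" + keyword for keyword in permitted_weak_keywords(cipher_string)]
    return ":".join([cipher_string.rstrip(":")] + extra)


def accepted_by_openssl(cipher_string):
    """True if the local OpenSSL parses the string and selects at least one suite."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(cipher_string)
        return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    print("permitted weak keywords:", permitted_weak_keywords(POST_CIPHER_STRING))
    print("hardened string:", harden(POST_CIPHER_STRING))
    print("accepted by local OpenSSL:", accepted_by_openssl(harden(POST_CIPHER_STRING)))
```

    The `accepted_by_openssl` check only confirms that the local OpenSSL can build a non-empty cipher list from the string; what the Exim process on the server finally offers depends on the OpenSSL build linked into that Exim.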

    In Exchange servers

    Here, certain manual procedures need to be followed in order to resolve the issue.

    • To remove the SSL certificate causing the error, right-click the default SMTP server, open ‘PROPERTIES’ and select ‘ACCESS – CERTIFICATE’.
    • The next step is to disable outdated protocols such as SSLv2 and SSLv3, then enable protocols such as TLS 1.1 or 1.2, which are secure and trustworthy.
    • Replace the weak cipher suites with strong ones.
    • Alternatively, rather than using TLS, the authentication method can be switched to basic mode on the Exchange server.

    In Plesk Qmail servers

    As Plesk uses the qmail server, programs such as fixcrio which run along with qmail can cause a TLS-related error.

    Verifying the TLS certificate and key files helps to fix such issues; the files are located in the /var/qmail/control/ directory.

    qmail-remote, the qmail program for remote mail delivery, controls its TLS sessions with the file ‘tlsdestinations’. Here, TLS settings can be defined for email delivery to specific recipients.

    In RedHat, CentOS and OpenSuse servers with Sendmail

    On servers such as RedHat, CentOS and OpenSuse with Sendmail, the recipient domain with the TLS connectivity problem can be identified from the handshake error in the log. Once you have identified it, edit the configuration file “/etc/mail/access” and add the line below, which tells Sendmail not to attempt TLS when delivering to that domain:

    Try_TLS:domain.com NO

    After creating or editing the “/etc/mail/access” text file, use makemap to create the database map:

    makemap hash /etc/mail/access.db < /etc/mail/access

    Restart the mail server and email transmission to that domain will proceed without errors.

    In email clients such as Outlook Express and Thunderbird

    Proper configuration of the email client is also important for secure email transmission. This can be achieved as follows.

    Thunderbird

    Edit -> Account Settings, then in the Outgoing Server settings select TLS as the secure connection.

    Outlook Express

    Tools -> Accounts, select the mail account and open Properties.

    For outgoing mail, go to Advanced and select ‘Server requires secure connection (SSL)’.

    Conclusion

    Understanding the error “403 4.7.0 TLS handshake failed” is crucial to keep your server from stopping work. This blog guides you and makes you confident in meeting real-world TLS connectivity issues. The common causes of the handshake error include expired and untrusted SSL certificates, outdated protocols and weak cipher sets, and server connectivity issues. The impact of the handshake error differs from server to server, so the solution also differs according to the server, and the issue can be resolved only after understanding the server. As TLS is necessary to maintain the security of server communication through encryption, all the servers adopt different methods which never deny TLS encryption.
