habibzain Just husband, father and enthusiastic men about System Administration. Love to write short article about it. Perhaps can help and be useful for others.

Zimbra Cannot start TLS: handshake failure


When the Zimbra log shows the error message “Cannot start TLS: handshake failure”, it typically indicates a problem establishing a secure TLS (Transport Layer Security) connection. This error often occurs in email-related services or applications that use TLS for secure communication. As a result, many emails have piled up in the queue.

Nov 6 09:14:04 mail postfix/smtp[3328635]: 03AD6268188D: to=<[email protected]>, relay=seid-sharpworld-com02e.mail.protection.outlook.com[52.101.132.30]:25, delay=86, delays=0.18/0.03/86/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Nov 6 09:14:04 mail postfix/smtp[3328635]: 03AD6268188D: to=<[email protected]>, relay=seid-sharpworld-com02e.mail.protection.outlook.com[52.101.132.30]:25, delay=86, delays=0.18/0.03/86/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

The latest Zimbra patches use OpenSSL (3.0.x+) with the FIPS configuration as the default. This is what causes the error above. To return to normal, FIPS must be disabled using the following steps:

Check Default Zimbra FIPS

Zimbra ships OpenSSL (3.0.x+) with the FIPS configuration as the default from patches Kepler 9.0.0.P34, Joule 8.8.15.P41 and Daffodil 10.0.2 onward. From these patches going forward, Zimbra's OpenSSL is configured to work with FIPS compliance enabled by default. If that causes issues, it can be disabled.

To check which OpenSSL providers are loaded, run the following command.

[root@mail ssl]# /opt/zimbra/common/bin/openssl list --providers

#result
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active


Jump to /opt/zimbra/common/etc/ssl

As user root, change to the directory /opt/zimbra/common/etc/ssl.

[root@mail]# cd /opt/zimbra/common/etc/ssl
[root@mail ssl]# pwd

#result PWD
/opt/zimbra/common/etc/ssl

Backup file openssl.cnf

Before making the backup, list the files in the ssl directory.

[root@mail ssl]# ls -al
total 96
drwxr-xr-x 5 root root  4096 Oct  3 15:29 .
drwxr-xr-x 5 root root  4096 Jul  3 16:55 ..
drwxr-xr-x 2 root root  4096 Jul  3 16:55 certs
-rw-r--r-- 1 root root   412 Jul  3 16:55 ct_log_list.cnf
-rw-r--r-- 1 root root   412 Jul  3 16:55 ct_log_list.cnf.dist
-rw-r--r-- 1 root root   351 Oct  3 15:29 fipsmodule.cnf
drwxr-xr-x 2 root root  4096 Oct  3 15:29 misc
-rw-r--r-- 1 root root 12441 Jul  3 16:36 openssl.cnf
-rw-r--r-- 1 root root 12324 Jul  3 16:55 openssl.cnf.dist
-rw-r--r-- 1 root root 12441 Jul  3 16:36 openssl-fips.cnf
-rw-r--r-- 1 root root 12324 Jul  3 16:56 openssl-source.cnf
drwxr-xr-x 2 root root  4096 Jul  3 16:55 private

Then make a backup copy of openssl.cnf.

[root@mail ssl]# cp openssl.cnf /opt/openssl.cnf

Copy openssl-source.cnf to openssl.cnf

Before doing this, rename openssl.cnf to openssl.cnf-bak. Then copy openssl-source.cnf to openssl.cnf.

[root@mail ssl]# mv openssl.cnf openssl.cnf-bak
[root@mail ssl]# cp openssl-source.cnf openssl.cnf

Verify the FIPS provider is disabled.

[root@mail ssl]# /opt/zimbra/common/bin/openssl list --providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active

Restart the Zimbra service

su - zimbra
zmcontrol restart
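
After the restart, two checks confirm the change: the fips provider is no longer reported as active, and a per-relay count of deferrals with this error shows which destinations were affected and whether new ones still appear. The script below is an added example, not part of the original article; the function names, relay hosts and addresses are constructed, and the log path in the comment is an assumption.

```shell
#!/bin/sh
# Added example: post-change checks for the FIPS procedure above.
# Function names and all sample data are constructed for illustration.

# Exit 0 if the provider listing on stdin shows the fips provider as active.
fips_provider_active() {
    awk 'NF == 1 && $1 !~ /:$/ { cur = $1; next }   # provider id line
         cur == "fips" && $1 == "status:" && $2 == "active" { found = 1 }
         END { exit !found }'
}

# Count deferred "Cannot start TLS: handshake failure" entries per relay host
# in Postfix log lines read from stdin. Output: "<relay> <count>" per line.
tls_failures_by_relay() {
    grep -F 'status=deferred (Cannot start TLS: handshake failure)' |
        sed -n 's/.*relay=\([^[, ]*\).*/\1/p' |
        sort | uniq -c | awk '{ print $2, $1 }'
}

sample_providers() {   # constructed listing, same layout as the output above
    cat <<'EOF'
Providers:
  default
    name: OpenSSL Default Provider
    status: active
  fips
    name: OpenSSL FIPS Provider
    status: active
EOF
}

sample_log() {         # constructed Postfix lines using documentation addresses
    cat <<'EOF'
Nov  6 09:14:04 mail postfix/smtp[1001]: A001: to=<u1@example.org>, relay=mx1.example.net[192.0.2.10]:25, delay=86, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Nov  6 09:14:09 mail postfix/smtp[1002]: A002: to=<u2@example.org>, relay=mx1.example.net[192.0.2.10]:25, delay=90, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Nov  6 09:15:30 mail postfix/smtp[1003]: A003: to=<u3@example.com>, relay=mx2.example.net[192.0.2.20]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov  6 09:16:00 mail postfix/smtp[1004]: A004: to=<u4@example.com>, relay=mx3.example.net[192.0.2.30]:25, delay=75, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
EOF
}

# Demo on the samples. On a real host (the log path is an assumption):
#   /opt/zimbra/common/bin/openssl list --providers | fips_provider_active
#   tls_failures_by_relay < /var/log/zimbra.log
sample_providers | fips_provider_active && echo "fips provider: active"
sample_log | tls_failures_by_relay
```
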

This was a simple article on how to solve the Zimbra “Cannot start TLS” error caused by a Zimbra patch update. I hope it is useful, and please feel free to comment.

