The Zimbra log error message “Cannot start TLS: handshake failure” indicates that Postfix could not establish a secure TLS (Transport Layer Security) connection to the remote mail server. The error is typical of email services and applications that rely on TLS for secure communication. Because every delivery attempt to the affected relay is deferred, many messages have piled up in the mail queue.
Nov 6 09:14:04 mail postfix/smtp[3328635]: 03AD6268188D: to=<[email protected]>, relay=seid-sharpworld-com02e.mail.protection.outlook.com[52.101.132.30]:25, delay=86, delays=0.18/0.03/86/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Nov 6 09:14:04 mail postfix/smtp[3328635]: 03AD6268188D: to=<[email protected]>, relay=seid-sharpworld-com02e.mail.protection.outlook.com[52.101.132.30]:25, delay=86, delays=0.18/0.03/86/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
The latest Zimbra patch ships OpenSSL (3.0.x+) with the FIPS provider enabled by default, and this is what causes the error above. To return to normal operation, FIPS must be disabled using the following steps:
Check Default Zimbra FIPS
Zimbra ships OpenSSL (3.0.x+) with FIPS enabled by default starting with patch Kepler 9.0.0.P34, Joule 8.8.15.P41 and Daffodil 10.0.2. From those patches onward, Zimbra's OpenSSL is configured to run with FIPS compliance enabled by default. If that causes problems, as it does here, it can be disabled.
To list the OpenSSL providers currently loaded, run the following command.
[root@mail ssl]# /opt/zimbra/common/bin/openssl list --providers
#result
Providers:
default
name: OpenSSL Default Provider
version: 3.0.9
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.9
status: active
Jump to /opt/zimbra/common/etc/ssl
As the root user, change to the directory /opt/zimbra/common/etc/ssl.
[root@mail]# cd /opt/zimbra/common/etc/ssl
[root@mail ssl]# pwd
#result PWD
/opt/zimbra/common/etc/ssl
Backup file openssl.cnf
Before making the backup, list the files in the ssl directory.
[root@mail ssl]# ls -al
total 96
drwxr-xr-x 5 root root 4096 Oct 3 15:29 .
drwxr-xr-x 5 root root 4096 Jul 3 16:55 ..
drwxr-xr-x 2 root root 4096 Jul 3 16:55 certs
-rw-r--r-- 1 root root 412 Jul 3 16:55 ct_log_list.cnf
-rw-r--r-- 1 root root 412 Jul 3 16:55 ct_log_list.cnf.dist
-rw-r--r-- 1 root root 351 Oct 3 15:29 fipsmodule.cnf
drwxr-xr-x 2 root root 4096 Oct 3 15:29 misc
-rw-r--r-- 1 root root 12441 Jul 3 16:36 openssl.cnf
-rw-r--r-- 1 root root 12324 Jul 3 16:55 openssl.cnf.dist
-rw-r--r-- 1 root root 12441 Jul 3 16:36 openssl-fips.cnf
-rw-r--r-- 1 root root 12324 Jul 3 16:56 openssl-source.cnf
drwxr-xr-x 2 root root 4096 Jul 3 16:55 private
Then make a backup copy of openssl.cnf.
[root@mail ssl]# cp openssl.cnf /opt/openssl.cnf
Copy openssl-source.cnf to openssl.cnf
Before doing so, rename the existing openssl.cnf to openssl.cnf-bak, then copy openssl-source.cnf into place as openssl.cnf. In the listing above, openssl.cnf has the same size as openssl-fips.cnf (12441 bytes) while openssl-source.cnf matches openssl.cnf.dist (12324 bytes), which suggests the active configuration is currently the FIPS variant.
[root@mail ssl]# mv openssl.cnf openssl.cnf-bak
[root@mail ssl]# cp openssl-source.cnf openssl.cnf
Verify the FIPS provider is disabled.
[root@mail ssl]# /opt/zimbra/common/bin/openssl list --providers
Providers:
default
name: OpenSSL Default Provider
version: 3.0.9
status: active
Restart the Zimbra services as the zimbra user.
su - zimbra
zmcontrol restart
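The whole procedure above (check the provider list, back up and swap openssl.cnf, verify) condensed into a small POSIX shell script. This is an added example, not code from the article or from Zimbra. It assumes the article's paths (/opt/zimbra/common/bin/openssl and /opt/zimbra/common/etc/ssl), and its parser assumes the provider listing format shown above (a provider name on its own line followed by name/version/status lines). The swap is the article's mv and cp with a guard so an existing openssl.cnf-bak is never overwritten, and a cmp check that the installed file really is the non-FIPS source.

```shell
#!/bin/sh
# Added example (not part of the original article or of Zimbra):
# detect whether the OpenSSL FIPS provider is active and swap in the
# non-FIPS openssl.cnf with a backup, as the article describes.
# Both paths are assumptions taken from the article and can be overridden.
ZIMBRA_OPENSSL="${ZIMBRA_OPENSSL:-/opt/zimbra/common/bin/openssl}"
SSL_DIR="${SSL_DIR:-/opt/zimbra/common/etc/ssl}"

# fips_active: read `openssl list --providers` output from stdin.
# Exit 0 when a provider block named "fips" reports "status: active",
# exit 1 otherwise. Provider names are the lines that contain only a
# single word (optionally indented); everything else is a key: value line.
fips_active() {
    awk '
        /^[[:space:]]*[a-z0-9_-]+[[:space:]]*$/ { prov = $1; next }
        /status:[[:space:]]*active/ && prov == "fips" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# disable_fips_config DIR: move DIR/openssl.cnf aside as openssl.cnf-bak and
# install DIR/openssl-source.cnf in its place (the article's mv + cp).
# Refuses to run if the source file is missing (return 2) or a backup already
# exists (return 3), so an earlier backup is never clobbered. Returns 0 only
# when the installed file is byte-identical to openssl-source.cnf.
disable_fips_config() {
    dir="${1:-$SSL_DIR}"
    if [ ! -f "$dir/openssl-source.cnf" ]; then
        echo "missing $dir/openssl-source.cnf" >&2
        return 2
    fi
    if [ -e "$dir/openssl.cnf-bak" ]; then
        echo "$dir/openssl.cnf-bak already exists, refusing to overwrite it" >&2
        return 3
    fi
    mv "$dir/openssl.cnf" "$dir/openssl.cnf-bak" || return 1
    cp "$dir/openssl-source.cnf" "$dir/openssl.cnf" || return 1
    cmp -s "$dir/openssl-source.cnf" "$dir/openssl.cnf"
}

# Usage (run as root):
#   sh zimbra_fips.sh check    -> report whether the FIPS provider is active
#   sh zimbra_fips.sh disable  -> back up and swap openssl.cnf, then re-check
case "${1:-}" in
    check)
        if "$ZIMBRA_OPENSSL" list --providers | fips_active; then
            echo "FIPS provider: active"
        else
            echo "FIPS provider: not active"
        fi ;;
    disable)
        disable_fips_config "$SSL_DIR" || exit $?
        if "$ZIMBRA_OPENSSL" list --providers | fips_active; then
            echo "FIPS provider still active; check which openssl.cnf is being loaded" >&2
            exit 1
        fi
        echo "FIPS provider disabled; now run 'zmcontrol restart' as the zimbra user" ;;
esac
```

The `disable` step deliberately stops when openssl.cnf-bak is already present rather than overwriting it, since that backup is the only copy of the FIPS configuration once openssl.cnf has been replaced. Because this patch level is what made FIPS the default, the `check` step is worth re-running after future Zimbra patches to confirm the setting has not been reverted.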
This is a short article on how to fix the Zimbra “Cannot start TLS” error caused by the Zimbra update patch. I hope it is useful, and please feel free to comment.