How to fix email error ‘403 4.7.0 TLS handshake failed’ in cPanel, Plesk, Exim, Qmail, Exchange and SendMail servers
Debugging and fixing email errors is a common task we perform in our Outsourced Web Hosting Support services provided to shared server owners.
Among the common mail server errors, ‘403 4.7.0 TLS handshake failed’ occurs when a sender tries to send mail to a recipient over the secure TLS protocol.
The error message that will be displayed to the sender is:
----- The following addresses had permanent fatal errors ----- <firstname.lastname@example.org> (reason: 403 4.7.0 TLS handshake failed.)
What is the ‘403 4.7.0 TLS handshake failed’ error?
The error occurs in mail servers that use the TLS protocol for email transmission. TLS encrypts the data transmitted during email communication.
The sender and recipient mail servers each have a certificate with a public key and a matching private key. During the handshake these keys are used to authenticate the servers and to agree on the session key that encrypts the messages in transit.
TLS ensures email encryption via a “handshake” protocol. During the handshake, the server is authenticated, a cipher suite for encryption is negotiated and session keys are established between the two servers.
When this handshake fails during a secure email transmission, the error message ‘403 4.7.0 TLS handshake failed’ is shown to the sender.
What causes the error ‘403 4.7.0 TLS handshake failed’?
Handshaking for secure TLS transmission can fail due to these main reasons:
1. SSL certificate errors
For secure TLS transmission, the servers communicating with each other should have SSL certificates installed. These certificates can be self-signed or issued by a certificate authority (CA).
SSL certificates have a validity period, after which they expire. So, if a mail server that was working fine with TLS suddenly starts giving this error, it could be due to an expired SSL certificate.
Mail servers can also use their own self-signed certificates. Since these are less trusted than certificates issued by a CA, some recipient servers reject them.
The following message can show in the mail error logs:
TLS client disconnected cleanly (rejected our certificate?)
2. SSL protocol or cipher issues
While it is recommended that all servers use the latest secure version of the SSL/TLS protocol, some unmanaged servers may still be using old protocols and weak ciphers.
SSLv2 and SSLv3 are old, insecure protocols that are disabled on most secure servers due to their vulnerabilities. So servers that still have them enabled may not be secure.
The same applies to ciphers, the algorithms used for data encryption. For security, weak ciphers such as RC4 should be disabled on the server.
Recipient mail servers that follow secure TLS practices may refuse to establish a secure connection with insecure sender mail servers, and the error ‘403 4.7.0 TLS handshake failed’ is displayed.
3. SSL connection errors
SSL connectivity issues between the sender and recipient server can also lead to the error ‘403 4.7.0 TLS handshake failed’. Firewall settings or other network problems can cause this.
‘STARTTLS’ is the command that initiates the TLS handshake and the secure connection. To test whether the TLS connectivity of a mail server is working, use the command:
openssl s_client -starttls smtp -connect host:port
By examining the output of this command, we can identify connectivity issues, or issues with the certificate or the TLS protocol.
4. MX record not resolving properly
Sometimes the sender mail server is unable to establish a connection with the recipient mail server because the recipient's MX records are not resolving properly.
To verify that a domain's mail server resolves, use the command:
dig domain.com mx
If no results appear in the ‘ANSWER SECTION’, the MX record is not resolving and the sender will be unable to connect to the recipient.
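As an added example (not code from the original article), the following Python script runs the checks described above against one MX host: it performs STARTTLS with certificate verification enabled, reports the negotiated protocol, cipher and days until certificate expiry, and maps a failure back to the causes listed (certificate, protocol or cipher, connectivity, DNS). The cause labels and the 10-second timeout are assumptions.

```python
import datetime
import smtplib
import socket
import ssl


def classify_failure(exc: BaseException) -> str:
    """Map an exception raised during STARTTLS to the article's causes (assumed labels)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate"          # expired, self-signed or name mismatch (cause 1)
    if isinstance(exc, ssl.SSLError):
        return "protocol_or_cipher"   # no shared protocol version or cipher suite (cause 2)
    if isinstance(exc, socket.gaierror):
        return "dns"                  # host name does not resolve (cause 4)
    if isinstance(exc, smtplib.SMTPNotSupportedError):
        return "no_starttls"          # server never advertised STARTTLS
    if isinstance(exc, OSError):      # smtplib.SMTPException is also an OSError
        return "connectivity"         # refused, timed out, firewalled (cause 3)
    return "unknown"


def days_until_expiry(not_after: str, now=None) -> int:
    """not_after is the 'notAfter' string from getpeercert(), e.g. 'Jun  1 12:00:00 2030 GMT'."""
    expiry = datetime.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), datetime.timezone.utc)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return (expiry - now).days


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an MX host, run STARTTLS with chain and hostname verification, and report."""
    ctx = ssl.create_default_context()   # verifies the chain, rejects SSLv2/SSLv3 and weak ciphers
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            sock = smtp.sock             # now an SSLSocket
            cert = sock.getpeercert()
            return {"ok": True, "protocol": sock.version(), "cipher": sock.cipher()[0],
                    "days_left": days_until_expiry(cert["notAfter"])}
    except Exception as exc:             # everything the handshake can raise is classified
        return {"ok": False, "cause": classify_failure(exc), "detail": str(exc)}


if __name__ == "__main__":
    import sys
    print(check_starttls(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

Run it against each host that `dig domain.com mx` returns; a result with "cause" tells you which of the sections above to work through first.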
5. Issues with e-mail client
Some versions of email client software, such as CommuniGate Pro, InterChange and Eudora, are reported to give errors when configured to use TLS.
In those cases, sending mail from these clients over TLS fails with the error ‘403 4.7.0 TLS handshake failed’.
In commonly used mail clients such as Outlook, Thunderbird and Outlook Express, the TLS handshake will also fail if the SSL settings are not configured correctly.
Bobcares provides Outsourced Hosting Support and Outsourced Server Management for online businesses. Our services include Hosting Support Services, server support, help desk support, live chat support and phone support.