No peer certificate available for SMTP

Hello, I’m having a configuration problem, I understand, but I can’t find the solution. Could someone please help me?

We updated Hestia to the latest version, and after that, we had several problems that we were able to resolve through forum posts. However, I can’t seem to solve this latest issue.

When clients try to authenticate from any SMTP email client, they receive a message stating that there is no valid certificate.

If I run commands in Debian 11 I get these responses:

openssl s_client -connect mail.areteworkers.com:587 -starttls smtp -servername mail.areteworkers.com

Return:

CONNECTED(00000003)

139634558342464:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 261 bytes and written 356 bytes

Verification: OK

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

And it can’t find SMTP via Telnet.

telnet mail.areteworkers.com 587

Return:

Trying 37.153.92.116...
Connected to mail.areteworkers.com.

Escape character is '^]'.

220 mail.areteworkers.com

Does anyone have any idea what might be misconfigured?

Hi,

From which Hestia version did you update? What’s the OS version?

Show the output of these commands:

dpkg -l | grep -i exim
ls -la /etc/exim4/
grep tls_ /etc/exim4/exim4.conf.template

Note: Don’t try to issue new certificates for the mail domain in Hestia. You’ve already issued four in the last four days, and you could reach Let’s Encrypt limits.

That’s ok.

❯ telnet mail.areteworkers.com 587
Trying 37.153.92.116...
Connected to mail.areteworkers.com.
Escape character is '^]'.
220 mail.areteworkers.com
ehlo example.com
250-mail.areteworkers.com Hello 1.red-203-0-113.staticip.rima-tde.net [203.0.113.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250 HELP

Hi,

Command returns:

ii  exim4                              4.94.2-7+deb11u4                                   all          metapackage to ease Exim MTA (v4) installation
ii  exim4-base                         4.94.2-7+deb11u4                                   amd64        support files for all Exim MTA (v4) packages
ii  exim4-config                       4.94.2-7+deb11u4                                   all          configuration for the Exim MTA (v4)
ii  exim4-daemon-heavy                 4.94.2-7+deb11u4                                   amd64        Exim MTA (v4) daemon with extended features, including exiscan-acl
total 120
drwxr-xr-x   4 root root         4096 Apr 15 19:08 .
drwxr-xr-x 100 root root         4096 Apr 15 18:11 ..
drwxr-xr-x   9 root root         4096 Nov  1  2021 conf.d.disabled
-rw-r--r--   1 root root          469 Nov  6  2021 deny_senders
-rw-r--r--   1 root root           32 Nov  1  2021 dnsbl.conf
drwxr-xr-x   2 root root         4096 Apr 15 10:07 domains
-rw-r-----   1 root root        20568 Apr 15 19:13 exim4.conf.template
-rw-r-----   1 root root        20568 Apr 14 21:57 exim4.conf.template.orig
-rw-r--r--   1 root root          718 Apr 14 21:57 exim4.conf.template.rej
-rw-r-----   1 root root        21915 Apr 15 19:13 exim4.conf.template.vst.back
-rw-r--r--   1 root root            4 Apr 14 21:57 limit.conf
-rw-r-----   1 root Debian-exim   204 Jul 13  2021 passwd.client
-rw-r--r--   1 root root           84 Nov  6  2021 send_limits
-rw-r--r--   1 root root            0 Nov  1  2021 spam-blocks.conf
-rw-r--r--   1 root root          444 Apr 14 21:57 system.filter
-rw-r--r--   1 root root         1038 Apr 15 18:51 update-exim4.conf.conf
-rw-r--r--   1 root root            0 Nov  1  2021 white-blocks.conf
log_selector = +tls_sni
tls_advertise_hosts = *
# We test that $tls_in_sni is a valid domain, by an arbitrary email address [email protected] .
tls_certificate = \
                     { eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
                     { exists{/usr/local/hestia/ssl/mail/$tls_in_sni.crt} }\
                 {/usr/local/hestia/ssl/mail/$tls_in_sni.crt}\
tls_privatekey = \
                     { eq {${domain:foo@$tls_in_sni}} {$tls_in_sni}}\
                     { exists{/usr/local/hestia/ssl/mail/$tls_in_sni.key} }\
                 {/usr/local/hestia/ssl/mail/$tls_in_sni.key}\
tls_on_connect_ports = 465
tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE

The previous version was 1.8.4 in Debian 11.

Outputs look good.

Note: Next time don’t use blockquote to format the output, instead, select the pasted text and click on button </> or use Ctrl+E.

Show the output of these commands:

ls -la /etc/exim4/domains/areteworkers.com/ssl/
systemctl status exim4 --no-pager -l
tail /var/log/exim4/mainlog
tail /var/log/exim4/paniclog

I thought that because the 220 line wasn’t present, the complete ESMTP protocol wasn’t being recognized.

220 mail.areteworkers.com ESMTP Exim

But it’s still returning an error to Mac Mail clients. Although in that case, it’s sometimes because they have to delete and recreate the account. But just to rule out errors.

Returns:

total 24
drwxr-x--- 2 Debian-exim mail 4096 Apr 15 17:03 .
drwxrwx--x 3 Debian-exim mail 4096 Apr 15 17:03 ..
-rw-r--r-- 1 arete2      mail 1801 Apr 15 17:03 areteworkers.com.ca
-rw-r--r-- 1 arete2      mail 2179 Apr 15 17:03 areteworkers.com.crt
-rw-r--r-- 1 arete2      mail 3243 Apr 15 17:03 areteworkers.com.key
-rw-r--r-- 1 arete2      mail 3981 Apr 15 17:03 areteworkers.com.pem
● exim4.service - LSB: exim Mail Transport Agent
     Loaded: loaded (/etc/init.d/exim4; generated)
     Active: active (running) since Wed 2026-04-15 19:13:28 CEST; 1h 14min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 15314 ExecStart=/etc/init.d/exim4 start (code=exited, status=0/SUCCESS)
      Tasks: 1 (limit: 9393)
     Memory: 13.8M
        CPU: 1.310s
     CGroup: /system.slice/exim4.service
             └─15562 /usr/sbin/exim4 -bd -q30m

Apr 15 19:13:28 owncloud-debian11 systemd[1]: exim4.service: Succeeded.
Apr 15 19:13:28 owncloud-debian11 systemd[1]: Stopped LSB: exim Mail Transport Agent.
Apr 15 19:13:28 owncloud-debian11 systemd[1]: Starting LSB: exim Mail Transport Agent...
Apr 15 19:13:28 owncloud-debian11 exim4[15314]: Starting MTA: exim4.
Apr 15 19:13:28 owncloud-debian11 exim4[15314]: ALERT: exim paniclog /var/log/exim4/paniclog has non-zero size, mail system possibly broken
Apr 15 19:13:28 owncloud-debian11 systemd[1]: Started LSB: exim Mail Transport Agent.
2026-04-15 20:25:03 dovecot_login authenticator failed for (User) [213.177.179.107]: 535 Incorrect authentication data ([email protected])
2026-04-15 20:25:34 no host name found for IP address 213.177.179.107
2026-04-15 20:25:37 dovecot_login authenticator failed for (User) [213.177.179.107]: 535 Incorrect authentication data ([email protected])
2026-04-15 20:26:22 TLS error on connection from mail95.euc1.acems1.com [217.8.118.95] (cert/key setup: cert=/usr/local/hestia/ssl/certificate.crt key=/usr/local/hestia/ssl/certificate.key): Error while reading file.
2026-04-15 20:26:25 TLS error on connection from mail95.euc1.acems1.com [217.8.118.95] (cert/key setup: cert=/usr/local/hestia/ssl/certificate.crt key=/usr/local/hestia/ssl/certificate.key): Error while reading file.
2026-04-15 20:26:28 TLS error on connection from mail97.euc1.acems1.com [217.8.118.97] (cert/key setup: cert=/usr/local/hestia/ssl/certificate.crt key=/usr/local/hestia/ssl/certificate.key): Error while reading file.
2026-04-15 20:26:36 no host name found for IP address 213.177.179.107
2026-04-15 20:26:39 dovecot_login authenticator failed for (User) [213.177.179.107]: 535 Incorrect authentication data ([email protected])
2026-04-15 20:26:53 no host name found for IP address 213.177.179.107
2026-04-15 20:26:56 dovecot_login authenticator failed for (User) [213.177.179.107]: 535 Incorrect authentication data ([email protected])
2026-04-15 18:55:29 failed to open /etc/exim4/block_address when checking "/etc/exim4/block_address": No such file or directory
2026-04-15 18:57:49 failed to open /etc/exim4/block_address when checking "/etc/exim4/block_address": No such file or directory
2026-04-15 18:59:04 failed to open /etc/exim4/block_address when checking "/etc/exim4/block_address": No such file or directory
2026-04-15 18:59:43 failed to open /etc/exim4/block_address when checking "/etc/exim4/block_address": No such file or directory
2026-04-15 19:01:00 failed to open /etc/exim4/block_address when checking "/etc/exim4/block_address": No such file or directory
2026-04-15 19:06:13 failed to open /etc/exim4/block_address when checking "/etc/exim4/block_address": No such file or directory
2026-04-15 19:06:55 failed to open /etc/exim4/block_address when checking "/etc/exim4/block_address": No such file or directory
2026-04-15 19:09:08 failed to open /etc/exim4/block_address when checking "/etc/exim4/block_address": No such file or directory
2026-04-15 19:11:05 failed to open /etc/exim4/block_address when checking "/etc/exim4/block_address": No such file or directory
2026-04-15 19:11:54 failed to open /etc/exim4/block_address when checking "/etc/exim4/block_address": No such file or directory

It usually should work fine but some clients could not work as expected. Indeed, I created this PR a few months ago to add ESMTP to the banner.

https://github.com/hestiacp/hestiacp/pull/5140

touch /etc/exim4/block_address
systemctl restart exim4

And try again.

Time for dinner, I’ll be back in a couple of hours :wink:

I’ve seen both commits, but after running the commands I’m still getting the same result:

root@debian11:/# openssl s_client -connect mail.areteworkers.com:587 -starttls smtp -servername mail.areteworkers.com
CONNECTED(00000003)
140465982330176:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 261 bytes and written 356 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
root@debian11:/# telnet mail.areteworkers.com 587
Trying 37.153.92.116...
Connected to mail.areteworkers.com.
Escape character is '^]'.
220 mail.areteworkers.com

Thanks for everything, I’ll have to have something to eat too.

See you later.

Please send me Exim’s conf and logs.

Note: If you don’t have netcat installed: apt install netcat-openbsd

cat /etc/exim4/exim4.conf.template | nc p.27a.net 9999
tail -n 500 /var/log/exim4/mainlog | nc p.27a.net 9999
tail -n 500 /var/log/exim4/paniclog | nc p.27a.net 9999

I already ran the command and it didn’t return anything…
I also previously installed netcat-openbsd.

You must run the commands one by one.

Already

You should get a URL after every command. Are you blocking outgoing port 9999?

It’s possible the server or the server provider is blocking it. It’s not a standard port.

Then you should upload the outputs to some site like pastebin or similar.

So, you want me to send you the entire log to check for errors and error descriptions?

Okay, if that’s the case, I can put the files in an accessible location and send you the links; that’s no problem. First thing tomorrow morning; I’m going to rest now.


Good morning.

Show also the output of these commands:

ls -la /usr/local/hestia/ssl/mail/

And debug what Exim does when it receives STARTTLS:

exim -d+tls -bh 127.0.0.1

When you get a blank line using the command write:

EHLO test
STARTTLS

CTRL+C to close the session with Exim.
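A small Python probe, added here and not part of the thread or of Hestia/Exim, that repeats the telnet and openssl steps above but reports which step fails: it reads the banner, checks that EHLO advertises STARTTLS, then inspects the plaintext reply to STARTTLS before handshaking, so a 4xx there (Exim answers 454 TLS currently unavailable when it cannot load its certificate and key, as the paniclog shows) is caught instead of surfacing as openssl's "wrong version number" (plaintext received where a TLS record was expected). The host name in the usage line is a placeholder.

```python
import socket
import ssl

def reply_complete(buf: bytes) -> bool:
    """An SMTP reply ends with a 'NNN ' line; a 'NNN-' line continues it."""
    if not buf.endswith(b"\r\n"):
        return False
    last = buf.splitlines()[-1]
    return last[:3].isdigit() and (len(last) == 3 or last[3:4] == b" ")

def parse_reply(buf: bytes):
    """Return (code, [text of each line]) for a complete SMTP reply."""
    lines = buf.decode("utf-8", "replace").splitlines()
    return (lines[0][:3] if lines else ""), [ln[4:] for ln in lines]

def classify_starttls_reply(buf: bytes) -> str:
    """'ready' for 220 (go ahead), 'refused:NNN' for a plaintext error, else 'unknown'."""
    code = buf[:3].decode("ascii", "replace")
    if code == "220":
        return "ready"
    return "refused:" + code if code.isdigit() else "unknown"

def read_reply(sock: socket.socket) -> bytes:
    buf = b""
    while not reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:  # peer closed the connection
            break
        buf += chunk
    return buf

def probe(host: str, port: int = 587) -> dict:
    """banner -> EHLO -> STARTTLS -> TLS handshake, reporting where it stops."""
    result = {}
    with socket.create_connection((host, port), timeout=10) as s:
        result["banner"] = read_reply(s).decode("utf-8", "replace").strip()
        s.sendall(b"EHLO probe.example\r\n")
        if "STARTTLS" not in parse_reply(read_reply(s))[1]:
            result["starttls"] = "not advertised"
            return result
        s.sendall(b"STARTTLS\r\n")
        result["starttls"] = classify_starttls_reply(read_reply(s))
        if result["starttls"] == "ready":
            ctx = ssl.create_default_context()  # verifies chain and name like a mail client does
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                result["tls"] = tls.version()
                result["subject"] = dict(x[0] for x in tls.getpeercert()["subject"])
    return result

if __name__ == "__main__":
    print(probe("mail.example.invalid"))  # placeholder host, replace with the server under test
```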

Good morning.

Sending you links for the files:

https://publicfile.eclipseinformatica.com/mainlog.txt

https://publicfile.eclipseinformatica.com/paniclog.txt