23 March 2021

When you send an email your email client (Mail User Agent) connects to the mail server. This article describes the most common connection errors, and how to fix them.

Connection time-outs

The most common errors we see are connection time-outs. When a time-out happens, an email client can’t connect to the mail server at all. This may be because the outgoing server name is incorrect or because there is a DNS issue. More commonly, the issue is that the server has blocked the user’s IP address.

Most of our servers are configured to block an IP address if there are five failed logins in an hour. This stops brute-force attacks on email accounts, but unfortunately it sometimes blocks genuine users as well. Often, this happens when an email password is changed. If the password isn’t changed straight away in the email client(s) used for the email address, there are likely to be a handful of failed logins.

You can unblock an IP address in WHM via Plugins » ConfigServer Security & Firewall. Alternatively, you can use the csf command line utility:

# csf -a

SMTP AUTH is required for message submission on port 587

The error SMTP AUTH is required for message submission on port 587 indicates that the email client has been configured incorrectly. All our servers require users to connect securely to the mail server. That means that you need to use either port 465 or 587 for SMTP and that both authentication and SSL/TLS need to be enabled.

This error often happens because SSL/TLS hasn’t been enabled in the email client. For instance, when you use port 587 the client issues the STARTTLS command to negotiate a secure connection with the server. That only works if the client is configured to use SSL/TLS. Without SSL/TLS, the email client effectively asks the server if it’s okay to send the username and password in plain text. In response, the computer says ‘no’.

550 Please turn on SMTP Authentication in your mail client

Another fairly common error is Please turn on SMTP Authentication in your mail client. The reason for that error is typically that the email client uses port 25 for SMTP. This port doesn’t support encrypted connections and the server will therefore reject the connection.

In WHM there are two settings under Service Configuration » Exim Configuration Manager that enforce secure connections. The main setting is Require clients to connect with SSL or issue the STARTTLS command before they authenticate with the server. The setting is on by default.

The second setting is POP-before-SMTP, which is hidden under Server Configuration » Tweak Settings » Mail. The setting allows users to use SMTP if they made a valid IMAP or POP3 login in the last hour. This bypasses any issues with sending emails if the user can receive emails. The setting is off by default, and enabling it is not recommended.

535 Incorrect authentication data

The error Incorrect authentication data means that the login failed because the username and/or password was incorrect. These are mostly password errors, but it can be the username.

As the username is included in log entries, it’s easy enough to verify if the username was correct. One thing to look out for is minor typos in the email address. For instance, some email clients let you enter an email address with a leading or trailing space:

2021-03-16 12:00:00 dovecot_plain_authenticator failed for ([]) []:37803: 535 Incorrect authentication data (set_id="mail@example.com ")
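
The following Python script is an added example, not part of the original article or of any cPanel, Exim or csf tooling. It scans log lines in the format shown above, reports set_id values with leading or trailing whitespace, and lists the IP addresses that reach the five-failed-logins-in-an-hour limit described under Connection time-outs. The function names, the sample lines, the client name and the documentation-range IP addresses are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?'
    r'\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+: 535 Incorrect authentication data '
    r'\(set_id="?(?P<user>[^")]*)"?\)')

def parse_failures(log_text):
    """Return (timestamp, ip, set_id) for every 535 authentication failure."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            out.append((ts, m["ip"], m["user"]))
    return out

def whitespace_typos(failures):
    """Unique (ip, set_id) pairs whose set_id has leading/trailing whitespace."""
    return sorted({(ip, user) for _, ip, user in failures if user != user.strip()})

def ips_reaching_limit(failures, limit=5, window=timedelta(hours=1)):
    """IPs with `limit` failures inside any sliding `window` (the block rule)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in failures:
        by_ip[ip].append(ts)
    hit = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - limit + 1):
            if stamps[i + limit - 1] - stamps[i] <= window:
                hit.add(ip)
                break
    return hit

# Constructed sample data: documentation IP ranges, made-up client name and port.
def _line(ts, ip, user):
    return (f'2021-03-16 {ts} dovecot_plain_authenticator failed for (client) '
            f'[{ip}]:37803: 535 Incorrect authentication data (set_id="{user}")')

SAMPLE_LOG = "\n".join(
    [_line(f"12:{m:02d}:00", "203.0.113.5", "mail@example.com ") for m in range(0, 50, 10)]
    + [_line("09:00:00", "198.51.100.7", "mail@example.com"),
       _line("11:30:00", "198.51.100.7", "mail@example.com"),
       "2021-03-16 12:05:00 TLS error on connection from [192.0.2.9]:12770 (SSL_accept): no shared cipher"])

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for ip, user in whitespace_typos(failures):
        print(f"{ip}: set_id {user!r} has leading/trailing whitespace")
    print("IPs at the five-in-an-hour limit:", sorted(ips_reaching_limit(failures)))
```

Printing the set_id with repr makes the stray space visible, which is easy to miss when reading the raw log.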

TLS error on connection

If the client uses an operating system and/or email client that doesn’t support current TLS standards then the server refuses the connection. In the logs the error will look like this:

2021-03-16 12:00:00 TLS error on connection from []:12770 (SSL_accept): error:1408A0C1: SSL routines:ssl3_get_client_hello:no shared cipher
2021-03-16 12:00:00 TLS error on connection from []:12770 (SSL_accept): error:1470760FC: SSL23_GET_CLIENT_HELLO:unknown protocol

The supported TLS versions and ciphers can be configured in WHM via Service Configuration » Exim Configuration Manager. As at March 2021 the supported TLS versions on our servers are 1.2 and 1.3. The old SSL protocols and TLS versions 1.0 and 1.1 are disabled.