SMTP SSL Mismatch

Discussion in 'Installation/Configuration' started by Eliezer Ga, Feb 19, 2021.

  1. Eliezer Ga

    Eliezer Ga New Member

    Hi Team,

    We migrated the mailbox from one server to another. I configured the MX record, SPF, and DKIM with no issue; however, we are getting an SSL mismatch.

    When I check the SSL Checker (https://www.sslshopper.com/ssl-checker.html) it shows this:
    upload_2021-2-19_16-6-50.png
    The SMTP certificate that is used is the certificate of the server web2.domain.com
    What do I need to do so that the SMTP certificate matches mail.domain.com?

    Thank you
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The test you did above does not test for the SSL cert that is used for SMTP; as you can see in the test result, it tested the SSL cert for Apache, which is the web server and not the email system.

    Besides that, the SSL checker you used can easily lead to false errors even if used for SMTP, as it cannot know which domain must be in the cert. The SSL cert must match the hostname of the server, not the mail domain. You can get the hostname of the server with the command:

    hostname -f

    and that's the domain name that must be in the cert. In case you installed ISPConfig and selected to use a Let's Encrypt cert, then that's correct automatically as ISPConfig creates the cert based on the system's hostname.
     
  3. Eliezer Ga

    Eliezer Ga New Member

    That is what I understand also; however, when I configure my email in Outlook and am about to sync, it shows this:
    upload_2021-2-19_16-24-22.png

    and when I view the certificate it shows this:
    upload_2021-2-19_16-26-33.png

    and in Gmail I got this error:
    upload_2021-2-19_16-27-58.png

    Please let me know how I can fix this.
     
  4. Steini86

    Steini86 Active Member

    Your rDNS setting has to match your mailname (/etc/mailname) and the "myhostname" parameter in the postfix config file (/etc/postfix/main.cf). This should also be your ispconfig domain (for which ISPC gets its certificate). Additionally, your certificate needs to be valid for this domain and your mail client should connect to this domain.
    The used certificate is in /etc/postfix/smtpd.cert and /etc/postfix/smtpd.key. You can just create a symlink to the valid certificate of your mailname domain. However, this depends a bit on how you have created your certificate in the first place. Have you used the ispconfig 3.2 way to create an ispc certificate?
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  6. till

    till Super Moderator Staff Member ISPConfig Developer

    In addition to what @Steini86 and @Th0m posted, you must use the right server name in your mail client, which is the server's hostname and not a subdomain of any mail domain you might be using.
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It seems like you have a valid cert for web2.example.com (where example.com is your domain), so when connecting to that it should work already.
     
  8. Fire Fox

    Fire Fox New Member

    Are you using ISPConfig in multi-server mode?
    You can SSH from another server and check your mail server:
    Code:
    openssl s_client -connect mail.example.com:443
    Make sure that the DNS section mentions your mail server domain. If it does not, you need to create the certificate on that mail server. Follow the instructions at https://certbot.eff.org/lets-encrypt/ubuntufocal-other. It's so simple that they don't provide a manual for this new edition of LE.

    Run this on your mail server, follow the instructions, and provide its domain. This uses the DNS challenge, so you must set your DNS accordingly.
    Code:
    sudo certbot certonly --standalone
    Next step: follow this thread https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ and follow the instructions in the "Changing ISPConfig 3 Control Panel (Port 8080)" and "for postfix" sections. Your SMTP is using the certificate you generated, so take note of where the certs are and link accordingly.
     
    Last edited: Feb 20, 2021
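
The mismatch discussed in this thread, as an added example that is not part of any post above: it compares the DNS names in the certificate a mail server presents after STARTTLS with the server name entered in the mail client. The function names, the use of port 25 and the example.com names are assumptions made for illustration; the sample certificate is constructed.

```python
# Added example (not from the thread): compare the names in the certificate
# a mail server presents after STARTTLS with the name a mail client uses.
import smtplib
import ssl


def cert_dns_names(cert):
    """DNS names from a dict in the format returned by SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback: subject CN, only when no SAN is present
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]


def name_matches(pattern, host):
    """RFC 6125 style match: '*' only as the complete left-most label."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_client_name(cert, client_host):
    """Return (ok, names): does the certificate cover the name the client uses?"""
    names = cert_dns_names(cert)
    return any(name_matches(n, client_host) for n in names), names


def fetch_smtp_cert(host, port=25, timeout=10):
    """Fetch the certificate offered after STARTTLS (needs network access).
    The chain is still verified; only the hostname check is deferred so that a
    mismatching certificate can be inspected instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


# Constructed sample: certificate issued for the server hostname only.
SAMPLE_CERT = {"subject": ((("commonName", "web2.example.com"),),),
               "subjectAltName": (("DNS", "web2.example.com"),)}

if __name__ == "__main__":
    for name in ("mail.example.com", "web2.example.com"):
        ok, names = check_client_name(SAMPLE_CERT, name)
        print(f"{name}: {'match' if ok else 'MISMATCH'} (certificate names: {names})")
```

To run it against a live server, pass the result of `fetch_smtp_cert("your.server.name")` to `check_client_name` together with the server name configured in the mail client.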
