Cannot Send Emails As via Gmail - SSL Certificate Mismatch

derekpadula · January 10, 2023, 3:51am

I can receive emails from my server via Gmail, but I cannot send emails as this address. The webmail works fine to receive emails and send them to Gmail. So why can’t Gmail send as?

I receive this error in Gmail:

Authentication failed. Please check your username/password.
Server returned error: “TLS Negotiation failed, the certificate doesn’t match the host., code: 550”

I have upgraded CyberPanel to the latest version. I have reissused SSL certificates to my main domain and to mail.domain, but it has not helped.

I am using mail.thedaoofdragonball.com
Port: 465
Username: my email
Password: the same password I use to log-in to webmail, which works
SSL
Port 465

I have tried every combination of Port number and SSL/TLS, without success.

Here are the test results from //email/testTo:

MX Server Pref Answer Connect HELO TLS Cert Secure From MTASTS DANE Score
ezmail.mail.thedaoofdragonball.com
[69.87.219.243:25] 10 OK
(40ms) OK
(137ms) OK
(40ms) OK
(40ms) FAIL OK
(526ms) OK
(70ms) not tested not tested 112.00
Average 100% 100% 100% 100% 0% 100% 100% 112

Certificate #1 of 4 (sent by MX):
Cert VALIDATED: ok
Cert Hostname DOES NOT VERIFY (ezmail.mail.thedaoofdragonball.com != mail.thedaoofdragonball.com | DNS:mail.thedaoofdragonball.com | DNS:www.mail.thedaoofdragonball.com)
So email is encrypted but the host is not verified
Not Valid Before: Jan 10 02:12:39 2023 GMT
Not Valid After: Apr 10 02:12:38 2023 GMT
subject: /CN=mail.thedaoofdragonball.com
issuer: /C=US/O=Let’s Encrypt/CN=R3

In another program I receive the following error:

Test Connection Failed!
Error : Connection could not be established with host mail.thedaoofdragonball.com :stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

The weirdest part is that it was working for 3 months, from Sept. 17, 2022, but then it stopped in late December, 2022. I figured that if I reissued the SSLs that it would start working again, but that didn’t fix it.

When reissuing SSLs to get email working, should I issue one on my domain.com AND on mail.domain.com, or just one or the other?

Does this issue have anything to do with the ezmail.mail subdomain? I do not have this subdomain in my CyberPanel, but it seems to be looking for it.

Any suggestions?

Edited to remove a : from a URL.

josephgodwinke · January 10, 2023, 4:23am

Happy New Year @derekpadula Happy you are here

It seems your MX record is ezmail.mail.thedaoofdragonball.com for your domain thedaoofdragonball.com, which is wrong.

Ideally it should be mail.thedaoofdragonball.com.

The mailserver ssl is issued to mail.thedaoofdragonball.com not ezmail.mail.thedaoofdragonball.com. Kindly change the MX DNS record for the domain thedaoofdragonball.com to mail.thedaoofdragonball.com and reissue mailserver ssl to mail.thedaoofdragonball.com

Ideally these issues should go away with that record change.

derekpadula · January 10, 2023, 5:38am

Changing my MX DNS from ezmail.mail to .mail improved the situation, but has not solved the problem. Now I receive this error in the email test:

Certificate #1 of 4 (sent by MX): EXPIRED
Cert VALIDATION ERROR(S): certificate has expired
So email is encrypted but the recipient domain is not verified
Cert Hostname VERIFIED (mail.thedaoofdragonball.com = mail.thedaoofdragonball.com | DNS:mail.thedaoofdragonball.com | DNS:www.mail.thedaoofdragonball.com)
Not Valid Before: Sep 11 04:14:37 2022 GMT
Not Valid After: Dec 10 04:14:36 2022 GMT
subject: /CN=mail.thedaoofdragonball.com
issuer: /C=US/O=Let’s Encrypt/CN=R3

You can see that the SSL is verified, but it says it’s expired. Yet I have reissued the SSL multiple times, to no avail.

Can you please explain to me why there are three buttons for the SSL Functions page under https://‘domain’/manageSSL/ ? They are MANAGE SSL, HOSTNAME SSL, and MAILSERVER SSL. I’m not sure which one I’m supposed to use for generating the new SSL. I’ve tried them all.

Perhaps on a related note, my CyberPanel admin is not secure, despite issuing a hostname SSL several times since I started my VPS in September. I wonder if these issues are related. Then again, everything worked fine for 3 months.

Can you please tell me the exact steps of which button to click and which SSL to reissue? I have dev., mail., and the actual domain.

Thank you, Joseph.

josephgodwinke · January 10, 2023, 6:43am

Cetainly the ssl certificate is not valid/expired. You will need to reissue the mailserver ssl. choose the domain mail.thedaoofdragonball.com i.e Go to CyberPanel admin panel → SSL → Mailserver SSL → mail.thedaoofdragonball.com = issue ssl

derekpadula · January 10, 2023, 7:15am

I followed your directions, but the results are the same.

According to CyberPanel, the SSL was issued successfully: “SSL Issued, your mail server now uses Lets Encrypt!” But when I run the test, it still fails. And I still cannot connect via Gmail: "Server returned error: “TLS Negotiation failed, the certificate doesn’t match the host., code: 550"”

Would it be possible to hire you or someone else in the community to enter my admin and fix the problem? I can create an account for you and DM you the details.

derekpadula · January 18, 2023, 12:25pm

I solved the problem with the help of josephgodwinke, after 8 days of effort. Here’s the solution for anyone else who comes across this problem.

The short answer is to select Email > Email Debugger in the sidebar menu of CyberPanel. Then click the big red button that resets everything related to emails. Wait until it’s done, and then connect to your SMTP via your email client, such as Gmail or Thunderbird, and it should work.

Follow this guide for more: 9 - How to Debug and Reset Email Settings using CyberPanel Cloud

The longer answer is that my mail.domain’s SSL certificate’s validation period was stuck in the past. It was issued on Sep 11 and was only valid until Dec. 10. Yet no matter how many times I reissued the SSL, including deleting the existing SSL certificate via FTP and then issuing a new one, my Gmail continued to produce the same error mentioned at the start of this post. I failed to connect over a hundred times, and Gmail’s terrible error message was repeatedly useless.

I only discovered the cause of the problem by connecting to my SMTP via Thunderbird, and then trying to send an email. I could connect just fine, which was surprising, but then an error came up when I tried to send the email, so I clicked for more info to read the SSL’s validity dates. Validity: “Not Before Sun, 11 Sep 2022 04:14:37 GMT” and "Not After Sat, 10 Dec 2022 04:14:36 GMT. Gmail never provided this info. So if you’re stuck, try Thunderbird.

You could also do this manually. Afterward, Joseph mentioned to me that “you can find acme.sh and purge all the ecc keys and certificates for mail subdomain, and then reissue new ecc certificates the manual way.” Thankfully, CyberPanel’s Email Debugger does this as part of the reset process. But if you don’t have CyberPanel Cloud, then try the manual method.

If the CyberPanel developers read this post (@usmannasir), please set up a notification explaining that the new SSL certificate is still using the old expiration date, and that an email process needs to be reset. Then recommend that the user hit the reset button. Or instead of the nuclear option, send them to whatever process will reset that validity period. I feel like this should automatically be done as part of a new SSL certificate being issued for .mail subdomains. That way, other people won’t have to waste their time and energy (and stress!) to discover this.

Hopefully I won’t have to repeat this process in another 90 days. But if I do, it should be as simple as a click of that button.

Dreamer · January 18, 2023, 2:13pm

@usmannasir @shoaibkk @josephgodwinke I think this is exactly same issue I made bug report months ago. This same issue comes back every 90day

josephgodwinke · January 18, 2023, 2:46pm

[BUG] SMTP certificate verify failing. · Issue #971 · usmannasir/cyberpanel · GitHub @usmannasir should probably explain what he meant by this

usmannasir · January 26, 2023, 4:58am

How about /email/listEmails

By clicking Fix Now as it will re-read SSL certificates for mail server.

usmannasir · January 26, 2023, 5:31am

Also check [BUG] Mail server SSL fail update · Issue #1019 · usmannasir/cyberpanel · GitHub

Dreamer · May 23, 2023, 2:31pm

@usmannasir I still get this issue when certificate renews.

fayssal · June 22, 2023, 1:33am

the same problem Mail server SSL fail to update automatically. smtp stopped working.
please me to solve this issue.

mad_rock · July 8, 2024, 8:59am

hi, I have the same issue. I don’t have email debugger add-on. How can i implement the command on the server?

derekpadula · July 8, 2024, 3:07pm

Sorry, but I don’t know. My suspicion is that you will have to research how to manually reset the date by which the SSL certificate thinks it has been issued. Because the problem was that, even though you issued a new SSL certificate, the date that it thinks it was issued on wasn’t getting refreshed. This meant that the old date was still in the system, and thus the new certificate was listed as expired. The only solution was clicking that button in CyberPanel and nuking the entire system. But I have no idea what that button does on the server in terms of commands, and it has never been explained here. Someone else will have to assist you.

I stopped using CyberPanel and Litespeed, in part because of issues like this. I switched to Virtualmin and Nginx. There are a multitude of other problems, but this isn’t one of them. In general, this combo has been better for me.