seconds test stage and result
[000.000] Trying TLS on mail.domain.com[144.126.132.5:25] (10)
[000.032] Server answered
[000.212] < 220 mail.domain.com ESMTP Postfix
[000.212] We are allowed to connect
[000.212] > EHLO www11-do.CheckTLS.com
[000.243] < 250-mail.domain.com
250-PIPELINING
250-SIZE 30720000
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
[000.243] We can use this server
[000.243] TLS is an option on this server
[000.243] > STARTTLS
[000.273] < 220 2.0.0 Ready to start TLS
[000.273] STARTTLS command works on this server
[000.385] Connection converted to SSL
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes
Certificate #1 of 4 (sent by MX): EXPIRED
Cert VALIDATION ERROR(S): certificate has expired
So email is encrypted but the recipient domain is not verified
Cert Hostname VERIFIED (mail.domain.com = mail.domain.com | DNS:mail.domain.com | DNS:www.mail.domain.com)
Not Valid Before: Jan 2 16:19:02 2022 GMT
Not Valid After: Apr 2 16:19:01 2022 GMT
subject= /CN=mail.domain.com
issuer= /C=US/O=Let's Encrypt/CN=R3
Certificate #2 of 4 (sent by MX):
Cert VALIDATED: ok
Not Valid Before: Sep 4 00:00:00 2020 GMT
Not Valid After: Sep 15 16:00:00 2025 GMT
subject= /C=US/O=Let's Encrypt/CN=R3
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate #3 of 4 (added from CA Root Store):
Cert VALIDATED: ok
Not Valid Before: Jun 4 11:04:38 2015 GMT
Not Valid After: Jun 4 11:04:38 2035 GMT
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate #4 of 4 (sent by MX):
Cert VALIDATED:
Not Valid Before: Jan 20 19:14:03 2021 GMT
Not Valid After: Sep 30 18:14:03 2024 GMT
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
[000.490] ~~> EHLO www11-do.CheckTLS.com
[000.519] <~~ 250-mail.domain.com
250-PIPELINING
250-SIZE 30720000
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
[000.519] TLS successfully started on this server
[000.519] ~~> MAIL FROM:<[email protected]>
[000.564] <~~ 250 2.1.0 Ok
[000.564] Sender is OK
[000.564] ~~> QUIT
[000.593] <~~ 221 2.0.0 Bye
Manually tried to install SSL specifically to mail.domain.com via terminal. Successfully done using command:
/root/.acme.sh/acme.sh --issue -d mail.domain.com --cert-file /etc/letsencrypt/live/mail.domain.com/cert.pem --key-file /etc/letsencrypt/live/mail.domain.com/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.com/fullchain.pem -w /home/domain.com/mail.domain.com -k ec-256 --force --server letsencrypt
Issued SSL via CyberPanel dashboard for mail server.
Added one more rewrite rule:
#Force SSL for email
RewriteEngine On
RewriteCond %{HTTP_HOST} mail.domain-name.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://mail.domain-name.com/$1 [R,L]
#End Force SSL for email
Thunderbird starts showing signs it is alive. I can receive emails, but can’t send them.
Last error message: Sending of the message failed.
Unable to authenticate to Outgoing server (SMTP) mail.domain.com. Please check the password and verify the ‘Authentication method’ in ‘Account Settings | Outgoing server (SMTP)’.
Finally, I had to re-enter all passwords for every email account created in Thunderbird in order for it to work.
Conclusion: there is something wrong here. Why do we have to do this every three months? @usmannasir please fix this issue in the next update.
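A monitoring check for the expiry shown in the CheckTLS report above, added here as an example (it is not part of the original post or of CyberPanel). It parses the report's certificate blocks and lists every certificate that is expired or close to expiry; the function names, the 30-day warning window and the evaluation dates are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: certificate lines taken from the CheckTLS report above.
SAMPLE_REPORT = """\
Certificate #1 of 4 (sent by MX): EXPIRED
Not Valid After: Apr 2 16:19:01 2022 GMT
subject= /CN=mail.domain.com
Certificate #2 of 4 (sent by MX):
Not Valid After: Sep 15 16:00:00 2025 GMT
subject= /C=US/O=Let's Encrypt/CN=R3
"""

CERT_RE = re.compile(r"^Certificate #(\d+) of \d+ \(([^)]*)\):")
FIELD_RE = re.compile(r"^(Not Valid After|subject=)\s*:?\s*(.+)$")

def parse_certs(report):
    """Turn the report's 'Certificate #N of M' blocks into dicts."""
    certs = []
    for line in report.splitlines():
        line = line.strip()
        m = CERT_RE.match(line)
        if m:
            certs.append({"index": int(m.group(1)), "source": m.group(2)})
            continue
        m = FIELD_RE.match(line)
        if not m or not certs:
            continue  # SMTP dialogue and other lines are ignored
        if m.group(1) == "subject=":
            certs[-1]["subject"] = m.group(2)
        else:
            ts = datetime.strptime(m.group(2), "%b %d %H:%M:%S %Y GMT")
            certs[-1]["not_after"] = ts.replace(tzinfo=timezone.utc)
    return certs

def renewal_findings(report, now, warn_days=30):
    """Return (index, subject, days_left, state) for certs needing attention.

    warn_days=30 is an assumed threshold, chosen for 90-day certificates."""
    findings = []
    for c in parse_certs(report):
        if "not_after" not in c:
            continue
        days_left = (c["not_after"] - now).days
        expired = c["not_after"] <= now
        state = "expired" if expired else "expiring" if days_left < warn_days else "ok"
        if state != "ok":
            findings.append((c["index"], c.get("subject"), days_left, state))
    return findings
```

Feeding it a saved report on a schedule, with `now` set to the current UTC time, gives a warning before the mail certificate lapses rather than after mail clients start failing.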