SSL for mail server not working properly

I can send/receive emails via Rainloop, but can’t do the same on my computer via the Thunderbird email client.

Error in the log: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 45:

Issued new certificates for domain and mail server. (no progress…)

Can anyone guide me on how to sort this out?

Please check and show the results of //email/testTo:

seconds		test stage and result
		
[000.000]		Trying TLS on mail.domain.com[144.126.132.5:25] (10)
[000.032]		Server answered
[000.212]	<   	220 mail.domain.com ESMTP Postfix
[000.212]		We are allowed to connect
[000.212]	  >	EHLO www11-do.CheckTLS.com
[000.243]	<   	250-mail.domain.com
250-PIPELINING
250-SIZE 30720000
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
[000.243]		We can use this server
[000.243]		TLS is an option on this server
[000.243]	  >	STARTTLS
[000.273]	<   	220 2.0.0 Ready to start TLS
[000.273]		STARTTLS command works on this server
[000.385]		Connection converted to SSL
		SSLVersion in use: TLSv1_3
		Cipher in use: TLS_AES_256_GCM_SHA384
		Perfect Forward Secrecy: yes
		Certificate #1 of 4 (sent by MX): EXPIRED
		Cert VALIDATION ERROR(S): certificate has expired
		So email is encrypted but the recipient domain is not verified
		Cert Hostname VERIFIED (mail.domain.com = mail.domain.com | DNS:mail.domain.com | DNS:www.mail.domain.com)
		Not Valid Before: Jan  2 16:19:02 2022 GMT
		Not Valid After: Apr  2 16:19:01 2022 GMT
		subject= /CN=mail.domain.com
		issuer= /C=US/O=Let's Encrypt/CN=R3
		Certificate #2 of 4 (sent by MX):
		Cert VALIDATED: ok
		Not Valid Before: Sep  4 00:00:00 2020 GMT
		Not Valid After: Sep 15 16:00:00 2025 GMT
		subject= /C=US/O=Let's Encrypt/CN=R3
		issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
		Certificate #3 of 4 (added from CA Root Store):
		Cert VALIDATED: ok
		Not Valid Before: Jun  4 11:04:38 2015 GMT
		Not Valid After: Jun  4 11:04:38 2035 GMT
		subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
		issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
		Certificate #4 of 4 (sent by MX):
		Cert VALIDATED: 
		Not Valid Before: Jan 20 19:14:03 2021 GMT
		Not Valid After: Sep 30 18:14:03 2024 GMT
		subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
		issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
[000.490]	~~>	EHLO www11-do.CheckTLS.com
[000.519]	<~~ 	250-mail.domain.com
250-PIPELINING
250-SIZE 30720000
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
[000.519]		TLS successfully started on this server
[000.519]	~~>	MAIL FROM:<test@checktls.com>
[000.564]	<~~ 	250 2.1.0 Ok
[000.564]		Sender is OK
[000.564]	~~>	QUIT
[000.593]	<~~ 	221 2.0.0 Bye

These steps solved the problem:

What I’ve tried:

  • Upgraded CyberPanel

  • Checked whether mail.domain.com is pointing to the server IP

  • Manually tried to install SSL specifically for mail.domain.com via the terminal. Successfully done using the command:
    /root/.acme.sh/acme.sh --issue -d mail.domain.com --cert-file /etc/letsencrypt/live/mail.domain.com/cert.pem --key-file /etc/letsencrypt/live/mail.domain.com/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.com/fullchain.pem -w /home/domain.com/mail.domain.com -k ec-256 --force --server letsencrypt

  • Issued SSL via the CyberPanel dashboard for the mail server

  • Added one more rewrite rule:
    #Force SSL for email
    RewriteEngine On
    RewriteCond %{HTTP_HOST} mail.domain-name.com [NC]
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://mail.domain-name.com/$1 [R,L]
    #End Force SSL for email

  • Thunderbird starts showing signs it is alive. I can receive emails, but can’t send them.

  • Last error message: Sending of the message failed.
    Unable to authenticate to Outgoing server (SMTP) mail.domain.com. Please check the password and verify the ‘Authentication method’ in ‘Account Settings | Outgoing server (SMTP)’.

  • Finally, I had to re-enter all passwords for every email created in Thunderbird in order for it to work.

Conclusion: there is something wrong here. Why do we have to do this every three months?
@usmannasir please fix this issue in the next update


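
Added example, not part of the thread or of CyberPanel: a Python check that reads a CheckTLS-style report like the one posted above and labels each certificate in the chain as expired, close to expiry, or fine, so a failed renewal is noticed before mail clients start rejecting the server. The report lines are copied from the thread; the function names, the reference dates and the 30-day warning window are assumptions.

```python
import re
import ssl
from datetime import datetime, timezone

# Constructed sample: certificate lines copied from the CheckTLS report in this thread.
REPORT = """
Certificate #1 of 4 (sent by MX): EXPIRED
Not Valid After: Apr  2 16:19:01 2022 GMT
subject= /CN=mail.domain.com
Certificate #2 of 4 (sent by MX):
Not Valid After: Sep 15 16:00:00 2025 GMT
subject= /C=US/O=Let's Encrypt/CN=R3
Certificate #3 of 4 (added from CA Root Store):
Not Valid After: Jun  4 11:04:38 2035 GMT
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate #4 of 4 (sent by MX):
Not Valid After: Sep 30 18:14:03 2024 GMT
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
"""

def parse_chain(report):
    """Return one dict per 'Certificate #n' block with its subject and expiry."""
    certs = []
    for line in (raw.strip() for raw in report.splitlines()):
        m = re.match(r"Certificate #(\d+) of \d+", line)
        if m:
            certs.append({"index": int(m.group(1)), "subject": None, "not_after": None})
        elif certs and line.startswith("Not Valid After:"):
            # Same date format OpenSSL prints, e.g. "Apr  2 16:19:01 2022 GMT".
            ts = ssl.cert_time_to_seconds(line.split(":", 1)[1].strip())
            certs[-1]["not_after"] = datetime.fromtimestamp(ts, tz=timezone.utc)
        elif certs and line.startswith("subject="):
            certs[-1]["subject"] = line.split("=", 1)[1].strip()
    return certs

def classify(certs, now, warn_days=30):
    """Return (index, subject, status, whole days left) for each dated certificate."""
    findings = []
    for c in certs:
        if c["not_after"] is None:  # block without an expiry line: nothing to judge
            continue
        days_left = int((c["not_after"] - now).total_seconds() // 86400)
        status = "EXPIRED" if c["not_after"] <= now else (
            "EXPIRING" if days_left < warn_days else "OK")
        findings.append((c["index"], c["subject"], status, days_left))
    return findings

if __name__ == "__main__":
    # Assumed reference date shortly after the leaf certificate's expiry.
    for finding in classify(parse_chain(REPORT), datetime(2022, 4, 10, tzinfo=timezone.utc)):
        print(finding)
```
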