Hello,
I don't understand why it's not working:
Jan 14 19:38:56 localhost postfix/submission/smtpd[397261]: connect from unknown[173.44.55.155]
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: SSL_accept error from unknown[173.44.55.155]: -1
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 42:
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: lost connection after STARTTLS from unknown[173.44.55.155]
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: disconnect from unknown[173.44.55.155] ehlo=1 starttls=0/1 commands=1/2
Jan 14 19:41:17 localhost dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>,
I set a DNS A record for mail.domain.com pointing to the server IP.
I set an MX record for mail.domain.com to the server IP too.
When I try to send a mail I get this pop-up (the domain name does not match the server's certificate):
https://prnt.sc/4OWj9c5gZsO9
            
Updated to make it clearer: today the DNS records are fully propagated and I still have this error. I'm waiting for a fix; this email is critical for the customer's business. CyberPanel's mail function should work 100% without any problem, otherwise it's dangerous to use CyberPanel for critical apps. I hope I can understand what is happening here.
I didn't try first with a non-critical email because I was thinking this would work 100% the first time without any error; next time I will use a test site for this purpose.
            
What are the results of checktls?
            
              checktls: command not found
…
            
What @shoaibkk means is: go to //email/testTo: and use any email address on your mail server. Post the results here for support.
            
OK, thanks for clarifying.
Result:
Checking [email protected] from www12-do.checktls.com(V03.69.04) at 2023-01-16T15:17:49Z:

| seconds | lookup | result |
| [000.000] | DNS LOOKUPS | |
| [000.008] | SEARCHLIST | 104.131.108.216,134.209.169.224,1.1.1.1,8.8.8.8,67.207.67.3 |
| [000.052] | MX | (30) mail.XXX.com |
| [000.075] | MX:A-->mail.XXX.com | server-ip-removed |

| seconds | dir | test stage and result |
| [000.000] | | Trying TLS on mail.xxxx.com[server-ip-removed:25] (30) |
| [000.076] | | Server answered |
| [000.319] | <-- | 220 xxxx.com ESMTP Postfix |
| [000.319] | | We are allowed to connect |
| [000.319] | --> | EHLO www12-do.checktls.com |
| [000.394] | <-- | 250-xxxx.com |
| | | 250-PIPELINING |
| | | 250-SIZE 30720000 |
| | | 250-ETRN |
| | | 250-STARTTLS |
| | | 250-AUTH PLAIN |
| | | 250-AUTH=PLAIN |
| | | 250-ENHANCEDSTATUSCODES |
| | | 250-8BITMIME |
| | | 250-DSN |
| | | 250 CHUNKING |
| [000.394] | | We can use this server |
| [000.394] | | TLS is an option on this server |
| [000.394] | --> | STARTTLS |
| [000.469] | <-- | 220 2.0.0 Ready to start TLS |
| [000.469] | | STARTTLS command works on this server |
| [000.561] | | Connection converted to SSL |
| | | SSLVersion in use: TLSv1_3 |
| | | Cipher in use: TLS_AES_256_GCM_SHA384 |
| | | Perfect Forward Secrecy: yes |
| | | Session Algorithm in use: Curve X25519 DHE(253 bits) |
| | | Certificate #1 of 1 (sent by MX): |
| | | Cert VALIDATION ERROR(S): self signed certificate |
| | | So email is encrypted but the recipient domain is not verified |
| | | Cert Hostname VERIFIED (mail.xxx.com = mail.xxx.com) |
| | | Not Valid Before: Jan 14 18:31:00 2023 GMT |
| | | Not Valid After: Jan 11 18:31:00 2033 GMT |
| | | subject: /C=US/ST=Denial/L=Springfield/O=Dis/CN=mail.xxx.com |
| | | issuer: /C=US/ST=Denial/L=Springfield/O=Dis/CN=mail.xxx.com |
| [000.565] | ~~> | EHLO www12-do.checktls.com |
| [000.710] | <~~ | 250-xxx.com |
| | | 250-PIPELINING |
| | | 250-SIZE 30720000 |
| | | 250-ETRN |
| | | 250-AUTH PLAIN |
| | | 250-AUTH=PLAIN |
| | | 250-ENHANCEDSTATUSCODES |
| | | 250-8BITMIME |
| | | 250-DSN |
| | | 250 CHUNKING |
| [000.711] | | TLS successfully started on this server |
| [000.711] | ~~> | MAIL FROM:[email protected] |
| [000.791] | <~~ | 250 2.1.0 Ok |
| [000.792] | | Sender is OK |
| [000.792] | ~~> | QUIT |
| [000.868] | <~~ | 221 2.0.0 Bye |
 
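The CheckTLS run above only talks to port 25 (the MX), while Thunderbird submits on port 587 (or 465), and Postfix can present a different certificate on each listener when master.cf carries a "-o smtpd_tls_cert_file=..." override for the submission service. The Postfix warning "SSL alert number 42" is also easy to misread: an alert that smtpd logs was sent by the client, so it records Thunderbird refusing the certificate the server offered, not a server-side TLS failure. The script below is an added example, not code from this thread or from CyberPanel. It decodes the alert numbers from Postfix log lines (the first sample line is the warning from this thread with the path elided, the second is constructed) and, when given a hostname, prints the subject, issuer and SHA-256 fingerprint of the certificate each port actually serves next to what postconf says is configured. The hostname, ports and file paths are assumptions, and the probe part needs openssl and postconf on the server.

```shell
#!/bin/sh
# Added example (not from the thread or CyberPanel). Assumptions: the server
# runs Postfix with openssl and postconf installed; the hostname is supplied on
# the command line; the log sample below is constructed from the thread's
# warning plus one invented port-25 line.

# TLS alert numbers seen in "warning: TLS library problem ... SSL alert number N".
# smtpd logs alerts it RECEIVED, so the number names the client's objection.
tls_alert_name() {
    case "$1" in
        42)  echo "bad_certificate (client rejected the certificate the server presented)" ;;
        45)  echo "certificate_expired" ;;
        46)  echo "certificate_unknown" ;;
        48)  echo "unknown_ca (issuer is not trusted by the client)" ;;
        112) echo "unrecognized_name (client SNI did not match any server name)" ;;
        *)   echo "alert $1" ;;
    esac
}

# Read Postfix log lines on stdin; print "<service> <alert-number>" per warning.
# "postfix/submission/smtpd" is the port 587 listener; plain "postfix/smtpd"
# is the port 25 listener and is reported as "smtp".
alerts_from_log() {
    awk '/warning: TLS library problem/ && /SSL alert number [0-9]+/ {
        svc = "smtp"
        if (match($0, /postfix\/[a-z]+\/smtpd\[/)) {
            # drop the leading "postfix/" (8 chars) and trailing "/smtpd[" (7 chars)
            svc = substr($0, RSTART + 8, RLENGTH - 15)
        }
        match($0, /SSL alert number [0-9]+/)
        num = substr($0, RSTART + 17, RLENGTH - 17)
        print svc, num
    }'
}

# Human-readable version of alerts_from_log.
decode_alerts() {
    alerts_from_log | while read -r svc num; do
        printf '%s listener: %s\n' "$svc" "$(tls_alert_name "$num")"
    done
}

# Certificate a listener actually presents (465 is implicit TLS, the others STARTTLS).
presented_cert() {   # presented_cert HOST PORT
    if [ "$2" = 465 ]; then starttls=""; else starttls="-starttls smtp"; fi
    # $starttls is intentionally left unquoted so it splits into two arguments
    openssl s_client -connect "$1:$2" $starttls -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -fingerprint -sha256
}

# Certificate Postfix is configured to present: the main.cf value, any
# per-listener "-o smtpd_tls_cert_file=..." override from master.cf, and the
# fingerprint of the file on disk, to compare with what is seen on the wire.
configured_cert() {
    echo "main.cf:"
    postconf smtpd_tls_cert_file smtpd_tls_key_file
    echo "master.cf overrides (nothing printed = every listener uses main.cf):"
    postconf -M 2>/dev/null | grep -E -- '-o smtpd_tls_(cert|key|chain)' || true
    f=$(postconf -h smtpd_tls_cert_file)
    if [ -r "$f" ]; then
        echo "$f:"
        openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
    fi
}

# Constructed sample: line 1 is the thread's warning (path elided), line 2 invented.
SAMPLE_LOG='Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:.../ssl/record/rec_layer_s3.c:1543:SSL alert number 42:
Jan 16 10:00:00 localhost postfix/smtpd[4242]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:.../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:'

printf '%s\n' "$SAMPLE_LOG" | decode_alerts

# With a hostname argument, compare what each listener serves with the config.
if [ $# -ge 1 ]; then
    for port in 25 587 465; do
        echo "== $1:$port presents"
        presented_cert "$1" "$port" || echo "(no certificate obtained on port $port)"
    done
    echo "== configured"
    configured_cert
fi
```

Run it on the server as `sh check_mail_tls.sh mail.xxx.com`. If the port 587 fingerprint differs from port 25, or from the file that postconf names, that listener is reading a different file (look at the `-o smtpd_tls_cert_file=` line printed from master.cf). If subject and issuer are identical, the certificate is self-signed and a reissued CA certificate never reached that file, which is what CheckTLS reported for port 25 above. Do not work around a "Wrong site" warning by adding a permanent exception in the mail client: an attacker on the path would produce exactly the same dialog.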
              
Reissue the mail server SSL certificate for mail.XXX.com.
            
I already did, but that doesn't work; the problem is still there. I tried for mail.xxx.com and for xxx.com (the primary domain), like in the YouTube video from the CyberPanel team.
            
Check the rDNS PTR record; it should be mail.xxx.com. This is done where your dedicated server was purchased from. Add it for both the IPv4 and IPv6 addresses.
            
On OVH we have a tab where we can add what they call "Secondary DNS".
Screenshot by Lightshot, translation:
Add a domain
Add a secondary DNS to your dedicated server:
IP
…
Domain
…
Is that the rDNS PTR?
            
Thanks,
So we edited the reverse DNS and put mail.xxx.com.
We can only edit the IPv4 reverse DNS and not the IPv6; there is no option to edit it.
Will this reverse DNS cause any problem in the future for our other WordPress sites that run on the same server?
We will install more mailboxes later for other domains, so mail.xxx.com is the first install, but there will be mail.xxx2.com, mail.xxx3.com and mail.xxx4.com.
We actually think that setting the reverse DNS to mail.xxx.com may make it impossible to correctly install the future mailboxes for the other WordPress sites.
Testing:
So we did a test after editing the reverse DNS to mail.xxx.com.
The A record was already fully propagated, and as explained we understand that the reverse DNS is propagated instantly once the setting is in place.
We still have the same error:
Jan 17 09:28:07 localhost postfix/submission/smtpd[727258]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 42:
The Thunderbird pop-up says:
This site tries to identify itself with invalid information.
Wrong site
The certificate belongs to a different site, which could indicate that someone is trying to impersonate this site.
Unknown identity
The certificate is not secure because it is impossible to verify that it was issued by a trusted authority using a secure signature.
(still the same problem)
After this pop-up I can only quit; then a second pop-up appears, which says:
Sending the message failed.
The certificate is not secure because it is self-signed.
The configuration linked to mail.hecten.com must be corrected.
              
No, the rDNS is for the mail server, not for serving your websites.
Apply this fix: Cannot Send Emails As via Gmail - SSL Certificate Mismatch - #4 by josephgodwinke. Then copy your mail server domain and test it here: SSL Checker. If you get any errors there, report back here.
            
1/ We tested with the domain name xxx.com instead of mail.xxx.com and it works, without any problem.
2/ We still want to use mail.xxx.com because this is the best option if we want to change our mail server later.
So we did your fix again: we issued the mail server SSL certificate for mail.xxx.com again.
We tested: we connected to our email, and when trying to send an email we are blocked by the pop-ups. Still the same problem.
The result of the SSL checker:
We checked with CheckTLS afterward because we found it weird that the SSL checker says everything is fine while on our side we still have the problem:
            
We deleted the file in mail.xxx.com and issued the mail server SSL certificate again for mail.xxx.com, and we still have the same problem.
Could it come from the DNS settings?
We know that
default._domainkey.
_domainkey.
_dmarc.
are all set on xxx.com and not on mail.xxx.com.
Maybe it comes from that? We didn't think about it because the error seems to be at the certificate level rather than at the DNS record level.
Thanks
            
              Do you have an A record for mail.xxxx.com?
            
Yes, we set the A record for mail.xxx.com; it's fully propagated now and points to the server IP, of course.
              
You are right. Exclude the DNS. Of course disabling TLS on Postfix is out of the question.
Let's take matters into our own hands now. Create a CSR:
mkdir -p /etc/postfix/ssl && cd /etc/postfix/ssl
openssl req -nodes -newkey rsa:2048 -keyout mail.xxx.com.key -out mail.xxx.com.csr
Confirm /etc/postfix/main.cf has our new certificate and key chain, and run service postfix reload.
            
Done.
Edit: the /etc/postfix/ssl folder didn't exist, so we created it with mkdir ssl.
After all that was done, we still have the problem.