TLS Library problem alert 42 - domain name does not match the server certificate - cyberpanel

Hello,

Don’t understand why it’s not working,

Jan 14 19:38:56 localhost postfix/submission/smtpd[397261]: connect from unknown[173.44.55.155]
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: SSL_accept error from unknown[173.44.55.155]: -1
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 42:
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: lost connection after STARTTLS from unknown[173.44.55.155]
Jan 14 19:38:57 localhost postfix/submission/smtpd[397261]: disconnect from unknown[173.44.55.155] ehlo=1 starttls=0/1 commands=1/2
Jan 14 19:41:17 localhost dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>,

I did dns record A mail.domain.com to the server ip
I did mx record mail.domain.com to the server ip too

When I try to send a mail I have this pop up (domain name does not match the server’s certificate)
https:// prnt.sc/4OWj9c5gZsO9

updated to make it more clear, today dns are fully propagated and still have this error, waiting for a fix, this email is critical business for customer service… cyberpanel mail function should work 100% with any problem , otherwise it’s dangerous to use cyberpanel for critical apps, hope I can understand what is happening here :wink:

I didn’t make a try before with a non critical email because i was thinking this will work 100% in the first time without any error, for the next time i will use a test site for this purpose

what is the results of checktls?

checktls: command not found

What @shoaibkk means is you go to //email/testTo: and use any email address for your mailserver. Post the results here for support

1 Like

Ok thanks to clarify :wink:

Result :

Checking XXX@XXX.com from www12-do.checktls.com(V03.69.04) at 2023-01-16T15:17:49Z:

seconds lookup result
[000.000] DNS LOOKUPS
[000.008] SEARCHLIST 104.131.108.216,134.209.169.224,1.1.1.1,8.8.8.8,67.207.67.3
[000.052] MX (30) mail.XXX.com
[000.075] MX:A–>mail.XXX.com server-ip-removed
seconds test stage and result
[000.000] Trying TLS on mail.xxxx.com[server-ip-removed:25] (30)
[000.076] Server answered
[000.319] <‑‑ 220 xxxx.com ESMTP Postfix
[000.319] We are allowed to connect
[000.319] ‑‑> EHLO www12-do.checktls.com
[000.394] <‑‑ 250-xxxx.com
250-PIPELINING
250-SIZE 30720000
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
[000.394] We can use this server
[000.394] TLS is an option on this server
[000.394] ‑‑> STARTTLS
[000.469] <‑‑ 220 2.0.0 Ready to start TLS
[000.469] STARTTLS command works on this server
[000.561] Connection converted to SSL
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes
Session Algorithm in use: Curve X25519 DHE(253 bits)
Certificate #1 of 1 (sent by MX):
Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname VERIFIED (mail.xxx.com = mail.xxx.com)
Not Valid Before: Jan 14 18:31:00 2023 GMT
Not Valid After: Jan 11 18:31:00 2033 GMT
subject: /C=US/ST=Denial/L=Springfield/O=Dis/CN=mail.xxx.com
issuer: /C=US/ST=Denial/L=Springfield/O=Dis/CN=mail.xxx.com
[000.565] ~~> EHLO www12-do.checktls.com
[000.710] <~~ 250-xxx.com
250-PIPELINING
250-SIZE 30720000
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
[000.711] TLS successfully started on this server
[000.711] ~~> MAIL FROM:test@checktls.com
[000.791] <~~ 250 2.1.0 Ok
[000.792] Sender is OK
[000.792] ~~> QUIT
[000.868] <~~ 221 2.0.0 Bye

Reissue mailserver ssl for mail.XXX.com

1 Like

I already did but this doesn’t work, still the problem, I try for mail.xxx.com and xxx.com (primary domain) like in the youtube video of cyperpanel team.

Check rDNS ptr record it should be mail.xxx.com this should be done where your dedicated server was purchased from. Add for both ipv4 and ipv6 ip addresses.

1 Like

On OVH we have a tab where we can add what they call “Secondary DNS”

Screenshot by Lightshot translation :

Add a domain

Add a secondary DNS to your dedicated server :

IP

Domain

Is that rDNS ptr ?

This is service provider specific kindly check their tutorial https://support.us.ovhcloud.com/hc/en-us/articles/360002181530-How-to-Configure-Reverse-DNS

1 Like

Thanks,

So we edit the reverse DNS and we put mail.xxx.com

We can only edit the IPv4 Reverse DNS and not the IPv6, there is no option to edit.

This reverse DNS will not put any problem in the future for our other wordpress site that run on the same server ?

We will install more mailbox after for other domain so mail.xxx.com is the first install , but there will be mail.xxx2.com mail.xxx3.com and mail.xxx4.com

We actually think that put the reverse dns to mail.xxx.com will maybe make us not possible to install correctly the futur mailbox for other wordpress site.

Testing :

So we did a test after editing the reverse DNS to mail.xxx.com,
The A Dns was fully propagated already, and like it’s explained we understand that the reverse DNS is instantly propagated after the setting in place.

We still have the same error :
Jan 17 09:28:07 localhost postfix/submission/smtpd[727258]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 42:

Thunderbird pop-up say :
This site tries to identify itself with invalid information.

Wrong site

The certificate belongs to a different site, which could indicate that someone is trying to impersonate this site.

Unknown identity

The certificate is not secure because it is impossible to verify that it was issued by a trusted authority using a secure signature.

(still same problem)

After this Pop up I can only quit, then a secondary pop up appear, this one say :

Sending the message failed.
The certificate is not secure because it is self-signed.
The configuration linked to mail.hecten.com must be corrected.

No the rDNS is for the mailserver, not to serve your websites

Apply this fix Cannot Send Emails As via Gmail - SSL Certificate Mismatch - #4 by josephgodwinke then copy your mailserver domain and test it here SSL Checker if you get any errors there report back here

1 Like

1/ We test with the domain name xxx.com instead of mail.xxx.com and it works, no any problem.

2/ We still want to use mail.xxx.com because this is the best option if we want to change later our mail server.

So we did your fix again, we issued again the mail server ssl for mail.xxx.com
We test, we connect to our email, and when trying to send an email we are blocked by the pop-ups. Still the same problem.

The checking of ssl checker :

We check after the Check tls because we find that weird ssl checker say everything is fine, and on our side we have still the problem :

Follow this guide Self Signed SSL Issue · josephgodwinkimani/cyberpanel Wiki · GitHub

instead of mydomain.com use mail.mydomain.com e.g.

rm -f /etc/letsencrypt/live/mail.mydomain.com/privkey.pem && rm -f /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem

Skip this part Self Signed SSL Issue · josephgodwinkimani/cyberpanel Wiki · GitHub and do Cannot Send Emails As via Gmail - SSL Certificate Mismatch - #4 by josephgodwinke

1 Like

we delete the file in mail.xxx.com and issue mail server ssl again for mail.xxx.com and we still have the same problem,

does it may come from the dns settings ?

we know that the
default._domainkey.
_domainkey.
_dmarc.

are all set on xxx.com and not for mail.xxx.com

maybe it come from that ? We didn’t think about it because the error seems more to be at the certificate level and not dns record.

Thanks

Do you have an A record for mail.xxxx.com?

1 Like

yes we set the A record for mail.xxx.com , this is fine propagated now, it point to the server ip of course

You are right. Exclude the DNS. Of course diabling tls on postfix is out of the question.

Let’s take matters into our own hands now. create a csr

cd /etc/postfix/ssl
openssl req -nodes -newkey rsa:2048 -keyout mail.xxxx.com.key -out mail.xxx.com.csr

Confirm /etc/postfix/main.cf has our new certificate and keychain and run service postfix reload

1 Like

Done,
edit the /etc/postfix/ssl folder wasn’t exist so we create it by mkdir ssl

after all done, we still have the problem