Check the rDNS PTR record; it should be mail.xxx.com. This should be done where your dedicated server was purchased from. Add it for both the IPv4 and IPv6 IP addresses.
On OVH we have a tab where we can add what they call "Secondary DNS".
Screenshot (Lightshot), translated:
Add a domain
Add a secondary DNS to your dedicated server:
Is that the rDNS PTR?
This is service-provider specific; kindly check their tutorial: https://support.us.ovhcloud.com/hc/en-us/articles/360002181530-How-to-Configure-Reverse-DNS
So we edited the reverse DNS and put mail.xxx.com.
We can only edit the IPv4 reverse DNS and not the IPv6; there is no option to edit it.
Will this reverse DNS not cause any problem in the future for our other WordPress sites that run on the same server?
We actually think that setting the reverse DNS to mail.xxx.com may make it impossible for us to correctly set up future mailboxes for the other WordPress sites.
So we did a test after editing the reverse DNS to mail.xxx.com.
The A record was fully propagated already, and as explained, we understand that the reverse DNS is propagated instantly after the setting is put in place.
We still have the same error:
Jan 17 09:28:07 localhost postfix/submission/smtpd: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 42:
The Thunderbird pop-up says:
This site tries to identify itself with invalid information.
The certificate belongs to a different site, which could indicate that someone is trying to impersonate this site.
The certificate is not secure because it is impossible to verify that it was issued by a trusted authority using a secure signature.
(still the same problem)
After this pop-up I can only quit; then a second pop-up appears, which says:
Sending the message failed.
The certificate is not secure because it is self-signed.
The configuration linked to mail.hecten.com must be corrected.
No, the rDNS is for the mail server, not for serving your websites.
Apply this fix: Cannot Send Emails As via Gmail - SSL Certificate Mismatch - #4 by josephgodwinke. Then copy your mail server domain and test it here: SSL Checker. If you get any errors there, report back here.
2/ We still want to use mail.xxx.com because this is the best option if we want to change our mail server later.
So we did your fix again; we issued the mail server SSL certificate for mail.xxx.com again.
We tested: we connected to our email, and when trying to send an email we are blocked by the pop-ups. Still the same problem.
The check from SSL Checker:
We then checked with CheckTLS, because we find it weird that SSL Checker says everything is fine while on our side we still have the problem:
Follow this guide Self Signed SSL Issue · josephgodwinkimani/cyberpanel Wiki · GitHub
rm -f /etc/letsencrypt/live/mail.mydomain.com/privkey.pem && rm -f /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
Could it come from the DNS settings?
we know that the
Maybe it comes from that? We didn't think about it because the error seems to be more at the certificate level than at the DNS record level.
Do you have an A record for mail.xxxx.com?
Yes, we set the A record for mail.xxx.com; it is fully propagated now and points to the server IP, of course.
You are right. Exclude the DNS. Of course disabling TLS on Postfix is out of the question.
Let's take matters into our own hands now. Create a CSR:
cd /etc/postfix/ssl
openssl req -nodes -newkey rsa:2048 -keyout mail.xxx.com.key -out mail.xxx.com.csr
Make sure /etc/postfix/main.cf has our new certificate and key chain, then run
service postfix reload
Edit: the /etc/postfix/ssl folder didn't exist, so we created it with mkdir ssl.
After all that was done, we still have the problem.
nano /etc/postfix/main.cf || vi /etc/postfix/main.cf
Do you see this:
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
Yes, we have exactly these settings.
Post your entire
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
mail_owner = postfix
inet_protocols = all
mydestination = localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
hostname = mail.xxx.com
mynetworks = 127.0.0.0/8
message_size_limit = 30720000
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_cano>
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
inet_interfaces = all
smtp_tls_security_level = may
disable_vrfy_command = yes
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
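One thing worth checking before the "create a CSR, point main.cf at it, service postfix reload" step above is that the material Postfix will actually serve is sane. Note that this main.cf ends with tls_server_sni_maps: when a client such as Thunderbird sends SNI for mail.xxx.com and the map has a matching entry, Postfix serves the key and chain from that entry instead of smtpd_tls_cert_file / smtpd_tls_key_file, and a hash: SNI table is built with postmap -F, which copies the PEM contents into the table, so a certificate renewed on disk is not served until postmap -F is re-run and Postfix reloaded. The script below is an added example, not code from this thread, from CyberPanel or from Postfix; it runs three checks on every entry of an SNI map source file (hostname in the SAN, self-signed issuer, key belonging to the certificate), one per Thunderbird complaint in the thread. The hostnames, file names and the throwaway CA/leaf/self-signed certificates it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from this thread, CyberPanel, or Postfix): check the
# key/certificate pairs listed in a tls_server_sni_maps source file before
# running "postmap -F" and "postfix reload". File names, hostnames and the
# demo material below are constructed for the example.

# Does the first certificate in file $1 carry hostname $2 in its SAN (or CN)?
# Thunderbird's "belongs to a different site" is exactly this check failing.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# Subject identical to issuer: nobody but the certificate vouches for itself.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Compare the SHA-256 of the SubjectPublicKeyInfo from key file $1 and
# certificate file $2; works the same for RSA and ECDSA material.
key_matches_cert() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Walk an SNI map source file ("hostname  file1,file2"; a file may hold the
# key, the certificate chain, or both). Prints one line per entry and returns
# the number of broken entries, so 0 means every entry is sane.
check_sni_map() {
    bad=0
    while read -r host files; do
        case "$host" in ''|'#'*) continue ;; esac
        key=''; cert=''
        for f in $(printf '%s' "$files" | tr ',' ' '); do
            grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null && cert=$f
            grep -q 'PRIVATE KEY' "$f" 2>/dev/null && key=$f
        done
        if [ -z "$cert" ] || [ -z "$key" ]; then status='missing key or certificate'
        elif ! cert_matches_host "$cert" "$host"; then status='name mismatch'
        elif cert_is_self_signed "$cert"; then status='self-signed'
        elif ! key_matches_cert "$key" "$cert"; then status='key does not match certificate'
        else status='ok'
        fi
        printf '%-20s %s\n' "$host" "$status"
        [ "$status" = ok ] || bad=$((bad + 1))
    done < "$1"
    return "$bad"
}

# Constructed demo material: a throwaway CA, a CA-signed ECDSA leaf for
# mail.example.com, a self-signed certificate for the same name, and two map files.
build_demo() {
    d=$1
    ec='ec -pkeyopt ec_paramgen_curve:prime256v1'
    openssl req -x509 -newkey $ec -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey $ec -nodes -subj '/CN=mail.example.com' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:mail.example.com\n' > "$d/leaf.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    openssl req -x509 -newkey $ec -nodes -days 1 -subj '/CN=mail.example.com' \
        -addext 'subjectAltName=DNS:mail.example.com' \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
    printf 'mail.example.com %s,%s\n' "$d/leaf.key" "$d/leaf.pem" > "$d/good.map"
    {
        printf '# stale self-signed cert, wrong host, and key from another cert\n'
        printf 'mail.example.com %s,%s\n' "$d/self.key" "$d/self.pem"
        printf 'other.example.com %s,%s\n' "$d/leaf.key" "$d/leaf.pem"
        printf 'mail.example.com %s,%s\n' "$d/self.key" "$d/leaf.pem"
    } > "$d/bad.map"
}

# Stand-alone run on the constructed material.
demo=$(mktemp -d)
build_demo "$demo"
check_sni_map "$demo/good.map" || true
check_sni_map "$demo/bad.map" || true
rm -rf "$demo"
```

On the real box, run check_sni_map against /etc/postfix/vmail_ssl.map (the source file, not the .db); if every entry is ok, rebuild the table with postmap -F hash:/etc/postfix/vmail_ssl.map and run postfix reload. The same three checks can then be applied to what the server really presents, by saving the certificate printed by openssl s_client -starttls smtp -connect mail.xxx.com:587 -servername mail.xxx.com and feeding it to cert_matches_host and cert_is_self_signed; a mismatch between the map source on disk and what s_client shows means the table or the reload was skipped.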
Looks ok. Let me see another way to fix this
$ /root/.acme.sh/acme.sh --renew --force --ecc --domain mail.xxx.com
$ cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.key /etc/letsencrypt/live/mail.xxx.com/privkey.pem
$ cp /root/.acme.sh/mail.xxx.com/fullchain.cer /etc/letsencrypt/live/mail.xxx.com/fullchain.pem
$ cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.cer /etc/letsencrypt/live/mail.xxx.com/cert.pem
/etc/postfix# /root/.acme.sh/acme.sh --renew --force --domain mail.xxx.com
[Tue 17 Jan 2023 11:32:10 AM UTC] The domain ‘mail.xxx.com’ seems to have a ECC cert already, please add ‘–ecc’ parameter if you want to use that cert.
[Tue 17 Jan 2023 11:32:10 AM UTC] Renew: ‘mail.xxx.com’
[Tue 17 Jan 2023 11:32:10 AM UTC] ‘mail.xxx.com’ is not an issued domain, skip.
/etc/postfix# cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.key /etc/letsencrypt/live/mail.xxx.com/privkey.pem
cp: cannot stat ‘/root/.acme.sh/mail.xxx.com/mail.xxx.com.key’: No such file or directory
I can see mail.xxx.com_ecc with key inside
I forgot it's an ECDSA certificate.
Yes, because nothing was generated; the first command failed.