TLS Library problem alert 42 - domain name does not match the server certificate - cyberpanel

On OVH we have a tab where we can add what they call “Secondary DNS”

Screenshot (by Lightshot), translated:

Add a domain

Add a secondary DNS to your dedicated server:

IP

Domain

Is that the rDNS PTR?

This is service-provider specific; kindly check their tutorial: https://support.us.ovhcloud.com/hc/en-us/articles/360002181530-How-to-Configure-Reverse-DNS


Thanks,

So we edit the reverse DNS and we put mail.xxx.com

We can only edit the IPv4 reverse DNS and not the IPv6; there is no option to edit it.

Will this reverse DNS not cause any problem in the future for our other WordPress sites that run on the same server?

We will install more mailboxes later for other domains, so mail.xxx.com is the first install, but there will be mail.xxx2.com, mail.xxx3.com and mail.xxx4.com.

We actually think that setting the reverse DNS to mail.xxx.com may make it impossible to correctly install the future mailboxes for the other WordPress sites.

Testing:

So we did a test after editing the reverse DNS to mail.xxx.com.
The A record was already fully propagated, and as explained we understand that the reverse DNS is propagated instantly once the setting is in place.

We still have the same error:
Jan 17 09:28:07 localhost postfix/submission/smtpd[727258]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 42:

The Thunderbird pop-up says:
This site tries to identify itself with invalid information.

Wrong site

The certificate belongs to a different site, which could indicate that someone is trying to impersonate this site.

Unknown identity

The certificate is not secure because it is impossible to verify that it was issued by a trusted authority using a secure signature.

(still the same problem)

After this pop-up I can only quit; then a second pop-up appears, which says:

Sending the message failed.
The certificate is not secure because it is self-signed.
The configuration linked to mail.hecten.com must be corrected.

No, the rDNS is for the mail server, not to serve your websites.

Apply this fix: Cannot Send Emails As via Gmail - SSL Certificate Mismatch - #4 by josephgodwinke, then copy your mail server domain and test it here: SSL Checker. If you get any errors there, report back here.


1/ We tested with the domain name xxx.com instead of mail.xxx.com and it works, no problem at all.

2/ We still want to use mail.xxx.com because this is the best option if we want to change our mail server later.

So we applied your fix again: we issued the mail server SSL for mail.xxx.com again.
We tested, connected to our email, and when trying to send an email we are blocked by the pop-ups. Still the same problem.

The result of the SSL checker:

We then checked with Check TLS, because we found it weird that the SSL checker says everything is fine while on our side we still have the problem:

Follow this guide: Self Signed SSL Issue · josephgodwinkimani/cyberpanel Wiki · GitHub

Instead of mydomain.com use mail.mydomain.com, e.g.

rm -f /etc/letsencrypt/live/mail.mydomain.com/privkey.pem && rm -f /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem

Skip this part: Self Signed SSL Issue · josephgodwinkimani/cyberpanel Wiki · GitHub, and do Cannot Send Emails As via Gmail - SSL Certificate Mismatch - #4 by josephgodwinke


We deleted the files in mail.xxx.com and issued the mail server SSL again for mail.xxx.com, and we still have the same problem.

Could it come from the DNS settings?

We know that the
default._domainkey.
_domainkey.
_dmarc.

records are all set on xxx.com and not for mail.xxx.com.

Maybe it comes from that? We didn't think about it because the error seems to be at the certificate level rather than at the DNS record level.

Thanks

Do you have an A record for mail.xxxx.com?


Yes, we set the A record for mail.xxx.com; it is fully propagated now and points to the server IP, of course.

You are right. Exclude the DNS. Of course, disabling TLS on Postfix is out of the question.

Let's take matters into our own hands now. Create a CSR:

cd /etc/postfix/ssl
openssl req -nodes -newkey rsa:2048 -keyout mail.xxx.com.key -out mail.xxx.com.csr

Confirm that /etc/postfix/main.cf points to our new certificate and key chain, and run service postfix reload.

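The "Wrong site" pop-up above is the client-side view of the server's "sslv3 alert bad certificate ... SSL alert number 42" log line: Thunderbird verified the certificate presented on STARTTLS, found it not valid for the name it connected to (or not issued by a trusted CA), and sent the bad_certificate alert, which Postfix then logged. The following script is an added example for this thread, not CyberPanel's code and not the poster's. It repeats the client's check: the `probe_submission` function does EHLO and STARTTLS against a submission server with the same verification a mail client applies and returns the OpenSSL reason on failure; the `cert_matches_host` function holds a simplified RFC 6125 hostname match (dNSName SANs, CN only as a fallback, wildcard limited to the leftmost label) so the matching rule itself can be exercised offline on constructed certificate dicts. The host names and sample certificates are constructed.

```python
"""Reproduce the mail client's certificate-name check against a submission server.

Added example for this thread; not CyberPanel's code and not the poster's.
The names and the sample certificate dicts used with it are constructed.
"""
import smtplib
import ssl
import sys
from typing import Dict, List


def dns_names(cert: Dict) -> List[str]:
    """Names a certificate is valid for, given the dict shape returned by
    ssl.SSLSocket.getpeercert(): dNSName SANs, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    # Clients ignore the CN as soon as any dNSName SAN exists (RFC 6125 6.4.4),
    # so the CN is only consulted when the certificate carries no DNS SAN.
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison; '*' may only stand for the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*.xxx.com' covers 'mail.xxx.com' but neither 'xxx.com' nor 'a.b.xxx.com'.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: Dict, hostname: str) -> bool:
    """True when the certificate covers the name the client connected to."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def probe_submission(host: str, port: int = 587) -> Dict[str, object]:
    """Live check (needs network): EHLO, then STARTTLS with full verification,
    i.e. trusted chain plus hostname, exactly what a mail client enforces."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    try:
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)  # server_hostname is taken from `host`
            cert = smtp.sock.getpeercert()
            return {"ok": True, "names": dns_names(cert),
                    "matches": cert_matches_host(cert, host)}
    except ssl.SSLCertVerificationError as exc:
        # The reason here (self-signed certificate, hostname mismatch, ...) is
        # what the client shows; the server side only logs the resulting alert 42.
        return {"ok": False, "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Usage: python3 probe.py mail.xxx.com   (hostname is a constructed placeholder)
    print(probe_submission(sys.argv[1] if len(sys.argv) > 1 else "mail.xxx.com"))
```

Run it with the exact name configured in the mail client (mail.xxx.com here), because that is the name sent as SNI and compared against the SAN; a certificate that is fine for xxx.com will still fail this check for mail.xxx.com, which is the difference between points 1/ and 2/ above.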

Done.
The /etc/postfix/ssl folder didn't exist, so we created it with mkdir ssl.

After everything was done, we still have the problem.

nano /etc/postfix/main.cf || vi /etc/postfix/main.cf

Do you see this:

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

Yes, we have exactly these settings.

Post your entire /etc/postfix/main.cf here.

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
mail_owner = postfix
inet_protocols = all
mydestination = localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

hostname = mail.xxx.com
mynetworks = 127.0.0.0/8
message_size_limit = 30720000
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_cano>
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
inet_interfaces = all
smtp_tls_security_level = may
disable_vrfy_command = yes
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
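One line in this main.cf matters for the name problem: with tls_server_sni_maps set, the certificate from smtpd_tls_cert_file/smtpd_tls_key_file is only the fallback; when the client sends an SNI name (Thunderbird sends the host it was configured with), Postfix looks that name up in the map and serves the key and chain files listed there. The script below is an added example for this thread, not CyberPanel's code and not the poster's, showing which files that lookup selects for a given client name. The map contents are constructed (the real /etc/postfix/vmail_ssl.map is not shown on the page), and the lookup order, exact name first and then parent domains with a leading dot, is my reading of postconf(5) for tls_server_sni_maps; check the postconf(5) shipped with your Postfix version.

```python
"""Resolve which key/certificate files Postfix would pick for a client's SNI name.

Added example for this thread; not CyberPanel's code and not the poster's.
SAMPLE_MAP is a constructed stand-in for the postmap source of
hash:/etc/postfix/vmail_ssl.map, and the parent-domain lookup order is my
reading of postconf(5), to be checked against your Postfix version.
"""
from typing import Dict, List, Optional, Tuple

# Constructed map source. Each value is a list of PEM files; the first one must
# hold the private key, the rest the certificate chain.
SAMPLE_MAP = """
# SNI name        key file                                          chain file
mail.xxx.com      /etc/letsencrypt/live/mail.xxx.com/privkey.pem    /etc/letsencrypt/live/mail.xxx.com/fullchain.pem
.xxx.com          /etc/letsencrypt/live/xxx.com/privkey.pem         /etc/letsencrypt/live/xxx.com/fullchain.pem
"""

# What the main.cf on the page falls back to when no map entry matches.
DEFAULT_CERT_FILES = ["/etc/pki/dovecot/private/dovecot.pem",
                      "/etc/pki/dovecot/certs/dovecot.pem"]


def parse_sni_map(text: str) -> Dict[str, List[str]]:
    """Parse postmap source format: one 'key value ...' per line, '#' comments."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *files = line.replace(",", " ").split()
        table[key.lower()] = files
    return table


def resolve_sni(table: Dict[str, List[str]], sni_name: str) -> Tuple[Optional[str], List[str]]:
    """Return (matched key, PEM files). The key is None when no entry matches,
    in which case Postfix serves smtpd_tls_cert_file / smtpd_tls_key_file."""
    name = sni_name.lower().rstrip(".")
    if name in table:
        return name, table[name]
    labels = name.split(".")
    # Parent-domain fallback: 'mail.xxx.com' -> '.xxx.com' -> '.com'.
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return parent, table[parent]
    return None, DEFAULT_CERT_FILES


if __name__ == "__main__":
    table = parse_sni_map(SAMPLE_MAP)
    for client_name in ("mail.xxx.com", "imap.xxx.com", "mail.xxx2.com"):
        key, files = resolve_sni(table, client_name)
        print(f"{client_name:14} -> {key or 'smtpd_tls_cert_file'}: {' '.join(files)}")
```

Two things follow from this for the thread's symptom. First, the certificate Postfix serves for mail.xxx.com is whatever the map entry for that name (or for .xxx.com) points at, not necessarily dovecot.pem, so re-issuing files for one name without a matching entry changes nothing the client sees. Second, if the map was built with `postmap -F` (which copies the PEM file contents into the .db instead of storing file names), the .db keeps the certificate captured at build time, so after re-issuing you have to run `postmap -F hash:/etc/postfix/vmail_ssl.map` again and reload Postfix; that is my understanding of postconf(5), so confirm it against your version.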

Looks OK. Let me see another way to fix this.

$ /root/.acme.sh/acme.sh --renew --force --ecc --domain mail.xxx.com
$ cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.key /etc/letsencrypt/live/mail.xxx.com/privkey.pem
$ cp /root/.acme.sh/mail.xxx.com/fullchain.cer /etc/letsencrypt/live/mail.xxx.com/fullchain.pem
$ cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.cer /etc/letsencrypt/live/mail.xxx.com/cert.pem


/etc/postfix# /root/.acme.sh/acme.sh --renew --force --domain mail.xxx.com
[Tue 17 Jan 2023 11:32:10 AM UTC] The domain ‘mail.xxx.com’ seems to have a ECC cert already, please add ‘–ecc’ parameter if you want to use that cert.
[Tue 17 Jan 2023 11:32:10 AM UTC] Renew: ‘mail.xxx.com’
[Tue 17 Jan 2023 11:32:10 AM UTC] ‘mail.xxx.com’ is not an issued domain, skip.

/etc/postfix# cp /root/.acme.sh/mail.xxx.com/mail.xxx.com.key /etc/letsencrypt/live/mail.xxx.com/privkey.pem
cp: cannot stat ‘/root/.acme.sh/mail.xxx.com/mail.xxx.com.key’: No such file or directory

/.acme.sh# ls
I can see mail.xxx.com_ecc with the key inside.

I forgot it's an ECDSA certificate.

Yes, because nothing was generated; the first command failed.


Just to add this remark:

From this post TLS Library problem alert 42 - domain name does not match the server certificate - cyberpanel - #14 by EcomNextGen

I tested again with the IMAP settings on xxx.com instead of mail.xxx.com,
and the same for SMTP.

This is not working on xxx.com now either; before it was working, now it isn't anymore. Maybe some change made earlier is responsible for this.

Just to inform you in case it can help.