The domain name of at least one of your mail servers does not match the domain name

Awd (Verified User, joined Aug 9, 2015, 316 messages)
Hi,

I have a server with multiple domains. Checking email I get this message:
The domain name of at least one of your mail servers does not match the domain name on the mail server certificate.

Servername: server.domain.com
example domain: hellothere.com

I found (maybe) this solution: https://www.directadmin.com/features.php?id=2019

Is that the solution? Only for new domains or also existing domain/ssl?
Or am I wrong and is there something else I can do?

Kind regards,
Fred
 
Hello,

Yes, mail_sni might be a solution for your case. Please feel free to try it and let us know your results.
 
Hi Alex,

Thank you for your answer. Just to be sure (it is an online server with many domains): if I try it and it goes wrong, how can I reverse it?
By setting mail-sni back to zero (0) in directadmin.conf and then rebuild exim and dovecot?

Kind regards, Fred
 
Fred,

Well, I can hardly even guess what can go wrong. The only two possible issues that might occur:

- outdated dovecot which won't start with new configs. If this is the case you will need to rebuild dovecot.
- outdated exim which won't start with exim.conf 4.5. If this is the case you will need to rebuild exim.

In any of these cases you won't roll back by setting mail_sni to 0, and you will still need to rebuild exim/dovecot.

There is nothing else that comes to my mind.
 
Alex,

I did the necessary steps; in SSL Let's Encrypt I can now select all other domains, but not the server hostname (server.domain.com).
Any idea? Can I add it manually somewhere?

Kind regards, Fred
 
For a cert for hostname you should run a shell command as root:

Code:
/usr/local/directadmin/scripts/letsencrypt.sh request $(hostname)
 
Yes I know. The server hostname has an SSL certificate. The "problem" is that when testing I get a message:
Unmatched domains on certificate (it is not a big thing, but just wondering if there is an easy fix).
See this test result: https://internet.nl/mail/trailfun.nl/51130/
 
Yes I did.

It seems that it does not add all domains, only user-domain related ones.
 
What do you see when you run:

Code:
grep ^tls_ /etc/exim.variables.conf
?

Code:
cat /etc/virtual/snidomains
?

Code:
ls -la /etc/dovecot/conf/sni/
?
 
Code:
[root@server ~]# grep ^tls_ /etc/exim.variables.conf
tls_certificate=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/etc/exim.cert}}}{/etc/exim.cert}}}{/etc/exim.cert}}
tls_privatekey=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/etc/exim.key}}}{/etc/exim.key}}}{/etc/exim.key}}
tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
[root@server ~]#

With the two other codes I see all domains on the server listed (www and conf.).
 
Sorry no difference at all, restarted and rebuilt both.
 
OK, you might need to reissue your certs to include mail. subdomain, i.e. you need a cert for a name of your MX record.
 
Okay, but I can't select the name of the mail server on user or reseller domains, and for the (admin) server domain (server.domain.com) I can't select the name of the mail server (each domain has a different mail server name: mail.domain.com, mail.domain1.com etc.).
So when I reissue a certificate it will be the same. I did one for testing, but no difference.

Kind regards, Fred
 
Maybe I don't understand it, but I did create a cert with www. and mail. The problem is that it keeps showing a message that there is an unmatched domain. See this example: in this example the mail is from mail.domain.com. The server hostname is server.domain.nl

Technical details:
Code:
Mail server (MX)	Unmatched domains on certificate

mail.domain.com.	server.domain.nl
…	                ['ftp.server.domain.nl', 'mail.server.domain.nl', 'pop.server.domain.nl', 'server.domain.nl', 'smtp.server.domain.nl', 'www.server.domain.nl']

Sorry that I can't explain it better.

Kind regards, Fred
 
Fred,

The cert for trail**fun.nl:

- Common name: trail**fun.nl
- SANs: trail**fun.nl, www.trail**fun.nl
- Valid from November 3, 2017 to February 1, 2018
- Serial Number: 031b928b75bd*****e6aba634a2f917ec6f8
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: Let's Encrypt Authority X3


and it's missing mail.trail**fun.nl.

You need to reissue the cert with mail.trail**fun.nl.
 
Hi Alex,

I did, but there is no difference. The problem seems to be that the mail server is picking the SSL from the hostname (server.domain.com), and this SSL only has a cert for the hostname (mail.server.domain.nl, ftp.server.domain.nl, etc.).

Code:
Mail server (MX)	Unmatched domains on certificate

mail.domain.com.	server.domain.nl
…	                ['ftp.server.domain.nl', 'mail.server.domain.nl', 'pop.server.domain.nl', 'server.domain.nl', 'smtp.server.domain.nl', 'www.server.domain.nl']

Kind regards, Fred
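As an added illustration (not code from this thread or from DirectAdmin), the Python sketch below mirrors the tls_certificate expansion quoted earlier in the thread: the per-user cert is served only when the SNI name is found in /etc/virtual/snidomains and that cert file exists; in every other case Exim falls back to /etc/exim.cert, the hostname cert, which is exactly what the internet.nl result shows. The snidomains layout (name:user:domain, inferred from the extract{1}/extract{2} calls), the file set and the SAN lists are constructed assumptions, and the nwildlsearch emulation is simplified to plain names and '*' globs.

```python
import fnmatch

# Constructed sample of /etc/virtual/snidomains; "name:user:domain" layout is
# inferred from the extract{1}{:} / extract{2}{:} calls in the tls_certificate expansion.
SNIDOMAINS = """\
domain.com:fred:domain.com
www.domain.com:fred:domain.com
mail.domain.com:fred:domain.com
"""

USER_CERT = "/usr/local/directadmin/data/users/fred/domains/domain.com.cert.combined"

# Constructed stand-in for Exim's ${if exists{...}} checks: files present on disk.
EXISTING_FILES = {"/etc/virtual/snidomains", USER_CERT, "/etc/exim.cert"}

# Constructed SAN lists: user cert issued for bare + www only, hostname cert as reported.
CERT_SANS = {
    USER_CERT: {"domain.com", "www.domain.com"},
    "/etc/exim.cert": {"server.domain.nl", "mail.server.domain.nl", "www.server.domain.nl"},
}


def wild_lookup(key, table):
    """Simplified nwildlsearch: value of the first line whose key (plain name or
    '*' glob) matches the SNI name, or None when no line matches."""
    for line in table.splitlines():
        if ":" not in line:
            continue
        pattern, value = line.split(":", 1)
        if fnmatch.fnmatchcase(key.lower(), pattern.lower()):
            return value
    return None


def resolve_cert(sni, snidomains=SNIDOMAINS, files=EXISTING_FILES):
    """Cert path Exim would serve for this SNI: per-domain cert when listed and
    present on disk, otherwise the /etc/exim.cert fallback (the hostname cert)."""
    if "/etc/virtual/snidomains" not in files:
        return "/etc/exim.cert"
    value = wild_lookup(sni, snidomains)
    if value is None:
        return "/etc/exim.cert"
    user, domain = value.split(":")[:2]
    path = f"/usr/local/directadmin/data/users/{user}/domains/{domain}.cert.combined"
    return path if path in files else "/etc/exim.cert"


def check_mx(mx_name, cert_sans=CERT_SANS):
    """(cert Exim serves for the MX name, whether that cert's SANs cover the name)."""
    cert = resolve_cert(mx_name)
    return cert, mx_name in cert_sans.get(cert, set())
```

Running check_mx("mail.domain.com") against the constructed data reproduces the thread's symptom (the right cert is chosen but lacks the mail. name), and a name missing from snidomains falls back to the hostname cert.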
 