Apple device mail warns about trust for mail server LE SSL cert

cDGo

Hi,

We have one user who gets his email on a Mac-like device (iPad or Mac).
When connecting to his mail server he gets a warning about the certificate.
It shows that the certificate is for the server hostname, and not the one of the user.
On other non-Apple devices it doesn't give this warning.

What could be wrong?
 
- Do you use Let's Encrypt for hostname?
- Do you use "mail_sni"?
- Is the user connecting to mail.*hisdomain.test*?
- Does the user have a valid mail.* certificate?
 
Hi,

LE SSL for hostname server => yes
LE SSL for hostname user => yes
LE SSL for user's mail => yes
LE SSL for user's smtp => yes
User is connecting to mail.hisdomain.tld

Part of da.conf:
SSL=1
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
letsencrypt=1
enable_ssl_sni=1
carootcert=/usr/local/directadmin/conf/carootcert.pem
force_hostname=subdomain.hostname.tld
ssl_redirect_host=subdomain.hostname.tld

mail_sni:
I've found this link: https://www.directadmin.com/features.php?id=2019
But I'm not sure if I can install it safely without breaking other email functionality.
 
Hello,

You should enable mail SNI in directadmin and install individual certs with mail. subdomain included.
 
Hi,

I enabled mail_sni, but can't select the mail.serverhostname. It is not in the list, only the (other) domains that are created under this user. Is this correct or do I understand it wrong?

I read it as follows: enable
mail.domain.com
pop.domain.com
smtp.domain.com
mail.serverhostname.com (but this one is not in the list).

Best regards,
Laura
 
A user can select only domains which he/she owns (i.e. added under a user account).

The server wide cert with names based on serverhostname should be installed from root console.
 
Yes, I am aware of that.
I have enabled mail SNI in directadmin and installed individual certs with mail.domain.com included.

But when you said "and install individual certs with mail. subdomain included" I thought you meant that the server hostname (in the example above mail.subdomain) also could be selected.

The "problem" is when checking the certificate I get this warning:
Outgoing mail certificate name mismatches.

Technical details:
Mail server (MX): mail.domain.com.

Unmatched domains on certificate
server.hostname.com
… ['ftp.server.hostname.com', 'mail.server.hostname.com', 'pop.server.hostname.com', 'server.hostname.com', 'smtp.server.hostname.com', 'www.server.hostname.com']

Is there any way to avoid this?
 
Where and how do you get "Outgoing mail certificate name mismatches."? More details please.
 
That error code is from the https://internet.nl email test. Maybe they don't test for SNI settings? I have the same result there with mail_sni enabled, but it is working perfectly so I think you can ignore that.
 
Are you the three persons facing the same issues, or you have multiple accounts here? :D

The suggested site DOES NOT support mail SNI, I've tested it with my domain:

https://internet.nl/mail/poralix.com/116955/ (the domain is configured to use individual IP, probably that's why a valid cert was detected)

so they CAN NOT detect a valid cert in SMTP when mail SNI is used.
 
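An added check, not from this thread or from DirectAdmin: connect to the mail host with STARTTLS, offer (or omit) the mail name as SNI, and apply a dNSName match to the certificate that comes back. The `smtp_starttls_sans` and `name_matches` helpers are mine; the `HOSTNAME_CERT_SANS` list is copied from the internet.nl output quoted above and only drives the offline check.

```python
import socket
import ssl

# SAN list quoted from the internet.nl output above: the server-hostname cert
# that was presented instead of the per-domain mail.domain.com cert.
HOSTNAME_CERT_SANS = ["ftp.server.hostname.com", "mail.server.hostname.com",
                      "pop.server.hostname.com", "server.hostname.com",
                      "smtp.server.hostname.com", "www.server.hostname.com"]


def name_matches(hostname, san_names):
    """RFC 6125 style dNSName match: exact, or one leftmost wildcard label."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        pattern = san.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue
        if pattern == host:
            return True
        # "*.domain.com" matches mail.domain.com but not a.b.domain.com
        if pattern[0] == "*" and len(pattern) > 2 and pattern[1:] == host[1:]:
            return True
    return False


def unmatched_for_mx(mx_host, san_names):
    """Mirror the 'Unmatched domains on certificate' verdict: [] means OK."""
    return [] if name_matches(mx_host, san_names) else list(san_names)


def smtp_starttls_sans(host, port=25, sni=None, timeout=10):
    """STARTTLS to host:port, offering `sni` (None = no SNI, what a checker
    without mail-SNI support does), and return the DNS SANs of the cert the
    server presents. The chain must still validate against the system CAs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name match is done by name_matches() instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")

        def reply():  # read a full (possibly multi-line) SMTP reply
            while True:
                line = reader.readline()
                if not line or line[3:4] != b"-":
                    return line
        reply()
        sock.sendall(b"EHLO sni-check.invalid\r\n"); reply()
        sock.sendall(b"STARTTLS\r\n")
        if not reply().startswith(b"220"):
            raise RuntimeError("server refused STARTTLS")
        tls = ctx.wrap_socket(sock, server_hostname=sni)
        cert = tls.getpeercert()
        tls.close()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
```

Run it twice against your own server, once with `sni="mail.domain.com"` and once with `sni=None`, and pass each result to `unmatched_for_mx`: a server that is correct under SNI but falls back to the hostname cert without it is exactly the case an SNI-unaware checker reports as a mismatch.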
Are you the three persons facing the same issues, or you have multiple accounts here?

I see it's getting confusing now with two people / problems in the same thread :p And no I am not one of them;), I just recognized the error code from post #7 because I used that service yesterday.
 
The fact that you installed and/or enabled mail sni does not mean you will have no issues with SSL certs for existing domains. You need to create certs... so here are possible reasons:

- mail sni is not installed for 100%
- a missing cert
- outdated software: openssl, exim, etc.

Check your installation per this help article: https://www.directadmin.com/features.php?id=2019
 
Thank you for your answer.
I was pretty sure that I installed everything as I should. To be 100% sure I repeated all steps, but unfortunately with the same result:
Unmatched domains on certificate
 
Kindly provide as many details as possible here, including outputs of shell commands from the guide, or hire somebody to investigate and fix it for you; I don't know what else can be suggested here.
 
I see the same warning with email mismatch on every DA server of mine. Any chance you could check another email on a different server of yours?
 
I've corrected my post #10, the service does not support mail SNI at the moment, so it's not reliable for using.
 