SSL warning when adding mail account

florius (Verified User, joined Jul 17, 2018, 5 messages)
Hi,

I'm currently using a Let's Encrypt certificate (not that it should matter in this case, I think).
When adding a new mail account to my Thunderbird I get the warning that the hostname doesn't match the SSL certificate.

This makes sense, the SSL certificate is on the hostname, internal-01.example.com.
However when adding a mail account you use a domain such as mail.example.com.
But I get the same error when adding an account for mail.exampleotherdomain.com: it doesn't match internal-01.example.com.

This seems rather wrong, is there any way to solve the warning message so Exim/Dovecot does it correctly?

Thanks.
 
You say you are using Let's Encrypt SSL certificates.
Did you also enable "mail_sni=1" in directadmin.conf and also create an SSL certificate for mail.exampleotherdomain.com?

Still, in some cases the notice might appear, because mail.xxxxx.com is in fact not a hostname. I might test this later on; I only have Thunderbird on another computer.

You can check if things are in good order here:
https://www.sslshopper.com/ssl-checker.html

Be aware! For a good check of the mail SSL you need to use the port number too; for example, do NOT use mail.exampledomain.com but use mail.example.com:465 (or 587, depending on what you use) to do the check.
 
Hi Richard G, thanks for helping me out.

I didn't have a certificate, I have now and it works,

However I have another customer with 200+ accounts, and all his clients get the same message.
Would the only way to fix this be getting a Let's Encrypt SSL on all mail.example.com domains?
That's a hell of a lot of work...

No 'easier' fix?

Thank you.
 
Nowadays there is a wildcard option.
I presume there is an easier way, but I don't know how.

Did your customer with the 200+ accounts already have an SSL certificate for all his domains? If not, then maybe something like this might be of help:
https://help.directadmin.com/item.php?id=675

If he already has, there might be some other method like an SSH command-line option for it, but I'm not sure about that.
Hopefully SMTalk or zEitEr can answer that for you. Or you could also send in a ticket for that question and share the solution here later.
 
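The two questions in this thread (why Thunderbird complains that mail.exampleotherdomain.com does not match a certificate issued for internal-01.example.com, and whether a wildcard certificate would cover the 200+ mail.* names) both come down to the hostname-matching rule a mail client applies to the server certificate. The script below is an added example, not code from the thread, DirectAdmin, Exim or Dovecot. It implements that rule (exact DNS SAN match, a wildcard only in the leftmost label, CN used only when the certificate has no DNS SANs) against constructed sample certificates in the dict form Python's `ssl` module returns, and it also fetches the live certificate from a mail server on port 465, 587 or 993 with SNI set the way a client does, so the check is done with the port number as the reply above recommends. The host names, the two sample certificates and the `fetch_mail_cert` helper are assumptions for illustration.

```python
"""Check whether a mail server's TLS certificate covers the hostname clients use.

Added example; assumes nothing about the thread's real servers.  The two sample
certificates below are constructed to mirror the situations described in the
thread: a cert issued for the machine hostname only, and a wildcard cert.
"""
import imaplib
import smtplib
import ssl
import sys

# Constructed sample certificates, in the dict layout ssl.SSLSocket.getpeercert() uses.
HOSTNAME_CERT = {  # Let's Encrypt cert for the server's own hostname only
    "subject": ((("commonName", "internal-01.example.com"),),),
    "subjectAltName": (("DNS", "internal-01.example.com"),),
}
WILDCARD_CERT = {  # wildcard cert for one customer domain
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}


def cert_names(cert):
    """Names the certificate is valid for: DNS SANs, or the CN only if there are no DNS SANs."""
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # RFC 6125: fall back to the subject CN only when no DNS SAN is present
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    return names


def _pattern_matches(pattern, hostname):
    """Exact match, or a wildcard that replaces exactly the leftmost label."""
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    head, sep, rest = hostname.partition(".")
    # '*.example.com' covers 'mail.example.com' but not 'example.com',
    # 'imap.mail.example.com' or 'mail.exampleotherdomain.com'
    return bool(sep) and head != "" and rest == pattern[2:]


def hostname_matches(hostname, cert):
    """True if a mail client would accept cert for hostname without a mismatch warning."""
    hostname = hostname.lower().rstrip(".")
    return any(_pattern_matches(p, hostname) for p in cert_names(cert))


def check_hostnames(cert, hostnames):
    """Map each client-facing hostname to whether the certificate covers it."""
    return {h: hostname_matches(h, cert) for h in hostnames}


def fetch_mail_cert(host, port, timeout=10):
    """Connect like a mail client (SNI = host) and return the peer certificate dict.

    465 = SMTPS, 587 = SMTP submission with STARTTLS, 993 = IMAPS.  The chain is
    still validated; only the hostname comparison is left to hostname_matches()
    so a mismatch is reported instead of raised.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as smtp:
            return smtp.sock.getpeercert()
    if port == 993:
        imap = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
        try:
            return imap.sock.getpeercert()
        finally:
            imap.logout()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    # usage: python check_mail_cert.py mail.example.com 465
    host, port = sys.argv[1], int(sys.argv[2])
    cert = fetch_mail_cert(host, port)
    print("certificate names:", cert_names(cert))
    print("covers", host, "->", hostname_matches(host, cert))
```

Run against a real server as `python check_mail_cert.py mail.example.com 465` (or 587 / 993). A `False` result for the name clients type in is exactly the warning Thunderbird shows; with a wildcard certificate the check passes for every `mail.<domain>` under that one domain, but, as the offline cases show, not for a second domain such as mail.exampleotherdomain.com, which still needs its own certificate (or SNI with a per-domain certificate).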