mail.domain.com not using right certificate

justinkruit (Verified User, joined Nov 3, 2019, 10 messages)
Hello,

I've been looking through a lot of posts now, but haven't been able to find the fix yet. mail.domain.com is using the certificate of server.hosting.com. I've seen that mail_sni should fix this, but I've already got it enabled, and ran the setup for it too just in case. I'm using Let's Encrypt to make my certificates. Also all the right info is in the dovecot config file.

Is there something that I can do to fix this? I would prefer it if my customers could just use their own domain name as server address in their mail.
 
Hi Justin,

I have been messing with this for ages as well. I have resolved most of my issues. Just some webmail.domain.tld's and some mail.domain.tld's keep insisting on the server certificate.
But I believe that's mainly a conf/template file mixup and/or my knowledge lacking.

In your case I believe it can help to read https://directadmin.com/features.php?id=1100
 
Hi,

I am getting the same issue if I check the email with the following tool I get a certificate error.

https://ssl-tools.net/mailservers

Mail is using host certificate instead user certificate.
How do we fix this?

Thanks
 
I am getting this using these commands:

>openssl s_client -showcerts -connect mail.domain.com:465

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = host.domain.com
verify return:1
>openssl s_client -showcerts -servername domain.com -connect domain.com:465
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.com
verify return:1

Any ideas why mail.domain.com is not using the user certificate?
Thanks
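The two openssl runs above differ only in whether an SNI name is sent. The following added script (not from this thread, and not DirectAdmin's own code) automates that comparison: it fetches the leaf certificate with and without SNI, lists the DNS names in its subjectAltName, and reports whether the name the client connects to is actually covered. It assumes the openssl CLI, version 1.1.1 or later (for -noservername and -ext); host and domain names are placeholders.

```shell
#!/bin/sh
# Added example: does the mail server present a certificate that covers the
# name the client connects to, once SNI is sent? Assumes openssl >= 1.1.1.
# Port 465 is implicit TLS; for 587 or 143 pass "smtp" or "imap" as the
# STARTTLS protocol argument.

# fetch_cert HOST PORT [SNI_NAME] [STARTTLS_PROTO]: print the leaf cert (PEM).
# An empty SNI_NAME sends no SNI at all (-noservername).
fetch_cert() {
  host=$1; port=$2; sni=$3; proto=$4
  set -- -connect "$host:$port"
  if [ -n "$sni" ]; then set -- "$@" -servername "$sni"; else set -- "$@" -noservername; fi
  [ -n "$proto" ] && set -- "$@" -starttls "$proto"
  openssl s_client "$@" </dev/null 2>/dev/null | openssl x509 2>/dev/null
}

# cert_dns_names < PEM: list the DNS names in subjectAltName, one per line
cert_dns_names() {
  openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# name_matches NAME SAN...: succeeds if NAME is covered by one of the SANs
# (exact match, or a wildcard that replaces only the leftmost label)
name_matches() {
  name=$1; shift
  for san in "$@"; do
    case $san in
      '*.'*) [ "${name#*.}" = "${san#\*.}" ] && [ "$name" != "${name#*.}" ] && return 0 ;;
      *)     [ "$san" = "$name" ] && return 0 ;;
    esac
  done
  return 1
}

# check_mail_cert HOST PORT NAME [STARTTLS_PROTO]: show the names served with
# and without SNI for NAME; exit 0 only if the SNI certificate covers NAME
check_mail_cert() {
  host=$1; port=$2; name=$3; proto=$4
  with_sni=$(fetch_cert "$host" "$port" "$name" "$proto" | cert_dns_names)
  no_sni=$(fetch_cert "$host" "$port" "" "$proto" | cert_dns_names)
  printf 'without SNI: %s\n' "$(printf '%s ' $no_sni)"
  printf 'with SNI %s: %s\n' "$name" "$(printf '%s ' $with_sni)"
  set -f; set -- $with_sni; set +f     # split SANs into words, no globbing on "*."
  name_matches "$name" "$@"
}

# Usage (placeholder names): check_mail_cert mail.example.com 465 mail.example.com
```

A server that passes with -servername but fails with -noservername is serving the right certificate for SNI-capable clients only, which is the mail_sni behaviour; a failure with -servername means the per-domain certificate is not being selected at all.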
 
You already checked enable_ssl_sni=1 in directadmin.conf? And if most are fine, the specific domain has the "mail" checked for ssl use?
 
Ah yeah, that's correct, I always confuse enable_ssl_sni with mail_sni=1 or is that also enabled by default nowadays?
 
Thank you Marius. But this one has to be present in directadmin.conf I read, because it says the line will be placed in directadmin.conf but the internal default will still be 0.
So this one still needs to be checked if that line is present.
 
Same issue here. The mail.domain always serves the server certificate when visiting it via the browser. When using https://mail.domain:2222, DA correctly serves up the page with the correct SSL cert. enable_ssl_sni and mail_sni are enabled. The thing here is that there is no cert for the root domain, since it's not pointing to our server. But I'm not seeing how that would be an issue. The root domain is the primary domain though, because they use it to manage the DNS.
 
If you want to host a website https://mail.domain - you should create it in DA. If you do not want to host a website under this domain, you don't need a cert for HTTPs, because email clients will use IMAPs/POP3s and SMTPs. HTTPs is not a mail protocol, thus testing https://mail.domain is useless.

 
In the MX record for the domain you could put that hostname as mailserver while it is the mailserver, and set all other settings accordingly also.

That is the solution as it is and long has been; all others are some kind of virtual things, as you know you have only one mailserver, right?

But ok, you can have mail per domain and settings and certs for that; reverse DNS is (should be), however, if no extra IPs, always that one mailserver / or hostname resolving.
 
We also use mail.domain.com for every domain since we use DA, not the hostname, and that works perfectly, without needing separate IPs or rDNS for it. Since SSL is on our systems, it also works with SSL.

However, does ssl-tools.net check correctly?

*.mydomain.nl
  • -55 days remaining
while DA and sslcheck say it's good until February 2021. So that's odd anyway.

But it's like smtalk says, mail uses ssl, not https.
 
An advantage of using mail.domain.com over the hostname is that your customers don't have to change their mail client settings each time you migrate an account from one server to another.
 