Gmail TLS negotiation failed error

mathgeek

Verified User
Joined
Feb 4, 2020
Messages
8
Hi

It's possible that this question has been asked before, but I couldn't find it by Googling the problem and adding Direct Admin at the end of my search query.

So, previously I could set up email addresses on my server in gmail without any issue. I used Port 587 using TLS for sending emails and Port 995 for receiving emails with SSL on as explained here on this DA help page. Nowadays Google throws an error saying that Server returned error: "TLS Negotiation failed, the certificate doesn't match the host., code: 0". People on the internet say that this is a recent issue and it is because Google is using stricter security measures for certificate verification.

Is it possible to do something to make my server work with gmail as expected? I'm using a CentOS 7.5 VPS with DirectAdmin version 1.61.0 installed on it.

Edit: I think I have realized what is causing the problem. I use mail.clientdomain.com to set up my email accounts on gmail, but when I go to https://mail.clientdomain.com in a browser like Chrome or Firefox, it points to an SSL certificate for server.serverdomain.com (which is my hostname and the value of servername in my directadmin.conf). So, the question is: How can I set up exim and dovecot to use the correct SSL certificates for each user? Is that even possible?

Richard G

Verified User
Joined
Jul 6, 2008
Messages
5,004
Location
Maastricht
To begin with, I have the same going to https://mail.clientdomain.com but it seems normal to me as this is not a subdomain or http website but only used for mail. I could be wrong though. ;)
But in my case I also get the same screen and not a good locker.

I don't know what you have done so far, but you can use this after you installed letsencrypt by ./build letsencrypt in the custombuild dir:

Then you also have to check that your directadmin.conf contains
letsencrypt=1
ssl=1
mail_sni=1
enable_ssl_sni=1
Do not forget to restart directadmin after having made the changes.

If done, check that you have created certificates for mail and pop and smtp too or if you run your own nameservers use a wildcard certificate.

If still not working try this:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build exim
./build exim_conf
./build dovecot
./build dovecot_conf
and try again.

I don't have any issues with users sending mail to Gmail with the DA setup and using mail.clientdomain.com for outgoing mail.
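
A quick way to see which certificate a mail server actually offers for a given name, added here as an example and not code from the thread or from DirectAdmin: the first function does the subjectAltName check a client performs (exact or single-label wildcard, so a wildcard certificate as suggested above covers mail.clientdomain.com), tested against two constructed certificate dicts shaped like ssl's getpeercert() output; the second connects with SNI the way Gmail would (STARTTLS on 587, implicit TLS on 995) and reports the mismatch instead of a vague "TLS Negotiation failed". The hostnames are the thread's placeholders.

```python
import socket
import ssl

# Constructed sample certificates in ssl.SSLSocket.getpeercert() shape
# (assumption: only the DNS subjectAltName entries matter for the host check).
HOSTNAME_CERT = {"subjectAltName": (("DNS", "server.serverdomain.com"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "clientdomain.com"),
                                    ("DNS", "*.clientdomain.com"))}


def san_matches(cert: dict, hostname: str) -> bool:
    """True if a DNS SAN covers hostname: exact, or a single leading
    wildcard label (RFC 6125 style), so *.clientdomain.com covers
    mail.clientdomain.com but not a.b.clientdomain.com."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            labels = host.split(".")
            if len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]:
                return True
    return False


def probe_mail_tls(hostname: str, port: int, timeout: float = 10.0) -> dict:
    """Connect like a mail client (SNI = hostname) and report the result.
    Port 587 needs STARTTLS first; port 995 speaks TLS from the start.
    Without mail_sni the server returns its default (hostname) certificate
    and verification fails with the same mismatch Gmail reports."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        if port == 587:
            raw.recv(1024)                        # 220 greeting
            raw.sendall(b"EHLO probe.example\r\n")
            raw.recv(4096)                        # 250 capabilities
            raw.sendall(b"STARTTLS\r\n")
            if not raw.recv(1024).startswith(b"220"):
                return {"ok": False, "reason": "server refused STARTTLS"}
        try:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        except ssl.SSLCertVerificationError as exc:
            return {"ok": False, "reason": str(exc)}
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"ok": True, "sans": sans}
```

Run probe_mail_tls("mail.clientdomain.com", 995) and 587 after the rebuild; a "reason" mentioning server.serverdomain.com means the SNI certificate is still not being served.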

mathgeek

Verified User
Joined
Feb 4, 2020
Messages
8
Thanks, Richard. It worked. I had to rebuild dovecot and exim, I guess. But there's still an issue:

I had done everything like you said (building SSL certificates for all subdomains using letsencrypt) except that I hadn't rebuilt exim and dovecot.

So, now I'm thinking that if the SSL certificates expire and get renewed automatically, will I have to rebuild dovecot and exim? Well, probably not since they will be replaced at the same address as before, but what if a user adds a new SSL certificate? I mean a user that didn't have SSL certificates previously. Will I need to rebuild dovecot and exim then? Because users can't do that on their own obviously.

Richard G

Verified User
Joined
Jul 6, 2008
Messages
5,004
Location
Maastricht
So, now I'm thinking that if the SSL certificates expire and get renewed automatically, will I have to rebuild dovecot and exim?
Normally not. Mostly in the beginning when LS is installed it needs to be done. After that, if all settings are correct (which they seem to be now), new domains are automatically processed. Also updates are no issue anymore, so you normally do not have to build them again.

Same for your question, if the user changes or adds ssl, it's all done automatically and processed by Exim and Dovecot as far as needed.