When I try to use POP3 with SSL, Gmail complains: "Certificate is self-signed"

cmyden

Hello,

I'm running DA 1.657.


I'm currently using Gmail to retrieve e-mails from my server using POP3

This works perfectly for retrieval...

username: [email protected]

POP server: 1.2.3.4

Port: 110


But now I want to make things more secure and use SSL.

So I tried the following:

username: [email protected]

POP server: 1.2.3.4

Port: 995

And add a checkmark beside 'Always use a secure connection (SSL) when retrieving mail.'


When Gmail tries to test this out it says:

Unable to establish secure SSL connection to 1.2.3.4
Server returned error: "SSL error: Leaf certificate is self-signed"



And if I run...

# openssl s_client -showcerts -connect 1.2.3.4:995


I do see:
Verify return code: 18 (self signed certificate)

At the bottom of the output.


directadmin.conf shows:

mail_sni=1


I'm just wondering if there is something I could look at to try and diagnose this problem.

Searching around for this issue on the DirectAdmin forums, everything I run across seems to be from many years ago.

Thank you
 
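An added diagnostic script, not from the thread or from DirectAdmin, that makes the point behind mail_sni=1 checkable: Dovecot chooses the certificate from the server name the client sends (SNI), and a client pointed at a bare IP such as 1.2.3.4, which is what Gmail was given here, sends no name at all. The IP, hostnames and sample output are placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). With mail_sni=1, Dovecot picks the
# certificate from the server name the client sends (SNI). A client pointed
# at a bare IP such as 1.2.3.4 sends no name, so it gets the default
# certificate, which on a DirectAdmin box is typically self-signed.
# Hostnames and IPs below are placeholders.

# Keep only the lines of "openssl s_client" output that matter: the leaf's
# subject and issuer and the verify result.
summarize_s_client() {
    awk '/^subject=/ && !s { s = 1; print }
         /^issuer=/  && !i { i = 1; print }
         /Verify return code:/ { print; exit }'
}

# Map the "Verify return code: N (...)" line in $1 to a short label.
# 18 = self-signed leaf, 19 = self-signed certificate in chain.
classify_verify() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    case "$code" in
        0)     echo ok ;;
        18|19) echo self-signed ;;
        '')    echo no-handshake ;;
        *)     echo "other:$code" ;;
    esac
}

# Turn the two results (with SNI in $1, without SNI in $2) into advice.
diagnose() {
    if [ "$1" = ok ] && [ "$2" = self-signed ]; then
        echo "SNI vhost is fine; only the default certificate is self-signed. Use the hostname, not the IP, in the mail client."
    elif [ "$1" = self-signed ]; then
        echo "No CA-signed certificate is served for that name: check mail_sni=1 and that the domain's certificate is installed for Dovecot."
    else
        echo "with SNI: $1, without SNI: $2"
    fi
}

# Probe IP:995 twice, once with SNI set to NAME and once by bare IP (no SNI),
# the two situations Gmail and the openssl test in the thread were in.
# Needs network access, so it only runs when both arguments are given.
probe_pop3s() {
    ip=$1; name=$2
    with_sni=$(openssl s_client -connect "$ip:995" -servername "$name" </dev/null 2>/dev/null)
    without_sni=$(openssl s_client -connect "$ip:995" </dev/null 2>/dev/null)
    printf '%s\n' "$with_sni" | summarize_s_client
    printf '%s\n' "$without_sni" | summarize_s_client
    diagnose "$(classify_verify "$with_sni")" "$(classify_verify "$without_sni")"
}
if [ $# -eq 2 ]; then probe_pop3s "$1" "$2"; fi   # e.g. ./pop3s-check.sh 1.2.3.4 mail.domain.com
```

On OpenSSL 1.0.2 (CentOS 7 era) s_client sends no SNI unless -servername is given, so a plain `-connect mail.domain.com:995` there also shows the default certificate even when the SNI vhost is correct.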
You need to generate SSL for your MX/SMTP server, at least Let's Encrypt.
If you are using domain.com added to your DA, by default it uses mail.domain.com as MX/SMTP,
so you need to generate a Let's Encrypt cert in DA for this domain + the subdomain mail.domain.com.
 
Hi Zhenyapan,

Thanks for the reply.

Under User -> Domain Setup I have a checkmark beside:

Secure SSL

Force SSL with https redirect


Under Account Manager -> SSL Certificates

- Enable SSL

- Get automatic certificate from ACME Provider

Let's Encrypt

- Checkmark beside:

mail.domain.com
pop.domain.com
smtp.domain.com
www.domain.com
domain.com

- After clicking SAVE, the certificates are retrieved just fine.

(I've had certificates from Let's Encrypt for years)


- Then I run:

# openssl s_client -showcerts -connect mail.domain.com:995


- It still shows:

Verify return code: 18 (self signed certificate)
---
+OK Dovecot DA ready.
 
Did you check from the browser whether the SSL details include all these subdomains?
 
When I check the certificate for domain.com from the browser it shows:

[Subject Alternative Name]

DNS Name=*.domain.com
DNS Name=domain.com

Should it show all the subdomains here?
 
I should also mention I'm using CloudFlare with full-strict, which I have for years.
 
That's why in most cases it is better to tell the real domain name, to check everything from the beginning, than to spend a few days "talking about a spherical horse in a vacuum" :sneaky:
With Cloudflare you must open your MX settings in any case, as well as SPF/DKIM/DMARC/rDNS, because receiver/sender must check the sender IP/email against these DNS records. Or set your own SSL from the Cloudflare/server side, or use Cloudflare SSL etc. Check their recommendations.
But I prefer to use clean/regular open DNS mail info on one server, and the website hidden by Cloudflare on another server, so a DDoS on the mail server will not touch the real website server.
 
What I've noticed:

1. I've read that directadmin.conf should contain:

enable_ssl_sni=1

ssl=1

letsencrypt=1


a) Mine doesn't contain an enable_ssl_sni entry at all.

b) Mine has ssl=0

c) I do have LetsEncrypt=1
You can enable SNI on your server which allows you to have SSL for multiple domains on one IP address.


What I've tried:
1. First I added enable_ssl_sni=1 to directadmin.conf manually.

I restarted directadmin and downloaded the ACME certificates.

2. Next I manually changed ssl=0 to ssl=1 and tried restarting directadmin.

This time directadmin failed to start.

# journalctl -xe


-- Unit directadmin.service has begun starting up.
Dec 15 13:07:55 www.domain.com kernel: Firewall: *TCP_IN Blocked* IN=eno1 OUT= MAC=blah SRC=94.102.61.23 DST=[My IP Address] LEN=44 TOS=0x00 PREC
Dec 15 13:07:55 www.domain.com directadmin[21973]: creating main HTTP server error=newServer failed to initialize TLS certificate cache: open /usr/local/directadmin/conf/cacert.pem:
Dec 15 13:07:55 www.domain.com systemd[1]: directadmin.service: main process exited, code=exited, status=1/FAILURE
Dec 15 13:07:55 www.domain.com systemd[1]: Failed to start DirectAdmin Web Control Panel.

I'm curious what this means...

Firewall: *TCP_IN Blocked* SRC=94.102.61.23 DST=[My Server's IP Address]

I don't recognize the 94.102.61.23 address. It seems to be owned by fiberxpress.net in the Netherlands.

Is this normal? An IP used by Let's Encrypt?


In CSF I have...

TCP_IN = 20,21,25,30,53,80,110,443,465,587,995,2222,3306,6006


Googling for "newServer failed to initialize TLS certificate" I only find a couple of results. One is this thread from 2021:

Upgrade to Directadmin 1.62 SSL carootcert not working
 
Lets have a look.

1.) a.) That is good, because enable_ssl_sni=1 is deprecated and not used anymore. So you probably read this in an old thread instead of the docs.
It should however contain mail_sni=1 to have mail working correctly with SSL.

b.) The ssl=0 setting only means that you can visit Directadmin with http instead of https; it has no influence on e-mail.

c.) Letsencrypt=1 is good, should be present, but remember that also mail_sni=1 should be present. It might be present by default but not visible in Directadmin.conf.

From my answers, you can see that what you tried indeed does not have any effect.

> I'm curious what this means...
As I read the log, somebody tried to login to your Directadmin (www.domain.com:2222) via https (since you changed ssl=0 to ssl=1) but it seems there is no certificate present so Directadmin fails to start with the ssl=1 setting. Change it back to ssl=0 and restart directadmin.

Then first generate an ssl certificate for your hostname, please have your own FQDN hostname, don't use ip.adre.s-da.direct as hostname, because then you won't have any control over it because that is owned by DA.

> Is this normal? An IP used by Let's Encrypt?
Has nothing to do with Letsencrypt.
The 94.102.61.23 IP is from criminalip.com, which does scans and login attempts on servers, as they say for "testing security", as more systems do. However, when thoroughly (hope I spelled that word correctly) investigated, one will see that in fact it has Chinese owners.
They don't have to test systems without permission; I would suggest blocking the complete criminalip.com range.
 
Thanks Richard! Here's what I'm back to:

a) removed enable_ssl_sni

b) ssl=0

c) mail_sni=1 (I have always had this)

- Basically, I'm back to what I've always had in directadmin.conf

- Directadmin starts normally, as expected.

> Then first generate an ssl certificate for your hostname, please have your own FQDN hostname, don't use ip.adre.s-da.direct as hostname, because then you won't have any control over it because that is owned by DA.

These are the Let's Encrypt certificate settings I've had for quite a while now. Renewing the certificates has always worked just fine...

(screenshot: Clipboard01.jpg)

So I have mail.domain.com as the hostname for example.

Pinging mail.domain.com returns my server's ip address (not Cloudflare).

With CloudFlare I've always had full-strict turned on, and everything has worked perfectly as far as website operation goes (port 80 and 443).

Here's my CloudFlare settings for the same domain:

(screenshot: Clipboard01.jpg)


When I execute:

openssl s_client -showcerts -connect mail.domain.com:995

I get:

SSL-Session:
Protocol : TLSv1.2

Verify return code: 18 (self signed certificate)
 
When I try mail.domain.com at: https://www.checktls.com/TestReceiver

I get:

Certificate #1 of 3 (sent by MX):
Cert VALIDATED: ok
Cert Hostname VERIFIED (mail.domain.com = domain.com | DNS:mail.domain.com | DNS:pop.domain.com | DNS:smtp.domain.com | DNS:domain.com)

Not Valid Before: Dec 15 19:05:09 2023 GMT
Not Valid After: Mar 14 19:05:08 2024 GMT
subject: /CN=domain.com
issuer: /C=US/O=Let's Encrypt/CN=R3


Certificate #2 of 3 (sent by MX):
Cert VALIDATED: ok
Not Valid Before: Sep 4 00:00:00 2020 GMT
Not Valid After: Sep 15 16:00:00 2025 GMT
subject: /C=US/O=Let's Encrypt/CN=R3
issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1


Certificate #3 of 3 (added from CA Root Store):
Cert VALIDATED: ok
Not Valid Before: Jun 4 11:04:38 2015 GMT
Not Valid After: Jun 4 11:04:38 2035 GMT
subject: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
 
> So I have mail.domain.com as the hostname for example.
Please never use mail.domain.com as a hostname if you indeed have this. It should be possible, but mail is kind of a reserved name and will generate issues. Never use reserved names like this as hostname, so no mail, www, ftp, imap, pop, smtp for example.
You have www as hostname. I would suggest changing this to something better.

You can use these or part of these instructions to fix it.
Once your hostname resolves again, you can create an SSL certificate for your hostname again too.

Other problem:
There is no rDNS/PTR record present for your hostname. You have to fix this.
However, change your hostname first!
 
Ok, thank you Richard. Sorry, I meant to say I have mail.domain.com set as a subdomain, *not* as the hostname.

My hostname is a completely different domain name. Although it does currently start with www, so I guess I should think about changing that?

My hostname is currently: www.primarydomain.com


When I think of my overall setup, I basically have 10 domain names that are all set up pretty much exactly the same way.

And then I have this primary domain that I think of as my server's overall domain.


When I was referring to my Certificate screenshot and the CloudFlare screenshot above, this was one of those 10 domain names (not the primary domain).

I always test things out on one of those domain names first, and then proceed slowly to change the other 9 domains once I'm sure everything is correct.


So I guess my steps should be:

1. I should change my hostname to something like: server.primarydomain.com

?


2. Now when it comes to setting up the first of my 10 domain names, I assume it's still a bad idea to have things setup the way I do now?

mail.domain.com

?

I should set up a new subdomain like...

postoffice.domain.com

?

And generate a certificate for that subdomain.

And add records to CloudFlare for that subdomain?


3. And then I need to look into a rDNS/PTR record for server.primarydomain.com

(Which I understand would be through the company hosting my server)

Thank you
 
> Ok, thank you Richard. Sorry, I meant to say I have mail.domain.com set as a subdomain, *not* as the hostname.
I understood that you didn't have it as a hostname, because you said example. I wouldn't use it as a subdomain either. Unless you know which customisations this requires to send mail correctly. Or unless you're mistaken and it's just an A record like it should be. :)

> My hostname is currently: www.primarydomain.com
Yes that's what I said, your hostname is www and that's not a good plan. If I'm not mistaken it's www.y...s.com but only missing the lw in the name. I know what the real hostname is. :)

To answer your questions.

1.) Preferably yes. It can have any name, doesn't need to be server, but try not to use common names like imap, mail, www and such. You can even use foobar.primarydomain.com or whatever.primarydomain.com; you can choose one yourself.

2.) I don't quite understand this question. By default, all domains will have a mail.domain.com A record and the MX record will also point to that, so that is fine. No need to make changes there. Only the hostname, as far as I could see, needs to change.
So since you don't need to change things on the domains themselves, there is no need to change records or request new certificates for domains.

3.) Yes, once the hostname is changed also adjust the rDNS/PTR record so the ip points to server.primarydomain.com and indeed with the company hosting your server/vps.

4.) Once the hostname resolves, so nslookup ip.ad.ress.here resolves to server.primarydomain.com on the internet (probably around half an hour) then you can request a new SSL certificate for your hostname. I adjusted my manual and added the procedure for this.

5.) Once you have a certificate for your hostname, you can turn on ssl=1 in directadmin again and you should not have issues anymore visiting your directadmin with https in the future.

For any other issues you encounter, just report back here and I or somebody else will try to help. My PC will be active until 01.30 hours when I turn it off. EU Netherlands time, it's 00.19 here so I will be present for around 1-1,5 hours.
 
Oh yes... as for point 3, the rDNS/PTR records, remember to do this for both your ipv4 and ipv6 which are used for the main server ip if you're also using ipv6.
 
Ok, thank you very much, this is very helpful.

I always hate making changes like this for fear of breaking something, and want to proceed slowly and make sure I'm doing it correctly.

I will follow your guide for doing things through the command line. But is there a difference between that and doing things through the DA interface?

In Administrator Settings -> Server Settings I'll be doing this:

(screenshot: Clipboard01.jpg)


And then in Server Manager -> DNS Administration I currently have these 2 records:

(screenshot: Clipboard01.jpg)


1. I don't need to create a new DNS record on the server for server.primarydomain.com ?


2. I assume this [backwards ip address].in-addr.arpa record is my Reverse DNS record.

It currently looks like this:

(screenshot: Clipboard01.jpg)

a) I change record #3 to point to server.primarydomain.com


b) And then I should add one for IPV6

A record that looks something like this:

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.f.7.2.0.0.2.ip6.arpa

(But using my own IP obviously)

According to: https://www.whatsmydns.net/reverse-dns-generator


c) And then I also need to contact the owner of my IP address and get them to add my rDNS/PTR records.



And then lastly, there's CloudFlare. This is what I currently have...

(screenshot: Clipboard01.jpg)

3. No new CloudFlare records or changes are required?


Thanks again for the help it is really appreciated.
 
Oh, lucky I went to sleep a lot later.

OK, first screenshot, very correct. You also will see that the nameservers are still ns1.primarydomain.com and ns2.primarydomain.com; if not, this is correct anyway.

> And then in Server Manager -> DNS Administration I currently have these 2 records:
Delete both. In Directadmin you don't set the rDNS/PTR, so you can lose the in-addr.arpa records.
The second is your www hostname, this is wrong so it can also be deleted.

It's written in my manual to do it in DNS Administration. Not a DNS record, a complete DNS entry as if you would create a new domain. But not under a user account, also not as admin in user level.
> 1. I don't need to create a new DNS record on the server for server.primarydomain.com ?
YES. In DNS Administration as admin in admin level. So there you enter server.primarydomain.com as new domain and your server ipv4 and then ns1.primarydomain.com and ns2.primarydomain.com and save.
Then you will have kind of the same as you now have for the www record (which you will delete).
Then don't forget to create the server.primarydomain.com directory in /etc/virtual via SSH and chown it to mail:mail.

> 2. I assume this [backwards ip address].in-addr.arpa record is my Reverse DNS record.
Officially they are reverse dns records. But they won't work if you create them in Directadmin in this case, you need to set the ptr/rdns record at your server provider. So remove all those in-addr.arpa records, you don't need them.

> c) And then I also need to contact the owner of my IP address and get them to add my rDNS/PTR records.
Correct, that is where the rDNS/PTR is made for both ipv4 and ipv6.

> And then lastly, there's CloudFlare. This is what I currently have...
I don't use Cloudflare, so I don't know how this is working if you are using your own nameservers like ns1.primarydomain.com and ns2.primarydomain.com.
If you only use Cloudflare, there is probably not much you have to change. You need to add the server A record there maybe.
If you use cloudflare as external DNS, I would suggest for primarydomain to copy also the SPF and DKIM TXT records.
But as said, I don't use cloudflare, so if Cloudflare just works as external dns then it should be like I said.

Maybe @Zhenyapan or @jamgames2 work with cloudflare and can confirm or tell you which records you need additionally in Cloudflare.

I really have to go offline now it's 02.33 already.
 
About Cloudflare: "server.hostname.com" must have a record in Cloudflare, because it needs to resolve from outside. If it can't, PTR/rDNS won't work.
 
All mail records must be visible, such are the mail rules, because if they are hidden, how can the receiver check them to be sure that the email is normal, not fake/spam/hacked?
 