Email problems to connect or login

Discussion in 'ISPConfig 3 Priority Support' started by Gaston Girardi, Oct 18, 2022.

  1. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    Correct me if I'm wrong, but isn't the reverse DNS entry supposed to return the FQDN? Because the name of my server is Server1.Hospedaje....

    We use mail.hospedaje.... , and we do not have any load balancing; how we have it is pretty simple. For the POP/IMAP daemon we use Dovecot, for the mailfilter syntax Sieve, for the content filter Rspamd, and for the maildir format Maildir.
     
  2. pyte

    pyte Well-Known Member HowtoForge Supporter

    When your mailserver tells other servers it's called "mail.domain.tld" the rdns record for that IP should report back exactly that name and not something else.
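
The consistency check described in the reply above, as an added example that is not part of the original thread: it compares the name a mail server announces with the PTR record of its IP and confirms that the PTR name resolves back to the same IP. The function names, the 192.0.2.25 address and the example.test names are constructed placeholders; by default the lookups use the system resolver.

```python
import socket


def _ptr(ip):
    """PTR names for ip via the system resolver ([] if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []


def _addrs(name):
    """A/AAAA addresses for name via the system resolver ([] if none)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def _norm(name):
    return name.lower().rstrip(".")


def check_mail_identity(ip, helo, ptr_lookup=_ptr, addr_lookup=_addrs):
    """Compare the announced (HELO) name with reverse and forward DNS."""
    ptr_names = [_norm(n) for n in ptr_lookup(ip)]
    return {
        "ptr": ptr_names,
        "ptr_matches_helo": _norm(helo) in ptr_names,
        "forward_confirmed": any(ip in addr_lookup(n) for n in ptr_names),
        "helo_resolves_to_ip": ip in addr_lookup(_norm(helo)),
    }


# Constructed zone data: PTR names the host, the server announces "mail".
PTR = {"192.0.2.25": ["server1.example.test."]}
A = {"server1.example.test": ["192.0.2.25"],
     "mail.example.test": ["192.0.2.25"]}


def demo():
    return check_mail_identity("192.0.2.25", "mail.example.test",
                               lambda ip: PTR.get(ip, []),
                               lambda n: A.get(n, []))
```

With the constructed data the PTR is forward-confirmed but does not match the announced name, which is the mismatch the reply describes.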
     
  3. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    So what the reverse DNS should really say is "mail.hospexx.xxxxx", am I correct?
     
  4. pyte

    pyte Well-Known Member HowtoForge Supporter

    I'm not sure, to be honest. I guess you just need a valid rdns, but that's what I've been doing for the last 10 years.

    However, back to the main problem. Do these login problems occur when you attempt auth from localhost?
    Can you test the authentication from localhost with nc or something and test it with doveadm-auth?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    And do the login problems occur for all mailboxes or just for a few mailboxes? Did you try to set a new password to see if it works then?
     
  6. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    Yes, it's for all mailboxes, and in some tests I set a new password and it's the same.
     
  7. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    I checked with the following command:
    Code:
    doveadm auth test [email protected]
    and I got a "passdb auth succeeded".

    But doing a test on a machine with Outlook, while I was setting the new password of an email account, I got a certificate error. Might it be that?
     
  8. pyte

    pyte Well-Known Member HowtoForge Supporter

    You should investigate that certificate error. What did the error say? Is it the wrong hostname or is the certificate expired?
     
  9. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    The message said that the server you are connected to is using a security certificate that cannot be checked.

    The name of the security entity of destination is incorrect.

    And it asks you if you want to continue using that server.

    The thing is that the certificate is issued by Sectigo RSA and expires on 8/15/23
     
    Last edited: Jan 28, 2023
  10. pyte

    pyte Well-Known Member HowtoForge Supporter

    And the certificate is for "mail1.domain.tld"?
    The name you enter as the server name in the mail client must be identical to the one on the certificate
     
  11. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    The certificate I had was a wildcard, but it is a paid certificate, and every time it gets renewed it is work for me to change it in every place. So, searching yesterday, I found this tutorial from @Th0m:

    https://forum.howtoforge.com/thread...d-lets-encrypt-ssl-certificate-certbot.86372/

    I will check on Monday if those machines keep showing the certificate message. But now I've got a specific certificate for mail.mydomain.ltd
     
  12. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    OK, after checking, we still have the certificate error, but now it says that the certificate is SMTP.hospedaje.xxx, and when I check the certificate for mail.hospedaje.xxx at https://www.sslshopper.com/, the common name appears as smtp.hospedaje.xxx. But I already checked the tutorial 3 times and it is exactly like it. I don't know where it might be wrong.

    As a side note, I unchecked the SSL box for the site mail.hospedaje.xxx, erased the certificate from the live folder, and checked the box again in the site so the system would create the certificate again, but I got the same result.
     
    Last edited: Jan 30, 2023
  13. pyte

    pyte Well-Known Member HowtoForge Supporter

    Check the certificate under /etc/postfix/smtpd.cert. This is a symlink to /usr/local/ispconfig/interface/ssl/ispserver.crt by default. You can check it from the shell with:
    Code:
    openssl x509 -text -noout -in /etc/postfix/smtpd.cert
    What is the name in the " Subject: CN =" line? Is it correct?
     
  14. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    Reading my previous post, I wasn't as clear as I should have been. Sorry for that.

    I followed the tutorial from @Th0m (the one I put in my message, #31), and the symlink no longer points to /usr/local/ispconfig/interface/ssl/ispserver.crt; it now points to /etc/letsencrypt/live/mail.hospedaje.xxx. According to that tutorial, what I should get in the CN is mail.hospedaje.xxx, but I'm getting smtp.hospedaje.xxx

    Code:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
    
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = Let's Encrypt, CN = R3
            Validity
                Not Before: Jan 28 06:18:12 2023 GMT
                Not After : Apr 28 06:18:11 2023 GMT
            Subject: CN = smtp.hospedaje.xxx
    
    ....
    
     Subject Alternative Name:
                    DNS:imap.hospedaje.xxx, DNS:mail.hospedaje.xxx, DNS:pop3.hospedaje.xxx, DNS:smtp.hospedaje.xxx
    
    As you can see, I don't have the right certificate name for the server name we use in the mail client (mail.hospedaje.xxx). That is what I tried to say in my message #32.
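
A name check over the certificate fields quoted in the post above, as an added example that is not part of the original thread. It follows the matching rule of RFC 6125, under which a client compares the server name it was configured with against the Subject Alternative Name DNS entries and falls back to the CN only when the certificate has no such entries; the function names are hypothetical, and only names are checked, not the chain or the expiry date.

```python
import re

# Constructed sample: the name fields quoted in the post above, laid out as
# `openssl x509 -text -noout` prints them (serial, key, signature omitted).
SAMPLE_DUMP = """\
Certificate:
    Data:
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Subject: CN = smtp.hospedaje.xxx
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:imap.hospedaje.xxx, DNS:mail.hospedaje.xxx, DNS:pop3.hospedaje.xxx, DNS:smtp.hospedaje.xxx
"""


def parse_names(dump):
    """Return (subject_cn, [san_dns_names]) from an openssl text dump."""
    cn = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", dump, re.M)
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", dump)
    dns = re.findall(r"DNS:([^,\s]+)", san.group(1)) if san else []
    return (cn.group(1).strip() if cn else None), dns


def name_matches(pattern, host):
    """Case-insensitive; '*' may stand only for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covers(dump, host):
    """True if `host` passes the name check for this certificate."""
    cn, dns = parse_names(dump)
    # SAN DNS entries, when present, are authoritative and the CN is ignored;
    # the CN is a fallback only for legacy certificates with no SAN at all.
    candidates = dns if dns else ([cn] if cn else [])
    return any(name_matches(c, host) for c in candidates)


if __name__ == "__main__":
    for host in ("mail.hospedaje.xxx", "smtp.hospedaje.xxx", "server1.hospedaje.xxx"):
        print(host, "->", "covered" if covers(SAMPLE_DUMP, host) else "NOT covered")
```

To run it against a real file, pass the output of `openssl x509 -text -noout -in /etc/postfix/smtpd.cert` as `dump`.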
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It can be a different hostname that becomes the main hostname, and is used for the directory name of the cert.

    See the note in the tutorial as well: "Not working?
    I once had a problem with this, because Let's Encrypt used one of the alias domains as main domain. You can find the main domain in the earlier mentioned SSL tool as "Common name" or by listing the content of /etc/letsencrypt/live to see which of the (alias)domains has a folder there."
     
    Gaston Girardi likes this.
  16. Gaston Girardi

    Gaston Girardi Member HowtoForge Supporter

    Hi @Th0m, I have a question about this: if I have several certs for the same domain but the names end with 001, 002, 003, which one is the good one? And what will happen with the symlink? Because it is pointing to the one in the folder that doesn't have any numbers.

    Also, if I erase the alias domains, does ISPConfig erase the cert folders? I mean the ones that should be under the /etc/letsencrypt/live path.

    I'm asking these things because on Wednesday I was getting an error when trying to get a new cert from Let's Encrypt, and before checking the log (my mistake), I saw all those folders and erased them (what a dumb thing of me). Thankfully I had a backup of the first cert I got the day I followed the tutorial and I was able to restore it, but I won't be able to get a new cert and create the alias domains to get linked to that cert until tonight.


    One thing I learned about Let's Encrypt (among a lot of other things) is that it doesn't allow you to create more than 5 certs for the same domain in a short period of time, and you have to wait more than 3 days to get a new one.
     
