Looks like Google made some changes in April 2020 that require stricter TLS authentication. Now getting this message when trying to "Send mail as" from an account set up in ISPConfig. (Also attached the actual image on this post)

Code:
The response was: TLS Negotiation failed, the certificate doesn't match the host.

I went to set up the user again, which was set up on port 587 with my domain as SMTP server and my email as the username previously, but now when I try to save the setup I get Authentication failed. And the error is:

Code:
"TLS Negotiation failed, the certificate doesn't match the host., code: 0"

Looks like it's a VERY common problem on the internet with all panels, like Plesk, cPanel, etc. all having issues. I'm surprised this hasn't come up here yet to be honest. I only found one link and it was in the priority forums, so was not able to reply. However, does anyone know a fix to this?

When I try to add the user on the "send mail as" in Google, the settings I use worked before, but not any longer, and they were:

SMTP Server : mydomain.com
User : [email protected]
Password : mypassword (which I know is correct as I changed it to make sure)
Port : 587 (And also tried 465, which I did also open up in the firewall)
Secure Connection Using : TLS (But I tried SSL also)

What DOES work is using no encryption and port 25, but I don't want to do that. Can someone else give this a try with an email account set up in ISPConfig? I'm not sure how to fix, but I think it may be a common issue now.

By the way I did set up the SSL cert for both ISPConfig and symlinked it to postfix. As I said, this worked previously for me using TLS on port 587, but looks like Google's stricter policy needs domain to match domain on cert, which from everything I can see it does. I even tested on https://www.sslshopper.com/ssl-checker.html and domain matches the cert. I'm so lost.. Thanks so much.
Have you verified the certificate the e-mail server uses is correct and has the needed domains? Try Internet Search Engines with

Code:
ssl testing mail server
Wow, that search and test on the second link really clears things up a bit. Thanks SO much for the quick reply. Looks like I set my MX server to "mail.mydomain.com" and the SSL cert is at mydomain.com.

Code:
Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): unable to get local issuer certificate; unable to verify the first certificate
This may help: What Is An Intermediate Certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname DOES NOT VERIFY (mail.mydomain.com != mydomain.com | DNS:mydomain.com | DNS:server1.mydomain.com | DNS:www.mydomain.com)
So email is encrypted but the host is not verified

What would be the best way to resolve this? I can think of 2, there's probably more, but which would work best?

1. I change my MX servers to just "mydomain.com" instead of "mail.mydomain.com". I assume I need to wait for DNS to propagate before I can test this properly.
2. Will adding a subdomain in ISPConfig for "mail.mydomain.com" work to add "mail.mydomain.com" into the SSL cert, so it can get verified correctly? Cuz I notice the other subdomains I create get added to the cert, but not sure if it'll verify correctly for Google.

Thanks again for your quick help Taleman, just trying to get the best method to resolve this, hopefully this will help others in the future too.
Yes, that should be ok.

That's probably because the hostname is in the SSL cert when using the guides that we provide to set up LE certs for the mail service, and as the MX of a domain should point to the hostname of the mail server, the setup is safe from this Gmail issue.

https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
Thanks Till, that is the actual guide I used to set up the SSL, but I didn't create a website for the FQDN, I just used the cert from the main domain (mydomain.com) instead of (server1.mydomain.com). Maybe I should go through that again and set it up correctly.

So if I'm understanding correctly though, according to the guide, the email MX server should actually be set up as my FQDN, or in other words what I have set up as hostname -f? So would be "server1.mydomain.com" as the MX record?

Cuz it seems I only solved the second part of the above error. After I added "mail.mydomain.com" to the cert, it no longer has the bottom half where it says "Cert Hostname DOES NOT VERIFY", but I still have the issue above:

Code:
Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): unable to get local issuer certificate
This may help: What Is An Intermediate Certificate
So email is encrypted but the recipient domain is not verified

I'm going to go through the guide again and set up the hostname correctly. I might as well change my MX servers to my FQDN as well, and have it as server1.mydomain.com instead of mail.mydomain.com.
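
Added example, not part of any post in this thread: a Python check that separates the two failures in the test output quoted above, an unverifiable chain and a hostname not covered by the certificate's SAN list. The function names are hypothetical, and the sample SAN lists are constructed from the output quoted in the thread.

```python
import smtplib
import ssl

def san_matches(hostname, pattern):
    """RFC 6125 style match: case-insensitive, wildcard only as the whole leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False                      # "*.mydomain.com" never covers "mydomain.com"
    if pat[0] == "*" and len(pat) > 2:    # refuse overly broad patterns such as "*.com"
        return host[1:] == pat[1:]
    return host == pat

def uncovered(names, dns_sans):
    """Return the names (SMTP server field, MX targets) that no SAN entry covers."""
    return [n for n in names if not any(san_matches(n, s) for s in dns_sans)]

def fetch_dns_sans(host, port=587, timeout=10):
    """Connect like a submitting client: STARTTLS on `port`, chain verified against the
    system trust store, hostname check deferred so the SAN list can be inspected.
    A server that omits its intermediate certificate raises
    ssl.SSLCertVerificationError here, before any SAN is read."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # names are compared by uncovered() instead
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

# Constructed sample data, taken from the SAN list quoted in the thread.
SANS_BEFORE = ["mydomain.com", "server1.mydomain.com", "www.mydomain.com"]
SANS_AFTER = SANS_BEFORE + ["mail.mydomain.com"]
NAMES = ["mail.mydomain.com", "mydomain.com"]   # MX target and the SMTP server field

if __name__ == "__main__":
    print("before:", uncovered(NAMES, SANS_BEFORE))
    print("after: ", uncovered(NAMES, SANS_AFTER))
```

Against a live server, pass the result of `fetch_dns_sans("mail.mydomain.com")` to `uncovered()`; if the call raises a certificate verification error instead, Postfix is most likely serving the leaf certificate without the intermediate chain.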