IMAP/POP SSL Failed SNI

Comments

26 comments

  • LoadFactor
    We're experiencing the same issue.
    0
  • grindlay
    Same here
    0
  • grindlay
    0
  • ispweb
    0
  • Raymond Hayes
    This is not working for me. All mail connections are identifying as the main server SSL, and SNI is not working. I have tried to rebuild after switching to Comodo...I even removed and let autossl regenerate, and still getting errors for mail connections.
    0
  • grindlay
    As @ispweb mentions, you can also work around it by adding domains manually to your /etc/dovecot/sni.conf file and restarting Dovecot. Keep a backup, cos atm running the /scripts/build_mail_sni --rebuild_dovecot_sni_conf script will remove them.
    0
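    An added illustration of the manual sni.conf workaround above. This is not cPanel's generated file and not from the thread: the block uses Dovecot's standard local_name syntax, and the domain name and the path to the "combined" key-plus-chain file are placeholders, so check them against what your server actually generates before relying on it.

```conf
# Assumed layout: Dovecot's standard per-SNI-name block. cPanel's generated
# /etc/dovecot/sni.conf may be laid out differently, and running
# /scripts/build_mail_sni --rebuild_dovecot_sni_conf overwrites the file,
# so keep a copy of any hand-added entries.
local_name mail.example.com {
  # "combined" is assumed to hold the private key plus the full certificate chain
  ssl_cert = </var/cpanel/ssl/domain_tls/mail.example.com/combined
  ssl_key  = </var/cpanel/ssl/domain_tls/mail.example.com/combined
}
```

    Dovecot selects the block whose local_name equals the SNI name the client sends, so the name must be exactly what the mail client is configured with (mail.example.com here), not the server's own FQDN; restart Dovecot afterwards, as the post above says.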
  • Raymond Hayes
    UGH...ok...that doesn't help with thousands of accounts...oh man. What a massive mess.
    0
  • LoadFactor
    Switched to the cPanel certs for the moment, but more often than not cPanel is responding with "The "cPanel (powered by Sectigo)" provider cannot currently accept incoming requests. The system will try again later." So not exactly a fix.
    0
  • Misiek
    Does the hotfix mentioned in the thread fix the issue?
    0
  • grindlay
    Looks like the patch released this morning adds all your domains to /etc/dovecot/sni.conf. This works okay, assuming you have valid certs for each of the domains.
    0
  • Misiek
    Not fully. My clients still have problems: Outlook reports it cannot establish a secure connection.
    0
  • grindlay
    An additional problem is that LetsEncrypt is rate-limited to 50 certificate validations per domain per week. So if you have been running AutoSSL a lot, in an attempt to get your certs to validate, you may well hit the limit. I'm stuck with a number of invalid certs which I can't renew because "MASTER DCV: A rate limit prevents DCV."
    0
  • Misiek
    Yes, same problem for me, and a new problem: clients using a mail.domain.com SSL connection to send email now receive an error that the domain certificate does not fit the server certificate. Any ideas??
    0
  • grindlay
    A temporary workaround, if your certificate is waiting to revalidate, is to get the mail client to connect to the FQDN of the server. I have one domain that is firmly stuck because of rate limiting, so I got them to connect to ds.myserver.com (insert your FQDN). Because Dovecot is presenting the server cert, the mail client accepts it. Of course you'd need to change it back when your domain cert validates. Probably easier just to create an exception in the mail client for the server's cert. That way, when the domain cert validates, the client should automatically switch over.
    0
  • Misiek
    That is not a solution. Try to explain to hundreds of clients that they have to change their SMTP configuration. And this is also not the issue: the problem is not with Dovecot only, but with SMTP.
    0
  • grindlay
    Indeed. Perhaps explaining that if their mail client raises an exception, they can click through and accept it, just so they can keep working until DV completes. They shouldn't notice when the exception is no longer required, at least that's my understanding of how mail clients work.
    0
  • StevenC99
    When making an SMTP connection to Exim, the client specifies via SNI which certificate it is expecting. According to the /etc/exim.conf setting "tls_certificate =", the SMTP server hostname (from SNI) is looked up in /var/cpanel/ssl/domain_tls/. If there is a folder, e.g. "mail.example.com", it should contain a file called "combined" containing the appropriate SSL certificate and chain. As far as I can tell, AutoSSL doesn't update the certificate in /var/cpanel/ssl/domain_tls/. I'm not sure which cPanel component is supposed to do that. (And I haven't updated anything on the server recently, so this might be e.g. a side-effect of LetsEncrypt's old trust root expiring recently.) The quickest workaround I can think of is to manually create the directory /var/cpanel/ssl/domain_tls/mail.example.com/ containing a file called "combined" containing the appropriate private key and certificates (whole trust chain). I don't want to do that by hand for 1000 domains though, so I will see if I can write some script for this...
    0
  • StevenC99
    ... just so they can keep working until DV completes.

    My Domain Validation with LetsEncrypt did complete. The problem is, the new certificates didn't get put into /var/cpanel/ssl/domain_tls/ for whatever reason.
    0
  • grindlay
    My Domain Validation with LetsEncrypt did complete. The problem is, the new certificates didn't get put into /var/cpanel/ssl/domain_tls/ for whatever reason.

    Neither did mine, until I ran the cPanel patch script this morning.
    0
  • Misiek
    [root@one mail.mydomain.pl]# ls -la
    total 104
    drw-r--r--    2 root root  4096 Oct 1 08:33 .
    drwx--x--x 1100 root root 69632 Oct 1 13:16 ..
    -rw-r--r--    1 root root  3793 Oct 1 08:33 certificates
    -rw-r--r--    2 root root  6325 Oct 1 08:33 certificates.cache
    -rw-r-----    1 root mail  5468 Oct 1 08:33 combined
    -rw-r--r--    2 root root     6

    They're all there, still Thunderbird reports an error when sending email.
    0
  • StevenC99
    Thanks for the pointer to the autofixer script! It seems the script (
    0
  • StevenC99
    -rw-r----- 1 root mail 5468 Oct 1 08:33 combined

    For clues, run "openssl s_client -connect localhost:smtps -servername mail.mydomain.pl -CAfile /etc/ssl/certs/ca-bundle.crt" and see which certificate was offered by Exim (subject=/CN=...), and exactly what the validation error was. For me, it was "certificate is expired", not referring to my certificate though, but to the old LetsEncrypt root CA that expired recently.
    0
  • Misiek
    Did it pointing to hostname.pl not to mail.domain.pl
    0
  • StevenC99
    Did it pointing to hostname.pl not to mail.domain.pl

    That should be ok. You got the certificate for hostname.pl, which should have a Subject Alternative Name for each subdomain, including mail.domain.pl. Importantly, you should get "Verify return code: 0 (ok)", which means the certificate and chain are all correct. Then it should be OK for your clients too.
    0
  • Misiek
    Nope, that does not work. I get 0 (ok) but the client gets: Sending of the message failed. Unable to communicate securely with peer: requested domain name does not match the server's certificate. The configuration related to mail.domain.pl must be corrected.
    0
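    The s_client check and the "Verify return code" discussion in the replies above, as an added example that is not part of the thread and not cPanel's tooling: a Python probe that connects with a chosen SNI name, validates the chain against the system trust store (the part s_client reports as the verify return code) and then separately checks whether the presented certificate's subjectAltName actually covers that name, which is the check a mail client performs before reporting that the requested domain name does not match the server's certificate. Host, port and SNI name are whatever you pass on the command line; the sample certificate dict is a constructed value, not one taken from any real server.

```python
"""Added diagnostic: which certificate does a mail server present for a
given SNI name, and does that certificate cover the name?  Chain validity
and name coverage are independent checks; a mail client refuses the
connection if either one fails."""
import socket
import ssl
from dataclasses import dataclass, field
from typing import Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname (RFC 6125 rules):
    case-insensitive, and a wildcard is honoured only as the whole leftmost
    label, so '*.hostname.pl' covers 'mail.hostname.pl' but not
    'mail.domain.pl' and not 'a.b.hostname.pl'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".hostname.pl"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_covers(peercert: dict, hostname: str) -> bool:
    """True if a ssl.SSLSocket.getpeercert()-style dict covers hostname.
    Only SAN dNSName entries count; the CN is consulted only when the
    certificate carries no SAN at all (legacy behaviour)."""
    names = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in peercert.get("subject", ())
                 for key, v in rdn if key == "commonName"]
    return any(hostname_matches(p, hostname) for p in names)


@dataclass
class SniProbe:
    sni: str
    chain_ok: bool = False            # trust chain validated (s_client's "Verify return code: 0")
    covers_sni: bool = False          # presented cert covers the requested name
    presented_names: list = field(default_factory=list)
    error: str = ""


def probe_sni(host: str, port: int, sni: str, cafile: Optional[str] = None) -> SniProbe:
    """Connect with implicit TLS (smtps 465, imaps 993, pop3s 995; not STARTTLS),
    send SNI=sni, validate the chain, then report name coverage separately."""
    result = SniProbe(sni=sni)
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False        # we perform the name check ourselves so we can report it
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()   # parsed dict, chain already validated
    except ssl.SSLCertVerificationError as exc:
        result.error = f"chain verification failed: {exc.verify_message}"
        return result
    except OSError as exc:                 # refused, timeout, or other TLS failure
        result.error = str(exc)
        return result
    result.chain_ok = True
    result.presented_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    result.covers_sni = cert_covers(cert, sni)
    return result


# Constructed sample shaped like getpeercert(): a server-wide certificate for
# hostname.pl that has no SAN for mail.domain.pl.  Chain validity would say
# "ok"; the client's name check would still fail for mail.domain.pl.
SAMPLE_SERVER_CERT = {
    "subject": ((("commonName", "hostname.pl"),),),
    "subjectAltName": (("DNS", "hostname.pl"), ("DNS", "*.hostname.pl")),
}


if __name__ == "__main__":
    import sys
    host, port, sni = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    r = probe_sni(host, port, sni)
    print(f"sni={r.sni} chain_ok={r.chain_ok} covers_sni={r.covers_sni} "
          f"presented={r.presented_names} error={r.error!r}")
```

    Run it on the mail server itself against the ports the clients use, e.g. port 465 for Exim and 993 for Dovecot, and pass the exact name the client is configured with (mail.domain.pl), not the server's FQDN: a probe with the FQDN exercises a different certificate selection than the one the client triggers. chain_ok true with covers_sni false is precisely the state in which s_client reports "Verify return code: 0 (ok)" while Thunderbird still refuses the connection.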
  • cPRex Jurassic Moderator
    We're currently working on a plan that will more properly update the SNI configurations as well, as that will also run as part of an updated autofixer. I'll post in the main thread at as I get more updates.
    0