SSL - Gmail certificate Subject and hostname mismatch

blackice856
New user
Posts: 6
Joined: 2018-12-11 14:53

SSL - Gmail certificate Subject and hostname mismatch

Post by blackice856 » 2018-12-11 15:24

Hello hMailServer community. This will be my first post, but I need to address how wonderful this piece of software is. It's an amazing mail client that has not failed me once (yet :P ). I have been able to solve every problem I have run into because the community is really good too, and the forum is a valuable source of knowledge.

However, I have this one problem that I can't solve because my knowledge of SSL and domain records is a bit limited.

So I have my certificates from the Let's Encrypt CA with the hostname of the MX record: mail.domain1.com. I configured the SSL/TLS ports for SMTP, POP3 and IMAP and also the certificate location in hMailServer. I have tested the domain on https://www.digicert.com/help/ with mail.domain1.com:465 and configured Outlook to use SSL/TLS, and it works fine. Since I'm a nerd I have also used Wireshark (network sniffing tool) to compare the SSL connection vs. unsecured, and the result is as expected.

Everything is working fine! I started to type an email for our clients with instructions on how to set up the new configuration for Outlook (the most used) and also for the Android Gmail app. I inserted my mail account credentials and then, when the app tries to connect, there is a warning that the certificate is not valid. There is an advanced button and when I click it the error is the following: The subject of the certificate and the hostname do not match.

We have multiple domains configured in hMailServer and, from my understanding, the problem is that my credentials were postmaster@domain2.net (hostname) but the subject (the hostname used to issue the certificates) is mail.domain1.com. I got another certificate for domain2.net and configured it on hMailServer, but the result is the same.

There's an option to bypass this warning, but I'm sure most of our clients will be calling mad if Google tells them that they can't guarantee their email is safe.

Does anyone know how to tackle this?

Thanks in advance!

jimimaseye
Moderator
Posts: 8518
Joined: 2011-09-08 17:48

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by jimimaseye » 2018-12-11 20:33

Run this and post the results: viewtopic.php?f=20&t=30914, as it gives the helpers an easy-to-read view.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Virinum
Normal user
Posts: 69
Joined: 2018-11-23 14:42
Location: Germany

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by Virinum » 2018-12-11 21:33

I recently tried to explain some examples with SSL: viewtopic.php?f=7&t=33198&p=208260#p208260
Maybe it helps you.

Also, you should include the chain certificate of Let's Encrypt, so the certificate chain is complete.

mattg
Moderator
Posts: 20788
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by mattg » 2018-12-11 23:06

My Let's Encrypt certs are in the name 'mx.example.com' (and yes, use the fullchain - but I don't think that is your issue)

My SMTP >> Delivery of email >> local host name is 'example.com'
My RDNS or PTR is 'example.com'

My certs are accepted fine, by all mail clients
blackice856 wrote:
2018-12-11 15:24
I inserted my mail account credentials and then the app tries to connect there is a warning that the certificate is not valid. There is an advanced button and when I click it the error is the following: The subject of the certificate and the hostname do not match.
Which app is making the noise?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

mattg
Moderator
Posts: 20788
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by mattg » 2018-12-11 23:14

blackice856 wrote:
2018-12-11 15:24
I have tested the domain on https://www.digicert.com/help/
Does that only check HTTPS connections?
I can't see that that tool tests mail connections.

try this one instead >> https://www.checktls.com/
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Virinum
Normal user
Posts: 69
Joined: 2018-11-23 14:42
Location: Germany

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by Virinum » 2018-12-11 23:34

Here are the tools I use for testing:

SMTP (Port 25, StartTLS) Mailserver to Mailserver:
https://ssl-tools.net/mailservers

IMAP/POP/SMTP for Clients (supports only SSL/TLS, not StartTLS):
https://www.sslshopper.com/ssl-checker.html
Enter something like smtp.example.com:465, pop.example.com:995 or imap.example.com:993.


Is it possible your Android Gmail app is "guessing" the wrong hostnames for IMAP/SMTP/POP and that's the reason why you get a warning?

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by palinka » 2018-12-11 23:40

Virinum wrote:
2018-12-11 21:33
Also, you should include the chain certificate of Let's Encrypt, so the certificate chain is complete.
This for sure. I'm not even sure you'll get anything to work properly without this.

Also, I could be mistaken, but this seems like a simple case of mistaken identity. Try this: make a new certificate that includes all domains that you're using. LE is capable of SAN certificates by default.

For example, my certificate contains domain1.com, mail.domain1.com, smtp.domain1.com, autodiscover, imap, pop, etc., etc., plus all the same for every other domain. All that is loaded into one SAN certificate. Then the chain certificate is used in hMailServer.
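The name-mismatch diagnosis above comes down to one question: does any name in the certificate cover the hostname the client actually connects to? The following Python script is an added example (not code from this thread or from hMailServer) that applies the RFC 6125 matching rule to a list of certificate names and reports which of the hostnames a client is likely to guess from an email domain would trigger the warning. The guessed-prefix list and the domain names are constructed to mirror the thread; `fetch_dns_names` shows how to pull the served SAN list from a live port (an assumption about the workflow, not exercised by the offline demo).

```python
"""Check which hostnames a mail client may try for an email domain are
covered by a certificate's Subject Alternative Names.
Added example; not from the thread or hMailServer. Names are constructed."""
import socket
import ssl
from typing import Dict, Iterable, List

# Hostnames a client typically derives from the domain part of an address
# (the "guessing" palinka describes). This list is an assumption.
CLIENT_GUESS_PREFIXES = ("", "mail.", "smtp.", "imap.", "pop.", "pop3.")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one SAN dNSName against a hostname:
    case-insensitive; a wildcard is allowed only as the entire leftmost
    label and never matches across a dot or a bare registered domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(h_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def coverage(cert_names: Iterable[str], email_domain: str) -> Dict[str, bool]:
    """Map each guessed hostname to whether any certificate name covers it."""
    names = list(cert_names)
    return {
        prefix + email_domain: any(dns_name_matches(n, prefix + email_domain) for n in names)
        for prefix in CLIENT_GUESS_PREFIXES
    }


def missing_names(cert_names: Iterable[str], email_domain: str) -> List[str]:
    """Hostnames a client may try that would produce a name-mismatch warning."""
    return [host for host, ok in coverage(cert_names, email_domain).items() if not ok]


def fetch_dns_names(host: str, port: int = 465) -> List[str]:
    """Connect to an implicit-TLS port (465/993/995) and return the served
    certificate's SAN dNSNames. The chain is still verified against the
    system trust store (an incomplete Let's Encrypt chain raises
    ssl.SSLCertVerificationError); only the hostname check is disabled so a
    mismatching name can be inspected rather than aborting. Needs network;
    not exercised by the offline demo below."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed certificates mirroring the thread: the original one issued for
# mail.domain1.com only, and a SAN certificate like the one in the final post.
CERT_BEFORE = ["mail.domain1.com"]
CERT_AFTER = ["domain2.com", "smtp.domain1.com", "pop3.domain1.com",
              "imap.domain1.com", "domain1.com"]

if __name__ == "__main__":
    for label, names in (("before", CERT_BEFORE), ("after", CERT_AFTER)):
        for domain in ("domain1.com", "domain2.com"):
            print(f"{label:6} {domain:12} uncovered: {missing_names(names, domain)}")
```

Run offline it shows that the single-name certificate covers none of the hostnames a client would guess for domain2.com, and that the SAN certificate still leaves mail.domain1.com and pop.domain1.com uncovered, which is the kind of gap the "guessing" theory in the thread predicts.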

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by palinka » 2018-12-11 23:42

Virinum wrote:
2018-12-11 23:34

Is it possible your Android Gmail app is "guessing" the wrong hostnames for IMAP/SMTP/POP and that's the reason why you get a warning?
If the certificate is wrong/bad, the client will stop or ask you to ignore validation with a warning.

blackice856
New user
Posts: 6
Joined: 2018-12-11 14:53

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by blackice856 » 2018-12-12 02:20

Thanks for all the responses. I will try to address them all.
jimimaseye wrote:
2018-12-11 20:33
Run this and post the results: viewtopic.php?f=20&t=30914, as it gives the helpers an easy-to-read view.
Here is the report I got with the HMSSettingsDiagnostics script:

2018-12-11   Hmailserver: 5.6.6-B2383

DOMAINS

   "Domain1.com" - caxxxxxxxxxxx.com.pt           Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:              500   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain2.com" - crxxxx.pt                      Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain3.com" - daxxxxxxx.net                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain4.com" - faxxxxxxxxxxxx.com.pt          Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain5.com" - inxxxxxxxx.com                 Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain6.com" - mexxxxxxxx.pt                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:              500   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain7.com" - quxxxxxxxxxxx.orx              Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:              500   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain8.com" - taxxxxxxxxxxxx.com             Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:              500   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain9.com" - texx.com.pt                    Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:              500   Enabled: False   
                   Max message size:    20000                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    -  True
     External To External - False           


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


   !!  Warning:  DEFAULT DOMAIN is SET  !! - "Domain5.com"
------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:     10
                              Minutes Before Reset:           30  (0,50 hours, 0,02 days)
                              Minutes to Autoban:             30  (0,50 hours, 0,02 days)

No problems were found in the IP range configuration.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins: 60   Plain Text:        False  Bind: 
                     Host: Domain5.com         Empty sender:       True  Batch recipients:   100
Max Msg Size: 20480  Relay:-                   Incorrect endings: False  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands:  10  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:           False        Use Spamassassin:   False
  Add X-HmailServer-Spam:     True    Check HELO host:   False    
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2
  Add X-HmailServer-Subject: False    Verify DKIM:        True - 5

  Spam delete threshold: 20         Maximum message size: 1024

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 3     Result: 127.0.0.2-8|127.0.0.10-11
                    bl.spamcop.net      Score: 3     Result: 127.0.0.2
            b.barracudacentral.org      Score: 3     Result: 127.0.0.2

SURBL ENTRIES:
                   multi.surbl.org      Score: 3

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
  When found - Delete email. Notify Sender: True,  Notify Receiver: False

  Max Message Size: 0
     CLAM AV:   False
     CLAMWIN:   True       Executable: C:\Program Files (x86)\ClamWin\bin\clamscan.exe    Path: C:\ProgramData\.clamwin\db
     CUSTOMAV:  False

  Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   correio.Domain5.com
       Certificate: C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\correio.Domain5.com-chain.pem
       Private key: C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\correio.Domain5.com-key.pem
   Domain3.com
       Certificate: C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Domain3.com-chain.pem
       Private key: C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Domain3.com-key.pem
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :   True
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   None                
               0.0.0.0         / 110   / POP3   -   None                
               0.0.0.0         / 143   / IMAP   -   None                
               0.0.0.0         / 465   / SMTP   -   SSL/TLS             Cert: correio.Domain5.com
               0.0.0.0         / 993   / IMAP   -   SSL/TLS             Cert: correio.Domain5.com
               0.0.0.0         / 995   / POP3   -   SSL/TLS             Cert: correio.Domain5.com
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2018-12-11.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2018-12-11.log - !! ERRORS PRESENT !!
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -      .
                        TCPIP       -    True
                        DEBUG       -      .
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MySQL

IPv6 support is available in operating system.

Backup directory G:\Mailserver_Backup is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: F:\hMailServer\DataBase
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MYSQL
Username=          mailadmin
PasswordEncryption=1
Port=              33306
Server=            localhost
Internal=          0
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.95, Hmailserver Forum.
Virinum wrote:
2018-12-11 21:33
I recently tried to explain some examples with SSL: viewtopic.php?f=7&t=33198&p=208260#p208260
Maybe it helps you.

Also, you should include the chain certificate of Let's Encrypt, so the certificate chain is complete.
Really useful info, thanks! I think my situation relates to your first point.
mattg wrote:
2018-12-11 23:06
My Let's Encrypt certs are in the name 'mx.example.com' (and yes, use the fullchain - but I don't think that is your issue)

My SMTP >> Delivery of email >> local host name is 'example.com'
My RDNS or PTR is 'example.com'

My certs are accepted fine, by all mail clients
blackice856 wrote:
2018-12-11 15:24
I inserted my mail account credentials and then the app tries to connect there is a warning that the certificate is not valid. There is an advanced button and when I click it the error is the following: The subject of the certificate and the hostname do not match.
Which app is making the noise?
It's the Android Gmail app. I'm starting to notice a pattern here which includes RDNS or PTR and the full chain certificate. I'm not sure about the PTR record, but when I use an online reverse DNS tool the result is the hostname of the mail server. What about the chain certificate? Can you elaborate on this? I will google it but appreciate it anyway :wink:
Virinum wrote:
2018-12-11 23:34
Here are the tools I use for testing:

SMTP (Port 25, StartTLS) Mailserver to Mailserver:
https://ssl-tools.net/mailservers

IMAP/POP/SMTP for Clients (supports only SSL/TLS, not StartTLS):
https://www.sslshopper.com/ssl-checker.html
Enter something like smtp.example.com:465, pop.example.com:995 or imap.example.com:993.


Is it possible your Android Gmail app is "guessing" the wrong hostnames for IMAP/SMTP/POP and that's the reason why you get a warning?
About the hostnames for IMAP, SMTP and POP3: are they really necessary? All of these services run on the same server with the same IP. I always use mail.domain1.com on every mail client and it works!
palinka wrote:
2018-12-11 23:40
Virinum wrote:
2018-12-11 21:33
Also, you should include the chain certificate of Let's Encrypt, so the certificate chain is complete.
This for sure. I'm not even sure you'll get anything to work properly without this.

Also, I could be mistaken, but this seems like a simple case of mistaken identity. Try this: make a new certificate that includes all domains that you're using. LE is capable of SAN certificates by default.

For example, my certificate contains domain1.com, mail.domain1.com, smtp.domain1.com, autodiscover, imap, pop, etc., etc., plus all the same for every other domain. All that is loaded into one SAN certificate. Then the chain certificate is used in hMailServer.
I have read and thought about this, but I'm struggling to install another tool to manage my certificates because the one I'm currently using does not allow manually creating SAN certificates.

However, I have created another certificate for domain2.com and used it on hMailServer, but the error persists!

I will give more updates when I can get the new tool to work. Thanks for all the help!

palinka
Senior user
Posts: 1915
Joined: 2017-09-12 17:57

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by palinka » 2018-12-12 03:55

blackice856 wrote:
2018-12-12 02:20

About the hostnames for IMAP, SMTP and POP3: are they really necessary? All of these services run on the same server with the same IP. I always use mail.domain1.com on every mail client and it works!

They're not necessary. The advantage is when you give someone a mailbox, you give them an email address and password. Then they go to set up their shiny new email in their client. The client will oftentimes suggest possible server connection information based on the domain of the email address which is preceded by "smtp.", "imap.", etc. If those things fail because the user doesn't know any better, then the user will throw the keyboard and curse you. But if those domains exist and you have a certificate for them, the client will connect and the user won't know any different or care - nor will he curse you and throw things.

Have a look at this for SAN certificate creation.
https://hmailserver.com/forum/viewtopic ... 21&t=32593

Virinum
Normal user
Posts: 69
Joined: 2018-11-23 14:42
Location: Germany

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by Virinum » 2018-12-12 09:50

palinka wrote:
2018-12-11 23:40
Virinum wrote:
2018-12-11 21:33
Also, you should include the chain certificate of Let's Encrypt, so the certificate chain is complete.
This for sure. I'm not even sure you'll get anything to work properly without this.
It would work on devices which have the intermediate certificate of Let's Encrypt in store.
blackice856 wrote:
2018-12-12 02:20
Here is the report I got with the HMSSettingsDiagnostics script:
It already looks like you're using the chain certificate (correio.Domain5.com-chain.pem). So this shouldn't be the problem.

This won't be the problem, but you should change your TCP/IP ports to the table at the bottom of this page: https://www.hmailserver.com/documentati ... to_install
E.g. Port 25 with StartTLS (Optional).

Let's Encrypt isn't compatible with all devices. What Android smartphone do you have? Have a look at this page: https://letsencrypt.org/docs/certificate-compatibility/

Next idea: Do you have a wildcard in your DNS pointing to your server? Or in other words: are you sure the Android Gmail app is using the correct hostname for the connection?

The simplest way would be if you tell us your domain. But give us this information only if you really want to.

For the certificates I'm using https://github.com/PKISharp/win-acme.
Remember to restart hMailServer when changing the certificate files. Otherwise hMailServer won't notice the change.

jimimaseye
Moderator
Posts: 8518
Joined: 2011-09-08 17:48

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by jimimaseye » 2018-12-12 10:12

Unrelated to your problem, but you might want to review and apply viewtopic.php?f=21&t=26829 for your AV. You'll see a massive difference in performance.


and:

LOGGING      Logging Enabled: True

  Paths:-
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2018-12-11.log - !! ERRORS PRESENT !!
What are the contents of the error file? (This may help you.)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

blackice856
New user
Posts: 6
Joined: 2018-12-11 14:53

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by blackice856 » 2018-12-12 15:33

palinka wrote:
2018-12-12 03:55

They're not necessary. The advantage is when you give someone a mailbox, you give them an email address and password. Then they go to set up their shiny new email in their client. The client will oftentimes suggest possible server connection information based on the domain of the email address which is preceded by "smtp.", "imap.", etc. If those things fail because the user doesn't know any better, then the user will throw the keyboard and curse you. But if those domains exist and you have a certificate for them, the client will connect and the user won't know any different or care - nor will he curse you and throw things.

Have a look at this for SAN certificate creation.
https://hmailserver.com/forum/viewtopic ... 21&t=32593
OK, thanks for the tip. I already inserted those records in my DNS console and they are pointing to the mail server. I followed that post before to create my first certificate but didn't know about SAN certificates yet. I thought the only way possible to create them was with the IIS option!
Virinum wrote:
2018-12-12 09:50
It would work on devices which have the intermediate certificate of Let's Encrypt in store.

This won't be the problem, but you should change your TCP/IP ports to the table at the bottom of this page: https://www.hmailserver.com/documentati ... to_install
E.g. Port 25 with StartTLS (Optional).

Let's Encrypt isn't compatible with all devices. What Android smartphone do you have? Have a look at this page: https://letsencrypt.org/docs/certificate-compatibility/

Next idea: Do you have a wildcard in your DNS pointing to your server? Or in other words: are you sure the Android Gmail app is using the correct hostname for the connection?
About the TCP/IP ports, thanks for another tip! I will change that later because I think I need to gather a little bit more knowledge about StartTLS. Basically it "upgrades" the connection by trying to use TLS/SSL to secure the data flow. I guess that using IMAP and POP3 with StartTLS (Required) means that when the connection is made on those ports the connection MUST be upgraded or else it won't start, right? I just want to be sure that everything is working fine with TLS/SSL before making such a change. I completely ignored StartTLS before because encryption wasn't necessary.

I don't think I can create wildcard DNS records (my DNS management console is a bit limited), but that would solve the problem @palinka was talking about, right?
If the app tries to guess the hostnames with something like smtp.domain1.com, and the record does not exist, would it point to domain1.com and connect successfully?
jimimaseye wrote:
2018-12-12 10:12
Unrelated to your problem, but you might want to review and apply viewtopic.php?f=21&t=26829 for your AV. You'll see a massive difference in performance.


and:

LOGGING      Logging Enabled: True

  Paths:-
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2018-12-11.log - !! ERRORS PRESENT !!
What are the contents of the error file? (This may help you.)
Thanks for the tip as well; it's something I will look into when I get this issue solved.

"ERROR"	2896	"2018-12-11 23:19:27.937"	"Severity: 3 (Medium), Code: HM5400, Source: ProcessLauncher::Launch, Description: A launched process did not exit within an expected time. The command line is C:\Program Files (x86)\ClamWin\bin\clamscan.exe --database="C:\ProgramData\.clamwin\db" "{6E3A6ABF-8CD8-4EBD-9C21-0DBEFB26BF81}.tmp" --tempdir="C:\Program Files (x86)\hMailServer\Temp". The timeout occurred after 20000 milliseconds. hMailServer will continue to wait for process to finish."
I guess this is related to the AV optimization you were talking about. Definitely something to look into!

Thanks again guys I will create the SAN certificates and post more updates!

blackice856
New user
Posts: 6
Joined: 2018-12-11 14:53

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by blackice856 » 2018-12-12 16:13

Guys, you are all awesome. Thanks a lot, I have worked it out.

The problem was with the certificate obviously. I created a SAN certificate with all the domains: domain2, smtp.domain1.com, pop3.domain1.com, imap.domain1.com, domain1.com

I used domain2.com (this is the main one for our company) as the certificate's common name.

Now when I try to configure the Android Gmail app with an account from domain2 or domain1 it works flawlessly with no errors. The app suggests domain2.com as the hostname, but it works out because the mail server and web server are both at the same address (something to improve later with more $$). Just in case they were on separate servers: if I put an MX record in domain2.com pointing to mail.domain1.com, would it solve the problem?

I confirm in the headers that the email is sent with TLSv1.2, so I think mission accomplished!

Just a few more questions:

If I change the default POP3 and IMAP ports to StartTLS(Required), is it necessary to make any changes in the clients' mail client?

Why not StartTLS(Required) for the default SMTP port too? I know this is a simple protocol but shouldn't the sending of email be forced to be encrypted too?

Thanks again for all of your effort, I hope this post can be helpful to others as much it was for me! :D
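
The check the Gmail app was failing is the certificate name match. As an added example (not hMailServer's code and not anything posted in this thread), the script below re-implements that check over a minimal CN-plus-SAN description of a certificate instead of parsing real X.509, so it runs offline; the certificates and hostnames are constructed from the placeholder names used in the posts above, and it reports which hostnames a given SAN list leaves uncovered.

```python
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity fields a mail client compares against the hostname it dialled."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (possibly '*.example.com') against a hostname.

    Follows RFC 6125 section 6.4.3: case-insensitive, a wildcard may only
    be the whole left-most label, and it covers exactly one label (so
    '*.domain1.com' matches neither 'domain1.com' nor 'a.b.domain1.com').
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """True when the cert covers hostname: SAN names if any, else the CN."""
    names = cert.san_dns if cert.san_dns else [cert.common_name]
    return any(name_matches(n, hostname) for n in names)


def uncovered_hosts(cert: CertNames, hosts: list[str]) -> list[str]:
    """Hostnames from the list that the certificate does not cover."""
    return [h for h in hosts if not hostname_matches(cert, h)]


# Constructed sample data following the thread: the original single-name
# certificate and the SAN list the poster reported issuing afterwards.
OLD_CERT = CertNames(common_name="mail.domain1.com")
NEW_CERT = CertNames(common_name="domain2.com",
                     san_dns=["domain2.com", "smtp.domain1.com", "pop3.domain1.com",
                              "imap.domain1.com", "domain1.com"])
# Hostnames clients were given (the MX name) or may guess from the address.
CLIENT_HOSTS = ["mail.domain1.com", "domain2.com", "smtp.domain1.com",
                "imap.domain1.com", "domain1.com", "Mail.Domain1.COM."]

if __name__ == "__main__":
    print("old cert misses:", uncovered_hosts(OLD_CERT, CLIENT_HOSTS))
    print("new cert misses:", uncovered_hosts(NEW_CERT, CLIENT_HOSTS))
```

Note that with the constructed SAN list the original MX name mail.domain1.com is no longer covered, so any Outlook profile still pointed at that name would start failing the same check; a SAN certificate needs every hostname clients actually dial.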

Virinum
Normal user
Posts: 69
Joined: 2018-11-23 14:42
Location: Germany

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by Virinum » 2018-12-12 17:13

blackice856 wrote:
2018-12-12 16:13
If I change the default POP3 and IMAP ports to StartTLS(Required) is it necessary to make any changes in the clients mail client?
I'm not quite sure. I think it depends on the client. But chances are high it will work without changes.
blackice856 wrote:
2018-12-12 16:13
Why not StartTLS(Required) for the default SMTP port too? I know this is a simple protocol but shouldn't the sending of email be forced to be encrypted too?
There are a lot of mail servers out there which can't handle TLS. If you choose StartTLS(Required) these servers are not able to deliver mails to your server anymore.

mattg
Moderator
Posts: 20788
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by mattg » 2018-12-12 23:16

blackice856 wrote:
2018-12-12 15:33
If the app tries to guess the hostnames with something like smtp.domain1.com, and the record does not exist, it would point to domain1.com and connect successfully?
Autoconfigure >> http://www.hmailserver.com/forum/viewto ... 21&t=31549
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

blackice856
New user
Posts: 6
Joined: 2018-12-11 14:53

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by blackice856 » 2018-12-13 00:47

Virinum wrote:
2018-12-12 17:13
blackice856 wrote:
2018-12-12 16:13
If I change the default POP3 and IMAP ports to StartTLS(Required) is it necessary to make any changes in the clients mail client?
I'm not quite sure. I think it depends on the client. But chances are high it will work without changes.
Well it works for the hostnames in the certificate!

blackice856
New user
Posts: 6
Joined: 2018-12-11 14:53

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by blackice856 » 2018-12-13 03:09

Guys, just one more question, because I think it's not worth opening another thread for this.

I'm using roundcube as webmail client and I'm having problems with the StartTLS protocol. I used HTTPS to secure the connection on the webmail client. Should I use SSL/TLS to secure the connection between roundcube and hMailServer? I don't think it's necessary because they are both in the same secured network. What is your opinion on that?

mattg
Moderator
Posts: 20788
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by mattg » 2018-12-13 07:33

Easy as

I use something like
$config['default_host'] = 'tls://10.10.10.150';
$config['smtp_server'] = 'tls://10.10.10.150';
$config['smtp_port'] = 587;

It means that I can enforce SSL connections for my hMailserver for all connections
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Virinum
Normal user
Posts: 69
Joined: 2018-11-23 14:42
Location: Germany

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by Virinum » 2018-12-13 07:51

I’ve created two (actually four because I also use IPv6) extra TCP/IP Ports:

1: SMTP / 127.0.0.1 / 587 / StartTLS (optional)
2: IMAP / 127.0.0.1 / 143 / StartTLS (optional)
3: SMTP / ::1 / 587 / StartTLS (optional)
4: IMAP / ::1 / 143 / StartTLS (optional)

So localhost can use TLS but doesn’t have to.

Also have a look at "potential problems" here: https://www.hmailserver.com/documentati ... ce_autoban
I once had this problem.

mattg
Moderator
Posts: 20788
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL - Gmail certificate Subject and hostname mismatch

Post by mattg » 2018-12-13 08:33

That problem can happen with or without SSL

And the solution is really easy - just make the IP range have a priority higher than 20 (like say 25) and the autoban will never override it...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
