TLS error from gmail when trying to retrieve email for an account linked to a gmail account

Hi Guys and Happy New Year!

Came across something interesting and thought I should share it with you.

This is on a mail server - been in production for quite a while and running rock solid - we use Let's Encrypt SSL and the cert automatically renewed 1/1/21. On the 2nd we had a client contact us stating all their email accounts at gmail could no longer send email through their accounts hosted with us.

(If you log into your gmail account you will find what I am referring to under Settings (gear icon top right) -> See All Settings -> Accounts and Import -> Check mail from other accounts)

The error was: Server returned an error: "TLS Negotiation failed, the certificate doesn't match the host., code: 0"

Clearly related to the new cert on 1/1/21 since nothing else had changed. My original main.cf had the following:

smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem

Those 3 files are located in /etc/postfix/ and were correctly updated with the certificate renewal.

The change I had to make to satisfy gmail was to give them a "fullchain" cert that included intermediaries, so I ran cat /home/mail08.dashsystems.com/ssl.combined > /etc/postfix/postfix.combined.pem and changed to smtpd_tls_cert_file = /etc/postfix/postfix.combined.pem.

The gmail accounts worked again - wanted to let you know so you can add the "combined" file to postfix on certificate renewals.

If you need any other info let me know!
-- Craig

Status: Active
Virtualmin version: 6.14
Webmin version: 1.962
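
A check for the condition described in the report above, as an added example that is not part of the original post or of Virtualmin: it reads smtpd_tls_cert_file from a main.cf and reports whether that file holds only one PEM certificate or a chain like the "combined" file. The function names and the sample files (placeholder PEM blocks written to a temporary directory) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Print the last value assigned to parameter $2 in the main.cf file $1.
main_cf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Count the PEM certificate blocks in file $1 (prints 0 when there are none).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Report whether the file named by smtpd_tls_cert_file holds a chain or one cert.
check_postfix_chain() {
    cert=$(main_cf_value "$1" smtpd_tls_cert_file)
    if [ -z "$cert" ]; then echo "unset"; return 2; fi
    if [ ! -r "$cert" ]; then echo "unreadable: $cert"; return 2; fi
    n=$(count_pem_certs "$cert")
    if [ "$n" -ge 2 ]; then
        echo "chain (certificates: $n)"
    else
        echo "leaf-only (certificates: $n)"
        return 1
    fi
}

# Constructed sample data: placeholder PEM blocks, not real certificates.
pem_block() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}
make_samples() {
    pem_block 'Q09OU1RSVUNURUQgTEVBRg==' > "$1/postfix.cert.pem"
    { pem_block 'Q09OU1RSVUNURUQgTEVBRg=='; pem_block 'Q09OU1RSVUNURUQgSU5U'; } \
        > "$1/postfix.combined.pem"
    printf 'smtpd_tls_cert_file = %s\n' "$1/postfix.cert.pem" > "$1/before.cf"
    printf 'smtpd_tls_cert_file = %s\n' "$1/postfix.combined.pem" > "$1/after.cf"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_postfix_chain "$demo_dir/before.cf" || true
check_postfix_chain "$demo_dir/after.cf"
rm -rf "$demo_dir"
```

On a real server the function would be pointed at /etc/postfix/main.cf after each renewal; a non-zero exit status means the configured file carries no intermediate certificates.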

Comments

So did your Let's Encrypt cert renew on 1/1/21? If so, do you have the certbot command installed on your system?

Yes, renewed on 1/1/21.

Just a regular installation of virtualmin installed probably a couple years ago... certbot is not installed.

Submitted by Ilia on Mon, 01/04/2021 - 14:47

Please install certbot command and re-request Let's Encrypt certificate.