Gmail issues with TLS MercuryMail

Hello! I have an XAMPP server on Win10 running the updated Mercury/32 v4.8.
DOMAIN - https://www.jvond.com
My Let's Encrypt certificates seem to work just fine on my sites and server but I've been having trouble with my email server and gmail.
I'm able to receive email into my SMTP with SSL enabled from all apps BUT Gmail. Gmail rejects it at the STARTTLS. I can get Gmail to work with insecure settings, but then I'm flagged by the main servers: Yahoo will temporarily defer me for 24 hours and Gmail will spam-box everything, so I'm desperate to run secure headers, at least.

I have multiple domains on my server so I tried to make a dedicated certificate for mail.jvond.com to see if that would help, and it's still getting rejected by Gmail. Here's an image of my server stats. You can see Gmail making multiple attempts to deliver queued test msgs, and below those is a Yahoo msg that made it through and delivered.


I've actually been in a troubleshooting email chain with Dave, the Mercury dev, about this issue, and as we progressed he did recommend a different CA, but I'd prefer to use Let's Encrypt.
I'm not a dev at all, more like a butthead.
Any suggestions or help is much appreciated. I'll be sure to help others in the process. :slightly_smiling_face: Thanks! ~J

1 Like

Hi @JVonD

I don't know how Mercury works.

But checking your mail.jvond.com - ports 25, 465, 587 with OpenSSL, there is no certificate.

So the Gmail result is expected.

PS: See your screenshot: Perhaps you should first create a self-signed certificate, then check if that self-signed one is used. If yes, upgrade. See the description of "Certificate creation and management".

2 Likes

Thank you so much for your reply JuergenAuer. I really appreciate great ppl like you and David from Mercury for trying to help me.
I removed the PEM from Let's Encrypt and made a self-signed version, and I was able to send mail out with my SquirrelMail, and it actually says it's TLS. Stoked!!
Then I try and test it with some others and they don't like it. Here's Gmail's msg:


And the SSL Tools checker doesn't like it either.
I'm just clueless. Bad handshake possibly?
I don't know if I need to do something different with Let's Encrypt or if I can use the same certificate that my server is using for the websites.
David was saying that his team got Mercury to work with Let's Encrypt but I'm having trouble figuring out what exactly I'm doing wrong. It might be so basic that it is nothing for a Dev guy. Something that might take a dev 1min would take me years to figure out.
Thanks again!
I just don't want to depend on google or other big tech anymore and would love my own email on my own server.

1 Like

I did some work on this a while ago: Tutorial - Testing Mail Protocols with SSL/TLS

The key thing to understand is what protocols you are trying to use where (which is what I am not sure of).

but I've been having trouble with my email server and gmail.

I don't understand this. Are you using gmail to forward emails to your SMTP server?

If so, here are the checks to run:

openssl s_client -connect mail.jvond.com:25 -starttls smtp -tls1_2
openssl s_client -connect mail.jvond.com:587 -tls1_2
openssl s_client -connect mail.jvond.com:587 -starttls smtp -tls1_2
openssl s_client -connect mail.jvond.com:465 -tls1_2

As pointed out before none of these servers are currently creating an SSL connection.

SMTP has had many revisions, which is why you need to be careful which port you use.

I think Google would prefer port 465 to be open, which is SMTP with SSL by default.

2 Likes

Don't forget to add -servername for a slightly more realistic test in general (since the OpenSSL client can then send SNI, like most other TLS clients do).

2 Likes
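To make the checks above repeatable, here is an added example script (not from anyone in this thread, and not part of Mercury or the linked tutorial) that builds the four probes with `-servername` set for SNI, as Andrei suggests, and classifies what `openssl s_client` reports: no certificate presented, handshake failure, trusted certificate, or self-signed certificate. The host `mail.jvond.com` and the sample outputs embedded below are taken from or modelled on this thread; the sample outputs are constructed and are what the classifier is exercised against when probes are not run.

```shell
#!/bin/sh
# Added example: probe SMTP ports for TLS the way the thread recommends.
# Assumes openssl(1) is installed when RUN_PROBES=1; otherwise only the
# constructed samples below are classified.
set -u

HOST="${1:-mail.jvond.com}"   # host under discussion in the thread

# Build the s_client command for a port: implicit TLS on 465,
# STARTTLS on 25 and 587. -servername sends SNI like real clients do.
build_probe() {
  host="$1"; port="$2"
  case "$port" in
    465) printf 'openssl s_client -connect %s:%s -servername %s -tls1_2' \
           "$host" "$port" "$host" ;;
    *)   printf 'openssl s_client -connect %s:%s -servername %s -starttls smtp -tls1_2' \
           "$host" "$port" "$host" ;;
  esac
}

# Classify captured s_client output. Order matters: a successful
# handshake also prints "Verify return code", so failures are tested first.
classify_output() {
  out="$1"
  if   printf '%s' "$out" | grep -qi 'connect:errno\|connection refused'; then
    echo CONNECT_FAILED
  elif printf '%s' "$out" | grep -q 'no peer certificate available'; then
    echo NO_CERT                      # server answered, but offered no cert
  elif printf '%s' "$out" | grep -qi 'alert[ _]handshake[ _]failure'; then
    echo HANDSHAKE_FAILURE            # alert 40, as in the Gmail bounce text
  elif printf '%s' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo OK_TRUSTED
  elif printf '%s' "$out" | grep -q 'Verify return code: 18 '; then
    echo OK_SELF_SIGNED               # cert served, but not CA-signed
  elif printf '%s' "$out" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
    echo CERT_PRESENT_UNVERIFIED
  else
    echo UNKNOWN
  fi
}

# Run one probe and classify it (network access required).
probe_port() {
  cmd="$(build_probe "$1" "$2") </dev/null 2>&1"
  classify_output "$(eval "$cmd")"
}

# Constructed sample outputs, modelled on OpenSSL s_client and on the
# BoringSSL error text quoted later in this thread.
SAMPLE_NO_CERT='CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent'

SAMPLE_GMAIL_ALERT='starttls error (71): error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:tls_record.cc:594:SSL alert number 40'

SAMPLE_SELF_SIGNED='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIC...constructed...
-----END CERTIFICATE-----
subject=CN = mail.jvond.com
issuer=CN = mail.jvond.com
Verify return code: 18 (self signed certificate)'

if [ "${RUN_PROBES:-0}" = 1 ]; then
  for p in 25 587 465; do
    printf '%s:%s -> %s\n' "$HOST" "$p" "$(probe_port "$HOST" "$p")"
  done
else
  printf 'sample NO_CERT      -> %s\n' "$(classify_output "$SAMPLE_NO_CERT")"
  printf 'sample GMAIL_ALERT  -> %s\n' "$(classify_output "$SAMPLE_GMAIL_ALERT")"
  printf 'sample SELF_SIGNED  -> %s\n' "$(classify_output "$SAMPLE_SELF_SIGNED")"
fi
```

Run `RUN_PROBES=1 sh smtp_tls_probe.sh mail.jvond.com` to test a live server; without `RUN_PROBES` it only classifies the embedded samples. `NO_CERT` on every port matches what JuergenAuer reported and means the server never reached a TLS handshake; `OK_SELF_SIGNED` is the state the original poster later reached, which proves the certificate is loaded but will still fail strict clients until a CA-issued certificate replaces it.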

yup was just fixing that up

@JVonD

Here is an example of my mail server provider with SMTP configured (they use Let's Encrypt, btw).

1 Like

@JVonD -- I suspect that you may need to bundle your certificate and private key in a format like PFX.

I haven't been able to find any manuals for MercuryMail; however, given that in the configs there is only one setting, that makes me suspicious that this is the missing piece of the puzzle.

Other mail servers I have worked with have 2x configs (one for the certificate and one for the private key). The fact there is no mention of a private key and handshakes aren't happening is puzzling.

Can you create the self-signed certificate and let us know what the path looks like?

If it's a format like PFX then you will need an extra step.

2 Likes

Thanks again guys! I learnt a lot, ahaw021 and Andrei. The tutorial is great!
My problem is I don't have the brain to even figure out how to get the script to work. :grimacing:
My Let's Encrypt key looks similar to yours when I open it in Notepad++, but I don't know if I need to have it signed differently by Let's Encrypt or what.
Although I would like to be able to route email through Gmail, at this point I just want my own email to work. Here's the error from me sending a msg from Gmail to my server:

TLS Negotiation failed: FAILED_PRECONDITION: starttls error (71): 7622310993928:error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:third_party/openssl/boringssl/src/ssl/tls_record.cc:594:SSL alert number 40 ;7622310993928:error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO:third_party/openssl/boringssl/src/ssl/handshake.cc:603

I did try the openssl codes in my XAMPP shell and they worked.
But I don't know the first thing about fixing the problems. Have a good laugh..


I'm clueless and lost (aka: meathead). I just need to pay someone willing to conference with me for a bit and tell me what I'm doing wrong.
If you know of any other tutorials that might help or if someone wants to conference please let me know?
I'm so burnt out... :frowning_face:

2 Likes

Thanks again for all the great info. Although I wasn't able to figure out how to use Let's Encrypt's certificate, I was able to get Gmail to send through Mercury via STARTTLS with a self-signed certificate. Gmail was known for rejecting self-signed certificates in the past, but this new version of Mercury (v4.8) must be doing a better job at creating one.

2 Likes