Postfix "requested domain name does not match the server’s certificate"

My domain is:
mail.unofficial-tesla-tech.com

I ran this command:
Tried to send an email.

It produced this output:
Sending of the message failed.
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
The configuration related to mail.unofficial-tesla-tech.com must be corrected.

My web server is (include version):
Postfix 3.5.7 1.gf.el7

The operating system my web server runs on is (include version):
CentOS 7.6

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.9.0

Looking at the cert it was just renewed and is current. This is the first time I've tried to send an email since the change. Been running this system for over a year and it's been fine until now.


Hi @Quantum

the wrong result is expected. Checking your SMTP port 25 there is a certificate with mail.quantum-equities.com, so the domain name is wrong.

  • Use that domain name to connect (or)
  • check, if your mail client supports SNI, so you can create an additional vHosts with a different certificate (or)
  • create one certificate with both domain names
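The reply above hinges on two questions a practitioner wants to answer before touching the Postfix config: which names the certificate presented on the submission port actually carries, and whether the server presents a different certificate when the client sends a different SNI name. The following script is an added example, not code from the thread or from Postfix. It performs the STARTTLS handshake by hand so the SNI name can be chosen independently of the host connected to, then applies the same subjectAltName matching an MUA such as Thunderbird does (exact match, or a single-label wildcard as per RFC 6125). The hostnames in the constructed sample certificates mirror the thread; `diag.example` and the function names are assumptions.

```python
"""Diagnose a 'domain name does not match the server's certificate' error on
an SMTP submission port.  Added example; not part of the original thread.

Two pieces:
  * match_hostname_sans(): the name check an MUA performs after STARTTLS,
    run against a certificate dict in the shape ssl.getpeercert() returns.
  * fetch_submission_cert(): connect to port 587, issue EHLO/STARTTLS, and
    wrap the socket with an explicit SNI name, so you can see whether the
    server hands out a different certificate per requested name.
"""
import socket
import ssl


def san_dns_names(cert):
    """Return the lower-cased dNSName entries of a getpeercert()-style dict."""
    return [value.lower() for (kind, value) in cert.get("subjectAltName", ())
            if kind == "DNS"]


def _name_matches(pattern, hostname):
    """RFC 6125 style comparison: exact match, or '*.' covering one left label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def match_hostname_sans(cert, hostname):
    """True if any SAN dNSName in `cert` covers `hostname` (what the MUA checks)."""
    return any(_name_matches(p, hostname) for p in san_dns_names(cert))


def fetch_submission_cert(host, sni_name, port=587, timeout=10):
    """Open a STARTTLS session to host:port, sending `sni_name` as SNI, and
    return the server certificate as a dict.  The chain is still verified
    against the system CA store (so getpeercert() is populated); only the
    hostname check is disabled, because that is the check we do ourselves."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False

    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")

        def expect(code):
            # Consume a (possibly multi-line) SMTP reply and require `code`.
            while True:
                line = reader.readline().decode("utf-8", "replace")
                if not line.startswith(code):
                    raise RuntimeError("unexpected SMTP reply: " + line.strip())
                if line[3:4] != "-":      # "250 " ends the reply, "250-" continues
                    return

        expect("220")                                     # server greeting
        sock.sendall(b"EHLO diag.example\r\n")            # assumed client name
        expect("250")
        sock.sendall(b"STARTTLS\r\n")
        expect("220")                                     # server ready for TLS
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert()


def diagnose(host, sni_name, port=587):
    """Report the SANs presented for `sni_name` and whether the name matches."""
    cert = fetch_submission_cert(host, sni_name, port)
    return {"requested": sni_name,
            "presented": san_dns_names(cert),
            "matches": match_hostname_sans(cert, sni_name)}


if __name__ == "__main__":
    import json
    import sys
    # usage: python diag.py mail.example.com [sni-name-to-request]
    target = sys.argv[1]
    requested = sys.argv[2] if len(sys.argv) > 2 else target
    print(json.dumps(diagnose(target, requested), indent=2))
```

Run it once with the name Thunderbird uses and once with the name the first reply saw on port 25; if `presented` is identical for both, the server is not doing per-name certificate selection for that port, and the fix is either a certificate listing both names or a Postfix-side SNI map. The same check from the command line is `openssl s_client -starttls smtp -servername <name> -connect <host>:587`, which prints the certificate the server chose for that SNI name.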

Oh dear. Indeed quantum-equities is the main mail server, but I don't understand why it worked before? I do have a cert for mail.unofficial-tesla-tech.com.

And I don't understand why in postfix, setting virtual-mailbox-domains suddenly doesn't work?


I'm not sure you can use SMTP with multiple certificates as is done with web services (using SNI).
The email server should only need one cert, to match the one name.
That one name can serve many domains - the extreme example is Gmail; which serves millions of domains. I can't imagine them having to load millions of certificates to do that.


I don't understand how it worked until the automatic cert update. And why it no longer works, with virtual-mailbox-domains.

If a virtual-mailbox-domain is set, and the cert is set to one of those domains, it should work; like it used to.


Is it possible that your previous certificate listed both names?

I believe the rule that MTAs use is that the certificate should match the name of the target of the DNS MX record. But are you looking at a submission by an MUA here? Which MUA, port, and protocol?


Hello schoen, there's been no change to my cert. It just renewed automatically like my other 5 certs, and two other of those are for email, each of which is still working. One of those is a virtual mailbox domain like unofficial-tesla-tech.

I can't post a screenshot here, but my MUA is Thunderbird v 78.3.1 (64-bit). It sends through port 587 (StartTLS) to mail.unofficial-tesla-tech.com, which is at my OpenStack instance running self-rolled Postfix, Dovecot, and a number of milters.

MUA is Thunderbird

Yes, it looks like your previous certs also covered the same name—so that's kind of strange, isn't it?

Is there a Thunderbird forum? Maybe the Thunderbird community would have a better instinct about possible causes for this issue. (I understand that the cert renewal seemed to prompt the problem, but we also see that it doesn't look like the cert itself changed in any relevant way.)


I am trying very hard now to learn SilverBlue so I can switch over to that, some weekend. Maybe that will reveal something in the process.