SSL error when connecting to mail server

mediamix · May 13, 2018, 12:10pm

I am using Lets Encrypt to issue SSL certificates on my Ubuntu 16.04 server that uses ispconfig.

When I add an email account to Thunderbird email client I get the following message:

This site attempts to identify itself with incorrect information
Wrong Site

If I view the certificate Thunderbird reports that the certificate is issued to and issued by is
Common Name is ubuntu-1.mediamix-nj.com
Organization is Servisys di Temporini Matteo

If I do an SSL test using www.ssllabs.com on mmix.net, ubuntu-1.mediamix-nj.com or mediamix-nj.com I see the correct organization of MediaMix

Any idea of what is wrong?

Thanks in advance for your help.

Osiris · May 13, 2018, 12:17pm

What is the hostname you're using and for which protocol? SMTP or IMAP or POP3?

But SSLLabs only tests for port 443, i.e., HTTPS. Not IMAP or SMTP.

When I connect to mmix.net:25 with STARTTLS, I get a self signed certificate:

Certificate chain
 0 s:/C=IT/ST=Italy/L=Udine/O=Servisys di Temporini Matteo/OU=IT department/CN=ubuntu-1.mediamix-nj.com
   i:/C=IT/ST=Italy/L=Udine/O=Servisys di Temporini Matteo/OU=IT department/CN=ubuntu-1.mediamix-nj.com

And not your valid Let's Encrypt certificate(s).

rg305 · May 13, 2018, 12:18pm

SSL Labs tests against port 443.
Thunderbird opens connections for POP (110 or 995), IMAP (143 or 993), and SMTP (25, 465, or 587).

So, your web server and your email server are using two different certs on two (or more) different ports.

See:
openssl s_client -connect mmix.net:143 -starttls imap
openssl s_client -connect mmix.net:465
openssl s_client -connect mmix.net:587 -starttls smtp
openssl s_client -connect mmix.net:993
openssl s_client -connect mmix.net:995

as opposed to:
openssl s_client -connect mmix.net:443 -servername mmix.net

So the LE cert is there, it just needs to be used by your email server.

mediamix · May 13, 2018, 1:21pm

Thanks for taking the time to reply with the reason for the problem.
Any advice on how to fix it?

Thanks again

rg305 · May 13, 2018, 1:47pm

Lookup how to add a certificate into the email server software you are using.
The ceritificate files can be found at:
/etc/letsencrypt/live/<cert name>/

system · June 12, 2018, 1:47pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.