WEIRD: Gmail POP3 client suddenly refusing to play with my cert

My domain is: smtp.hatters.org.uk

I ran this command: certbot certificates

It produced this output:

Found the following certs:
  Certificate Name: smtp.hatters.org.uk
    Domains: smtp.hatters.org.uk imap.hatters.org.uk pop.hatters.org.uk pop3.hatters.org.uk postfix.hatters.org.uk
    Expiry Date: 2018-10-28 18:47:04+00:00 (VALID: 70 days)
    Certificate Path: /etc/letsencrypt/live/smtp.hatters.org.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/smtp.hatters.org.uk/privkey.pem

My web server is (include version): none (LE standalone)

The operating system my web server runs on is (include version): Ubuntu 16.04.5

My hosting provider, if applicable, is: Jump Networks UK

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no


I've been using a standalone cert for my mail server for the past year or more, until I did a reboot for a kernel update yesterday. Since then, people using Gmail as a POP3 client to pick up mail from the server are being timed out.

If they use the login details they used before (smtp.hatters.org.uk using SSL over port 995) they get a message:

Server returned error: "Connection timed out: There may be a problem with the settings you added. Please contact your other email provider to verify the correct server name and port."

And I don't see anything in the logs on the server.

If I try the IP address instead, it shows the message:

Server returned error: "SSL error: ok IP address "185.73.44.60" not found in SANs Valid hostnames: ,imap.hatters.org.uk,pop.hatters.org.uk,pop3.hatters.org.uk,postfix.hatters.org.uk,smtp.hatters.org.uk"

And I see this in the log on the server:

Aug 19 09:15:00 lorina dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=209.85.213.129, lip=185.73.44.60, TLS: Disconnected, session=<7gqcY8VzhYvRVdWB>

If the reboot of the mail server has changed something (it was for a kernel update), I can't tell what. And we've done reboots in the past without problems.

I can also connect OK using Thunderbird to a test account. So has Google changed something? Do I need to add the IP address to the list of hostnames as the error implies? That seems odd.

Does anyone know what's going on here?

You’ve got an IPv6 address on smtp.hatters.org.uk:

smtp.hatters.org.uk. 3600 IN CNAME lorina.hatters.org.uk.
lorina.hatters.org.uk. 3600 IN AAAA 2001:ba8:0:2c38::3c

But I can’t connect to that IP address on port 110 nor 995.

Probably the issue. Everything over IPv4 works nicely.

3 Likes

Wow! IPv6 never occurred to me. Maybe some network issue since the reboot then. Will investigate. Thanks!

1 Like
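The diagnosis in the reply above (an AAAA record is published, but nothing answers on that address) can be checked per address family. The following is an added example, not part of the original thread: it resolves every A and AAAA address for a name and attempts a TLS handshake on port 995 against each one, verifying the certificate against the hostname. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import socket
import ssl
import sys

FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def resolve(host, port):
    """Every A and AAAA address a client may pick for host, as (family, address)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({(FAMILIES[fam], sa[0]) for fam, _, _, _, sa in infos if fam in FAMILIES})

def probe(addr, port, server_name, timeout=5.0):
    """TCP connect plus TLS handshake to one literal address; cert checked against server_name."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return "ok " + tls.version()
    except OSError as exc:  # covers timeouts, refusals and ssl.SSLError
        return "FAIL %s: %s" % (type(exc).__name__, exc)

def check(host, port, resolver=resolve, prober=probe):
    """Probe every resolved address; returns [(family, address, result), ...]."""
    return [(fam, addr, prober(addr, port, host)) for fam, addr in resolver(host, port)]

def broken_families(results):
    """Families whose addresses all failed while some other family answered."""
    ok = {fam for fam, _, res in results if res.startswith("ok")}
    bad = {fam for fam, _, res in results if not res.startswith("ok")}
    return sorted(bad - ok) if ok else []

if __name__ == "__main__":
    # Constructed sample (documentation addresses), used when no hostname is given.
    sample = [("IPv4", "192.0.2.10", "ok TLSv1.2"),
              ("IPv6", "2001:db8::3c", "FAIL TimeoutError: timed out")]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 995
    results = check(sys.argv[1], port) if len(sys.argv) > 1 else sample
    for fam, addr, res in results:
        print("%-4s %-40s %s" % (fam, addr, res))
    for fam in broken_families(results):
        print("%s is published in DNS but does not answer on port %d" % (fam, port))
```

A client that prefers IPv6 will hit the dead address first and time out, while an IPv4-only client connects normally, which matches the Gmail and Thunderbird behaviour described in the question.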
