WEIRD: Gmail POP3 client suddenly refusing to play with my cert


#1

My domain is: smtp.hatters.org.uk

I ran this command: certbot certificates

It produced this output:

Found the following certs:
  Certificate Name: smtp.hatters.org.uk
    Domains: smtp.hatters.org.uk imap.hatters.org.uk pop.hatters.org.uk pop3.hatters.org.uk postfix.hatters.org.uk
    Expiry Date: 2018-10-28 18:47:04+00:00 (VALID: 70 days)
    Certificate Path: /etc/letsencrypt/live/smtp.hatters.org.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/smtp.hatters.org.uk/privkey.pem

My web server is (include version): none (LE standalone)

The operating system my web server runs on is (include version): Ubuntu 16.04.5

My hosting provider, if applicable, is: Jump Networks UK

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


I’ve been using a standalone cert for my mail server for the past year or more, until I did a reboot for a kernel update yesterday. Since then, people using Gmail as a POP3 client to pick up mail from the server are being timed out.

If they use the login details they used before (smtp.hatters.org.uk using SSL over port 995) they get a message:

Server returned error: “Connection timed out: There may be a problem with the settings you added. Please contact your other email provider to verify the correct server name and port.”

And I don’t see anything in the logs on the server.

If I try the IP address instead, it shows the message:

Server returned error: “SSL error: ok IP address “185.73.44.60” not found in SANs Valid hostnames: ,imap.hatters.org.uk,pop.hatters.org.uk,pop3.hatters.org.uk,postfix.hatters.org.uk,smtp.hatters.org.uk

And I see this in the log on the server:

Aug 19 09:15:00 lorina dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=209.85.213.129, lip=185.73.44.60, TLS: Disconnected, session=<7gqcY8VzhYvRVdWB>

If the reboot of the mail server has changed something (it was for a kernel update), I can’t tell what. And we’ve done reboots in the past without problems.

I can also connect OK using Thunderbird to a test account. So has Google changed something? Do I need to add the IP address to the list of hostnames as the error implies? That seems odd.

Does anyone know what’s going on here?


#2

You’ve got an IPv6 address on smtp.hatters.org.uk:

smtp.hatters.org.uk. 3600 IN CNAME lorina.hatters.org.uk.
lorina.hatters.org.uk. 3600 IN AAAA 2001:ba8:0:2c38::3c

But I can’t connect to that IP address on port 110 nor 995.

Probably the issue. Everything over IPv4 works nicely.
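Added example, not part of the original posts: a dual-stack client may pick either the A or the AAAA record, so the check below runs a verified TLS handshake against every resolved address separately and reports which address family is dead. The function names are this example's own, and the host is supplied on the command line.

```python
import socket
import ssl
import sys

FAMILY_NAMES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}


def tls_probe(family, sockaddr, server_name, timeout=5.0):
    """Connect to one specific address and complete a verified TLS handshake."""
    ctx = ssl.create_default_context()  # checks the chain and the name against the SANs
    with socket.socket(family, socket.SOCK_STREAM) as raw:
        raw.settimeout(timeout)
        raw.connect(sockaddr)
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.version()


def probe_all_addresses(host, port, resolve=socket.getaddrinfo, probe=tls_probe):
    """Probe every A/AAAA address of host on its own instead of stopping at the first."""
    results, seen = [], set()
    for family, _type, _proto, _canon, sockaddr in resolve(host, port, type=socket.SOCK_STREAM):
        if family not in FAMILY_NAMES or sockaddr[0] in seen:
            continue
        seen.add(sockaddr[0])
        try:
            ok, detail = True, probe(family, sockaddr, host)
        except OSError as exc:  # covers timeouts, refusals and ssl.SSLError
            ok, detail = False, f"{type(exc).__name__}: {exc}"
        results.append((FAMILY_NAMES[family], sockaddr[0], ok, detail))
    return results


def broken_families(results):
    """Address families that are published in DNS but had no working address."""
    families = {fam for fam, _addr, _ok, _detail in results}
    working = {fam for fam, _addr, ok, _detail in results if ok}
    return sorted(families - working)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py HOST [PORT]")
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 995
    report = probe_all_addresses(host, port)
    for fam, addr, ok, detail in report:
        print(f"{fam:4} {addr:40} {'OK' if ok else 'FAIL'}  {detail}")
    print("unreachable families:", broken_families(report) or "none")
```

A family listed as unreachable means either fixing the listener or firewall for that family or withdrawing the DNS record for it.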


#3

Wow! IPv6 never occurred to me. Maybe some network issue since the reboot then. Will investigate. Thanks!

