Certificate subject and host name mismatch

Please be sure to review the Instructions page in the MiaB admin dashboard under the Mail & Users menu.

Where it states Mail Server box.example.net, this means both the IMAP server and the SMTP server use that value.

Also note you should not use the “Accept all certificates” option.

Are you able to share the server name so we can check the certificates directly?

If you’re not willing to share it on the main forum, you could drop me a PM.

Tim

What do you mean by server name? Do you mean the server URL?

That’s correct. Just so I can try connecting to it and see what’s going on with the certificate.

Tim

I personal-messaged it to you.

I was having a look at the screenshot you posted. Not sure why the server name shows a mismatch, but have you tried changing the server name to box.fee-mail.tk? By default the server name drops to the bare domain. I’m seeing the same when I try to enter a mail account in my ravenstar68.co.uk domain. The Gmail app defaults to putting the server name as ravenstar68.co.uk; however, if I change it to my box.timothydutton.co.uk it works.

Oh, I never tried putting box in the URL.

It doesn’t connect when I put box in the URL; it appears it’s only looking for it at the main domain.

fee-mail.tk has no MX record.

@openletter

I beg to differ:

 ; <<>> DiG 9.16.8 <<>> mx fee-mail.tk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49323
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fee-mail.tk.                   IN      MX

;; ANSWER SECTION:
fee-mail.tk.            886     IN      MX      10 box.fee-mail.tk.

;; Query time: 196 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Wed Dec 09 22:15:48 GMT Standard Time 2020
;; MSG SIZE  rcvd: 60

@bobby99 - What I’ve done is fire up the openssl s_client tool to connect to box.fee-mail.tk on port 993 SSL/TLS (IMAP) and port 587 STARTTLS (SMTP).

Both ports are open and accepting connections. So you need to make sure that those are the values you put in the Gmail app.

Now I’m sure you’re going to want to know why you’re getting the error when you use just fee-mail.tk as the server in the Gmail app.

This is because the certificates returned by the server will have two fields of interest to the Gmail app:

CN or Common Name - This specifies the hostname that the certificate is intended to verify.
SAN field - Subject Alternative Name field - This contains a list of hostnames INCLUDING the same hostname as found in the CN field.

For the certificate to be valid, the hostname specified in the Gmail app (or web browser, for that matter) MUST appear in the SAN field.

When you connect to the email server, it only has one certificate it can use: box.fee-mail.tk.

Thus when you connect to the mail server port using a hostname of fee-mail.tk, Gmail takes a look at the SAN field and says HOLD ON A MINUTE, this certificate isn’t meant to be used on this host.

Therefore make sure that Gmail is using the following hosts:

Inbound - box.fee-mail.tk, port 993, SSL/TLS
Outbound - box.fee-mail.tk, port 587, STARTTLS

Note that Josh is looking into changing the outbound port at some point to fall in line with recent recommendations in the RFCs. But the above will work as is for now.

Tim

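The SAN check Tim describes, as an added example (not code from the thread or from Mail-in-a-Box). The host names are the ones from the thread; the certificate dictionary is constructed by hand in the shape that Python's ssl.getpeercert() returns, so the matching logic can be exercised offline. It also covers the one wildcard case a practitioner usually trips over (*.example.net matches exactly one label), and includes an optional live fetch over port 993 (implicit TLS) or port 587 (STARTTLS) that keeps chain validation on while we do the host-name comparison ourselves.

```python
"""Does a mail server's certificate cover the host name the client was told to use?

Added example, not part of the original thread or of Mail-in-a-Box.
BOX_CERT below is constructed to stand in for what box.fee-mail.tk presents.
"""
import smtplib
import socket
import ssl


def san_dns_names(cert):
    """dNSName entries from the subjectAltName extension, in getpeercert() layout."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a leading '*' label covers
    exactly one label, so *.example.net matches box.example.net but neither
    example.net nor a.b.example.net."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[2:]
        labels = hostname.split(".")
        # Wildcard must not stand in for a whole registrable domain (no "*.tk").
        return len(labels) >= 3 and "." in suffix and ".".join(labels[1:]) == suffix
    return False


def cert_valid_for(cert, hostname):
    """Modern clients (browsers, the Gmail app) ignore the CN once a SAN extension
    is present: the host name has to match a SAN dNSName entry."""
    names = san_dns_names(cert)
    if not names:
        # Legacy fallback only: a certificate with no SAN extension at all.
        names = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(name_matches(n, hostname) for n in names)


# Constructed stand-in for the box's Let's Encrypt certificate (one name only).
BOX_CERT = {
    "subject": ((("commonName", "box.fee-mail.tk"),),),
    "subjectAltName": (("DNS", "box.fee-mail.tk"),),
}


def verdict(cert, hostname):
    """One-line result of the kind the Gmail app is effectively producing."""
    state = "OK" if cert_valid_for(cert, hostname) else "MISMATCH"
    return f"{hostname}: {state} (cert SAN = {', '.join(san_dns_names(cert))})"


def live_cert(host, port, starttls=False):
    """Fetch the real certificate from an IMAP (993, implicit TLS) or SMTP
    submission (587, STARTTLS) port.  Chain validation stays on (CERT_REQUIRED);
    only the host-name check is disabled so we can run cert_valid_for() ourselves.
    Needs network access; not exercised by the offline checks above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if starttls:
        smtp = smtplib.SMTP(host, port, timeout=10)
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
        smtp.quit()
        return cert
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("fee-mail.tk", "box.fee-mail.tk"):
        print(verdict(BOX_CERT, name))
```

The equivalent one-off checks with the tool Tim used are `openssl s_client -connect box.fee-mail.tk:993 -servername box.fee-mail.tk` and `openssl s_client -connect box.fee-mail.tk:587 -starttls smtp`; add `-verify_hostname fee-mail.tk` to either and the handshake reports the same mismatch the Gmail app does.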

That helped a lot, thanks, but why does it work with the main domain if it doesn’t have any records?

Well, shows to go you should always check twice, but I used dig just the same and it reported no record.

Hm, seems some strangeness when I use an external tool:

There’s definitely something odd going on here.

When I do an ordinary dig for the NS type (using both Cloudflare and Google Public DNS):

C:\Users\timdu>dig ns fee-mail.tk @8.8.8.8

; <<>> DiG 9.16.8 <<>> ns fee-mail.tk @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29875
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fee-mail.tk.                   IN      NS

;; ANSWER SECTION:
fee-mail.tk.            1799    IN      NS      ns1.box.fee-mail.tk.
fee-mail.tk.            1799    IN      NS      ns2.box.fee-mail.tk.

;; Query time: 173 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 10 08:53:51 GMT Standard Time 2020
;; MSG SIZE  rcvd: 80

But when I use the +trace directive:

C:\Users\timdu>dig +trace fee-mail.tk

; <<>> DiG 9.16.8 <<>> +trace fee-mail.tk
;; global options: +cmd
.                       84490   IN      NS      c.root-servers.net.
.                       84490   IN      NS      e.root-servers.net.
.                       84490   IN      NS      b.root-servers.net.
.                       84490   IN      NS      l.root-servers.net.
.                       84490   IN      NS      m.root-servers.net.
.                       84490   IN      NS      k.root-servers.net.
.                       84490   IN      NS      g.root-servers.net.
.                       84490   IN      NS      i.root-servers.net.
.                       84490   IN      NS      a.root-servers.net.
.                       84490   IN      NS      f.root-servers.net.
.                       84490   IN      NS      j.root-servers.net.
.                       84490   IN      NS      d.root-servers.net.
.                       84490   IN      NS      h.root-servers.net.
.                       84490   IN      RRSIG   NS 8 0 518400 20201223050000 20201210040000 26116 . VkpvdZOqfqNitq8WvNgrBZacO2shFQzTpSmJMH0i+nh1Co7mM/k6gW85 MzrSL4hOdJJhUtCAsu9HWR3z/LfQHTg1cp5T2h4n9bqkg+TjsMEtO0x2 YVAI1a0MRXxyZhpCtn1CMWTHvFNWQpVu6l6808F8nvb64rIF3MGs/TXk MGlDKyW6bXjaFQ8UhQyeZzfNWki8JTnZ3zgvyj9rZOzqujuxw9OvfqA6 o3qXrdVTLNBz/iCvjY+gqJZ52GE2c3UtN9G0fUcXgKZIfTHV9TqEd86z OsN0kqe6gKpFqZMJe/eB9ogUhg+BedQQHJSRlIAZusSssPBeO/MLmI18 0R5Gmw==
;; Received 525 bytes from 192.168.1.254#53(192.168.1.254) in 19 ms

tk.                     172800  IN      NS      d.ns.tk.
tk.                     172800  IN      NS      c.ns.tk.
tk.                     172800  IN      NS      a.ns.tk.
tk.                     172800  IN      NS      b.ns.tk.
tk.                     86400   IN      NSEC    tkmaxx. NS RRSIG NSEC
tk.                     86400   IN      RRSIG   NSEC 8 1 86400 20201223050000 20201210040000 26116 . UEHRzwIJvkAT2R2k9GDbnzIm3/bjE8xs65l6hw3KmMAz/JmzZ8M5UlNs MQ+inR7/Y0yHouZinfB7kg7fBWsJ3uDdhGm+BA6Te3ofhjzU9I2Fejbl Km31eY5TSRWdEfOpBP69LroocEaWvfUn9JgFRJ0/Z/z+O/FBKyZsb6t2 YD0NPNgu9AoJyB57Tq0oNm6Cdzt3hTUSM+4vaj0I4BFPONRXWYE3v/Lt Zj3xqLX8ziT3Y8Yx/HlAS/ndV8RX7DcRh0003rZNEp7kpBn6DvSMyq6U ToMy5dcAmC2CG5/WlendFWM84e6ryP/YBKXz+aBk+ppHxEpPULLjetM0 v1nB0g==
;; Received 598 bytes from 2001:dc3::35#53(m.root-servers.net) in 26 ms

fee-mail.tk.            300     IN      NS      ns1.box.survival-fun.tk.
fee-mail.tk.            300     IN      NS      ns2.box.survival-fun.tk.
couldn't get address for 'ns1.box.survival-fun.tk': failure
couldn't get address for 'ns2.box.survival-fun.tk': failure
dig: couldn't get address for 'ns1.box.survival-fun.tk': no more

The NS records stored in the tk domain match the Whois, but the servers have no glue records. So I really don’t know how dig is getting anything at this point. I can duplicate this on two separate machines.

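The comparison Tim is doing by eye above (the NS set the tk. servers delegate to versus the NS set the zone answers with from a recursive resolver), as an added example that is not part of the thread or of Mail-in-a-Box. The two text blocks are constructed from the dig output posted above; the parsing is a small regex over dig's presentation format, and the report also sorts each name server into the class that matters for this failure: an in-bailiwick server (ns1.box.fee-mail.tk under fee-mail.tk) is only reachable if the parent carries A/AAAA glue for it, while an out-of-bailiwick server (ns1.box.survival-fun.tk) must resolve through its own zone, which is exactly what the "couldn't get address" lines say is failing.

```python
"""Compare a parent zone's NS delegation with the child zone's own NS set.

Added example, not code from the thread or from Mail-in-a-Box.
PARENT_REFERRAL and CHILD_APEX are constructed from the dig output in the thread.
"""
import re
import subprocess

# Referral for fee-mail.tk handed out by the tk. servers in `dig +trace`
# (constructed from the thread, including dig's resolution failures).
PARENT_REFERRAL = """\
fee-mail.tk.            300     IN      NS      ns1.box.survival-fun.tk.
fee-mail.tk.            300     IN      NS      ns2.box.survival-fun.tk.
couldn't get address for 'ns1.box.survival-fun.tk': failure
couldn't get address for 'ns2.box.survival-fun.tk': failure
"""

# What a recursive resolver answered for `dig ns fee-mail.tk @8.8.8.8`
# (constructed from the thread).
CHILD_APEX = """\
fee-mail.tk.            1799    IN      NS      ns1.box.fee-mail.tk.
fee-mail.tk.            1799    IN      NS      ns2.box.fee-mail.tk.
"""

NS_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$", re.MULTILINE)
NO_ADDR = re.compile(r"couldn't get address for '([^']+)'")


def fqdn(name):
    """Normalise to lower case with a single trailing dot."""
    return name.lower().rstrip(".") + "."


def ns_set(dig_text, zone):
    """NS targets in dig output whose owner is exactly `zone`."""
    zone = fqdn(zone)
    return {fqdn(m.group(2)) for m in NS_RR.finditer(dig_text) if fqdn(m.group(1)) == zone}


def unresolvable(dig_text):
    """Name servers dig could not find an address for."""
    return {fqdn(m.group(1)) for m in NO_ADDR.finditer(dig_text)}


def in_bailiwick(ns, zone):
    """True when the name server's own name lies inside the zone it serves,
    i.e. the parent must publish glue for it."""
    return fqdn(ns).endswith("." + fqdn(zone))


def check_delegation(zone, parent_text, child_text):
    parent_ns = ns_set(parent_text, zone)
    child_ns = ns_set(child_text, zone)
    report = {
        "parent_ns": sorted(parent_ns),
        "child_ns": sorted(child_ns),
        "consistent": parent_ns == child_ns,
        "needs_glue": sorted(n for n in parent_ns | child_ns if in_bailiwick(n, zone)),
        "unresolvable": sorted(unresolvable(parent_text) & parent_ns),
    }
    # Either condition means resolvers following the parent cannot reach the zone.
    report["delegation_broken"] = not report["consistent"] or bool(report["unresolvable"])
    return report


def thread_report():
    """The check run on the data posted in the thread."""
    return check_delegation("fee-mail.tk", PARENT_REFERRAL, CHILD_APEX)


def run_dig(*args):
    """Run the local dig binary and return its output (needs network; not used
    by the offline check).  E.g. run_dig("+trace", "fee-mail.tk")."""
    return subprocess.run(["dig", *args], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for key, value in thread_report().items():
        print(f"{key}: {value}")
```

Feeding it `run_dig("+trace", zone)` for the parent side and `run_dig("ns", zone, "@8.8.8.8")` for the child side reproduces the two views Tim posted; a recursive resolver can still answer from the child's apex NS set (cached, or reached via a previously working path) after the parent's delegation has gone stale, which is why the two disagree.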

Ok, too early in the morning for this but …

ns1.box.survival-fun.tk.
or
ns1.box.fee-mail.tk.

Things just got a lot more convoluted.


Oh, I forgot to remove ns1.box.survival-fun.tk from one of my domains; it was responsible for one of my old domains.

As stated, make sure that in the Gmail app you specify the server name as box.fee-mail.tk.

Mail servers like Dovecot and Postfix can only use one certificate, and if you used the standard naming convention, that is the certificate that will be used.

The web server works differently and can be set up to use different certificates depending on the hostname passed to the web server in the GET headers.

Oh, I guess that makes sense, but why does it work with the main domain on Gmail when there are no records for it?
