I was having a look at the screenshot you posted. Not sure why the server name shows a mismatch, but have you tried changing the server name to box.fee-mail.tk? By default the server name drops to the bare domain. I'm seeing the same when I try to enter a mail account in my ravenstar68.co.uk domain. The Gmail app defaults to putting the server name as ravenstar68.co.uk. However, if I change it to my box.timothydutton.co.uk it works.
@bobby99 - What I've done is fired up the openssl s_client tool to connect to box.fee-mail.tk on port 993 SSL/TLS (IMAP) and port 587 STARTTLS (SMTP).
Both ports are open and accepting connections. So you need to make sure that those are the values you put in the Gmail app.
Now I’m sure you’re going to want to know why you’re getting the error when you use just fee-mail.tk as the server in the Gmail app.
This is because the certificates returned by the server will have two fields of interest to the Gmail app:
CN or Common Name - This specifies the hostname that the certificate is intended to verify.
SAN field - Subject Alternative Name field - This contains a list of hostnames INCLUDING the same hostname as found in the CN field.
For the certificate to be valid, the hostname specified in the Gmail app (or web browser, for that matter) MUST appear in the SAN field.
When you connect to the email server - it only has one certificate it can use - box.fee-mail.tk
Thus when you connect to the mail server port using a hostname of fee-mail.tk, Gmail takes a look at the SAN field and says "HOLD ON A MINUTE, this certificate isn't meant to be used on this host."
Therefore make sure that Gmail is using the following hosts:
Inbound - box.fee-mail.tk Port 993 SSL/TLS
Outbound - box.fee-mail.tk port 587 StartTLS
Note: Josh is looking into changing the outbound port at some point to fall in line with recent recommendations in the RFCs. But the above will work as is for now.
C:\Users\timdu>dig +trace fee-mail.tk
; <<>> DiG 9.16.8 <<>> +trace fee-mail.tk
;; global options: +cmd
. 84490 IN NS c.root-servers.net.
. 84490 IN NS e.root-servers.net.
. 84490 IN NS b.root-servers.net.
. 84490 IN NS l.root-servers.net.
. 84490 IN NS m.root-servers.net.
. 84490 IN NS k.root-servers.net.
. 84490 IN NS g.root-servers.net.
. 84490 IN NS i.root-servers.net.
. 84490 IN NS a.root-servers.net.
. 84490 IN NS f.root-servers.net.
. 84490 IN NS j.root-servers.net.
. 84490 IN NS d.root-servers.net.
. 84490 IN NS h.root-servers.net.
. 84490 IN RRSIG NS 8 0 518400 20201223050000 20201210040000 26116 . VkpvdZOqfqNitq8WvNgrBZacO2shFQzTpSmJMH0i+nh1Co7mM/k6gW85 MzrSL4hOdJJhUtCAsu9HWR3z/LfQHTg1cp5T2h4n9bqkg+TjsMEtO0x2 YVAI1a0MRXxyZhpCtn1CMWTHvFNWQpVu6l6808F8nvb64rIF3MGs/TXk MGlDKyW6bXjaFQ8UhQyeZzfNWki8JTnZ3zgvyj9rZOzqujuxw9OvfqA6 o3qXrdVTLNBz/iCvjY+gqJZ52GE2c3UtN9G0fUcXgKZIfTHV9TqEd86z OsN0kqe6gKpFqZMJe/eB9ogUhg+BedQQHJSRlIAZusSssPBeO/MLmI18 0R5Gmw==
;; Received 525 bytes from 192.168.1.254#53(192.168.1.254) in 19 ms
tk. 172800 IN NS d.ns.tk.
tk. 172800 IN NS c.ns.tk.
tk. 172800 IN NS a.ns.tk.
tk. 172800 IN NS b.ns.tk.
tk. 86400 IN NSEC tkmaxx. NS RRSIG NSEC
tk. 86400 IN RRSIG NSEC 8 1 86400 20201223050000 20201210040000 26116 . UEHRzwIJvkAT2R2k9GDbnzIm3/bjE8xs65l6hw3KmMAz/JmzZ8M5UlNs MQ+inR7/Y0yHouZinfB7kg7fBWsJ3uDdhGm+BA6Te3ofhjzU9I2Fejbl Km31eY5TSRWdEfOpBP69LroocEaWvfUn9JgFRJ0/Z/z+O/FBKyZsb6t2 YD0NPNgu9AoJyB57Tq0oNm6Cdzt3hTUSM+4vaj0I4BFPONRXWYE3v/Lt Zj3xqLX8ziT3Y8Yx/HlAS/ndV8RX7DcRh0003rZNEp7kpBn6DvSMyq6U ToMy5dcAmC2CG5/WlendFWM84e6ryP/YBKXz+aBk+ppHxEpPULLjetM0 v1nB0g==
;; Received 598 bytes from 2001:dc3::35#53(m.root-servers.net) in 26 ms
fee-mail.tk. 300 IN NS ns1.box.survival-fun.tk.
fee-mail.tk. 300 IN NS ns2.box.survival-fun.tk.
couldn't get address for 'ns1.box.survival-fun.tk': failure
couldn't get address for 'ns2.box.survival-fun.tk': failure
dig: couldn't get address for 'ns1.box.survival-fun.tk': no more
The NS records stored in the tk domain match the WHOIS, but the servers have no glue records. So I really don't know how dig is getting anything at this point. I can duplicate this on two separate machines.
As stated, make sure that in the Gmail app you specify the server name as box.fee-mail.tk.
Mail servers like Dovecot and Postfix can only use one certificate, and if you used the standard naming convention, that is the certificate that will be used.
The web server works differently and can be set up to use different certificates depending on the hostname passed to the web server in the GET headers.
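The hostname check described above (the name typed into the client must appear as a dNSName in the certificate's SAN, with the CN only a legacy fallback) can be reproduced outside of the Gmail app. The following is an added example and not code from the original posts or from the Mail-in-a-Box project; the sample certificate dictionary is constructed by hand in the shape that Python's `ssl` module returns from `getpeercert()`, using the box.fee-mail.tk name from the thread. The `probe_mail_tls` helper does the same two connections the post made with `openssl s_client` (993 implicit TLS, 587 STARTTLS) and is the only part that needs network access.

```python
"""Verify a mail server's certificate against the hostname a client was given.

Added example (not from the original post). The matching rules follow
RFC 6125: compare against SAN dNSName entries, case-insensitively, with a
wildcard allowed only as the entire leftmost label. The CN is consulted only
when the certificate carries no SAN at all, which modern clients reject anyway.
"""
import smtplib
import socket
import ssl

# Constructed sample certificate, in the format ssl.SSLSocket.getpeercert()
# returns. It mirrors the situation in the thread: one certificate, issued
# for box.fee-mail.tk only.
BOX_CERT = {
    "subject": ((("commonName", "box.fee-mail.tk"),),),
    "subjectAltName": (("DNS", "box.fee-mail.tk"),),
}


def san_dns_names(cert) -> list:
    """All dNSName entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert) -> list:
    """All commonName attributes of the subject (legacy field)."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 presented-identifier match: exact, or '*' as whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, must not cover a public
    # suffix level (need at least two labels after it), and label counts must agree:
    # '*.fee-mail.tk' covers box.fee-mail.tk but neither fee-mail.tk nor a.b.fee-mail.tk.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname: str):
    """Return (ok, reason) for the name the client was configured with."""
    sans = san_dns_names(cert)
    if sans:
        for name in sans:
            if label_match(name, hostname):
                return True, f"{hostname} matched SAN dNSName {name}"
        return False, f"{hostname} not present in SAN {sans}"
    # No SAN extension: fall back to CN. Chrome, Gmail and friends refuse such
    # certificates outright, so treat a CN-only match as a warning, not success.
    for cn in common_names(cert):
        if label_match(cn, hostname):
            return True, f"{hostname} matched CN {cn} only (no SAN; modern clients reject)"
    return False, f"{hostname} matches neither SAN nor CN"


def probe_mail_tls(typed_name: str, port: int, starttls_smtp: bool = False):
    """Connect the way a mail client does and report whether the cert is accepted.

    typed_name is what the user entered as the server; it is used both for the
    TCP connection and for SNI/verification, exactly as the Gmail app does.
    Port 993 is implicit TLS; port 587 speaks plaintext SMTP, then STARTTLS.
    Requires network access; not exercised by the offline checks below.
    """
    ctx = ssl.create_default_context()  # check_hostname=True, OS trust store
    try:
        if starttls_smtp:
            with smtplib.SMTP(typed_name, port, timeout=10) as smtp:
                smtp.starttls(context=ctx)          # verifies against typed_name
                cert = smtp.sock.getpeercert()
        else:
            with socket.create_connection((typed_name, port), timeout=10) as raw:
                with ctx.wrap_socket(raw, server_hostname=typed_name) as tls:
                    cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected for {typed_name}: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection to {typed_name}:{port} failed: {exc}"
    return hostname_matches(cert, typed_name)


if __name__ == "__main__":
    # Offline reproduction of the thread: the bare domain fails, the box name passes.
    for typed in ("fee-mail.tk", "box.fee-mail.tk"):
        print(typed, "->", hostname_matches(BOX_CERT, typed))
    # Live checks, equivalent to the two openssl s_client runs in the post:
    #   probe_mail_tls("box.fee-mail.tk", 993)
    #   probe_mail_tls("box.fee-mail.tk", 587, starttls_smtp=True)
```

The offline part shows why the bare domain is refused: `fee-mail.tk` is simply not among the SAN entries of a certificate issued for `box.fee-mail.tk`, and no wildcard is present that could cover it. The live helper reproduces the client's behaviour end to end, including the STARTTLS upgrade on 587, where `smtplib` checks the certificate against the host name it was given when connecting.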