Email server certificate valid according to CheckTLS, invalid according to Thunderbird

email-serverssl-certificatessl-certificate-errors

I have set up an email server using docker-mailserver.

DKIM, SPF, and DMARC are configured fine.

SSL was set up using Let's Encrypt. Server has TLS and STARTTLS enabled.

I ran a TLS/SSL test on https://www.checktls.com/TestReceiver , and it said that my SSL works fine:

I am able to use Mozilla Thunderbird to receive and send email via the server:

However, when logging in to Thunderbird to receive email via IMAP, or when sending via SMTP, I see this warning (I am still able to send and receive email if I click on the "Confirm Security Exception" button.)

I checked a couple of other email TLS/SSL testing sites (1 and 2) and they seem to think my certs are not set up correctly ("The certificate doesn't match hostname").

Thoughts?

Update: I've managed to reach the point where imap.domainname.com is recognized by Thunderbird to have a valid certificate, but not imap.domainname.com:143. What would be a fix for this please?

Best Answer

The error message says exactly what your screenshots show: hostname in certificate does not match. You check your certificate with mail.yourdomain.com, and it says valid, so you created your certificate exactly for this hostname. You configure thunderbird to use imap.yourdomain.com.

Unless you configured your certificates to contain subject alternative names and include "imap.yourdomain.com" the error message is absolutely correct.

By default every certificate includes exactly one hostname, and that has to match.

Another possibility would be to purchase a wildcard certificate *.yourdomain.com. Wildcard certificates are usually more expensive while normal certificates with subject alternative names can even be free when using „lets encrypt“ and renew them every 90 days.

Related Solutions

Using self signed SSL for mail

I hate to differ, mailq, but SSL between MTAs (that is, between your mail server and other mail servers) is perfectly well-supported and well-understood. It runs happily on port 25. When you connect to a mail server offering this, it's advertised in the EHLO phase:

[madhatta@anni ~]$ telnet www.teaparty.net 25
Trying 193.219.118.100...
Connected to www.teaparty.net.
Escape character is '^]'.
220 : ESMTP you accept terms at http://www.teaparty.net/smtp.html
EHLO me
250-www.teaparty.net Hello 88-111-161-32.dynamic.dsl.as9105.com [88.111.161.32], pleased to meet you
[...]
250-STARTTLS
[...]

A fellow mail server who's willing to talk TLS can then request escalation to encrypted communication, and the rest of the SMTP conversation can then happen under cover of crypto. The signed or unsigned state of a peer's certificate shows up in my sendmail logs thus:

Sep 25 22:42:05 www sendmail[24905]: STARTTLS=server, relay=nagios.teaparty.net [82.26.102.225], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256

In this case, I'm connecting to the foreign server (or it would say STARTTLS=client) and I can't, using my certificate bundle, verify the peer's certificate (or it would say verify=YES). But it's perfectly sound crypto, and worth doing.

Other than that I agree with your (otherwise excellent) answer.

Sending emails with Thunderbird + Postfix + Zarafa does not work

I suppose you like to set up SMTP authentication on your mail server, but your Postfix configuration does not show any authentication configuration for clients. You could do this using SASL against the Zarafa-gateway (IMAP) like described here. Then configure Postfix to use your SASL (Cyrus for example) and 'trust' authenticated clients. Read more about that in the Postfix SASL Howto (part 'Mail relay authorization' in particular).

This way, all IMAP enabled users in Zarafa will have authorized SMTP relay access on your MTA.

Best Answer

Related Solutions

Using self signed SSL for mail

Sending emails with Thunderbird + Postfix + Zarafa does not work

Related Topic