
[Resolved] TLS Negotiation failed, the certificate doesn't match the host.

Ickov

Hi all,

I am using Gmail to send / receive emails via the Gmail interface. For the last two days I have had a problem with TLS negotiation between my Plesk server and Gmail.

It says that the username / password is not correct, with this error message:

Authentication failed. Please check your username/password.
[Server response: TLS Negotiation failed: generic::failed_precondition: starttls error (0): protocol error code(0) ]

Did someone have the same problem? Please advise how to fix it.
 
Hi.

According to the error message, the certificate that the Plesk server provides to Gmail during the connection doesn't contain the domain name that Gmail uses to connect to the Plesk server.

So, you need to check:
1. what domain name is used by Gmail (probably the account settings can show that, but I'd suggest reviewing the maillog on the Plesk server)
2. what domain names are included in the mail certificate on the Plesk server
3. what domain names are included in the mail certificate on the domain (Mail SNI feature)
 
Everything was functioning well, but a few days ago it started showing this error. If I execute the command tail -f /usr/local/psa/var/log/maillog there is nothing to show; it seems that Gmail is not connecting to the server.

On Gmail there are 3 options for ports: 587 does not work and shows the error, 465 I am not using, and 25 works now (but that is not a secured port).

2. The domain is without any certificate (if you mean Let's Encrypt).
 

Attachments: Screenshot_2020-04-10 Mail Settings for evromak com - Plesk Onyx 17 8 11.png; Screenshot_2020-04-10 SSL TLS Certificates for evromak com - Plesk Onyx 17 8 11.png
Hi Ruslan,
I don't have much experience with Plesk, so could you help me a bit more to understand what you mean? I'm working with a hosting service and want to see if I can address this on my own. Here are three questions about the three things you say I need to check.

1) I tried to look up how to review the maillog in Plesk and only found this extension that it seems you have to download: Mail-log. Are you saying I would have to download this to check the "maillog" you're referring to?
2) How would I check what domain names are included in the mail certificate on the Plesk server?
3) How would I check what domain names are included in the mail certificate on the domain (Mail SNI feature)? Can you explain what the Mail SNI feature is?

I'm including screenshots of my Gmail window setup (which I hope will help provide context for the first item on the list of things to check above). The issue after testing it this morning is that at least half of the emails that I send directly to another person come back with this message (I just keep sending the message until I don't get it bounced back), so it does work eventually - I just want it to work consistently!

Thanks for your help.
(Attachments: 1586533905498.png, 1586533915678.png, 1586533926710.png - screenshots of the Gmail setup window)
(I entered my password before I clicked "Save Changes". Again, after I set it up this way, emails still can be sent eventually but bounce back at least half of the time. Thanks!)
 
Same situation here!
 
Small help for you SeanCJMorris: if you use port 25, mail will work normally, but that is not OK because port 25 is not a secured port. Please choose port 25 on Gmail and you will not have the problem for now.
 
OK, this is really simple. I think some people are chasing a red herring.

The key is in the actual error message: "TLS Negotiation failed, the certificate doesn't match the host"

It is just the SSL/TLS certificate that's the problem.

In Onyx, and earlier, the email server (Postfix) can only have one SSL/TLS certificate.
You set this in Tools & Settings > SSL/TLS Certificates > Certificate for securing mail.

Previously, as long as the mailserver used ANY TLS/SSL certificate, Google was happy to use the "Secured using TLS" on port 587.
So typically, you or your customers would have used their own domain name in that box. mail.theirdomain.tld or just theirdomain.tld.
And there would normally be an SSL/TLS certificate for mail of one sort or another and all would be well.

But now Google has changed their policy, and the domain entered in the SMTP box has to match the TLS/SSL certificate used for mail.

So, for example, if mail uses a SSL/TLS certificate for myhostingcompany.tld then you and your customers have to enter myhostingcompany.tld in the SMTP box.

If you do so, all will be well again. We have a wildcard certificate that we use for this purpose, so we can cover mail.domain.tld or smtp.domain.tld or whatever we want. But you can equally just use a Let's Encrypt certificate quite happily.

All that matters is that you enter the domain that has the SSL certificate used by mail in the SMTP box.

Of course in Obsidian, each domain can have its own SSL/TLS certificate for email (YAY!). But you do need to make sure it is set up on each domain in the Email Settings for the domain.
 
Hi,

According to your reply, do you mean to tick the marked section? (see attachment)

And everything will be OK?
 

Attachments: Screenshot_2020-04-11 Let's Encrypt SSL TLS Certificate for evromak com - Plesk Onyx 17 8 11.png
No. That tick box is for webmail (Roundcube or Horde on Plesk itself). It has no effect on the problem in question.

I can't tell for sure, but it looks like you are running Plesk Onyx, yes?

You need to go to Tools & Settings > SSL/TLS Certificates. On that page, there is a section that talks about SSL certificates currently in use by the server (see ssl-1.png)

The certificate you choose for mail must be valid (i.e. not expired) and must work for whatever server address you are going to specify for people to enter as the SMTP server address.

For example, you already have one for Plesk itself, don't you? You can use the same one. And tell people to enter the same domain for email.

e.g. if you login to Plesk with https://plesk.example.tld:8443 and you have an SSL certificate (e.g. Lets Encrypt) for plesk.example.tld already set up, then you can use the same one for mail. You would then ask your customers to use plesk.example.tld as the SMTP address in GMail.

There are many other options open to you in terms of what address to choose (like a wildcard certificate - see bottom of email). All that matters is that the certificate you choose for mail is valid (i.e. correctly secures and is not expired) for whatever address you tell people to enter for the SMTP server address.

What is happening is simple:
Imagine you have a domain www.example.tld and you DO have a certificate for it, but the certificate is for www.some-other-domain.tld. If you connect using your web browser to this domain using https:// you will get an error. And the error will be that the certificate does not match the domain.

This same thing happens with Gmail. And you'll get the same error with Outlook or any other email program if you tell it to use TLS.

Note that the certificate issue also applies to IMAP (and pop3) if you tell the email client to use TLS. You will get an error if the certificate the mail server uses does not match the domain you enter in the email program. You can experiment in Outlook or Thunderbird or whatever. Put a tick in the TLS box and try connecting to the Plesk email server using various domains that point to it. You will always get an error unless you choose a domain that matches the SSL/TLS certificate you have selected for the mailserver to use.

For the moment, GMail is only enforcing TLS, and requiring a valid/matching certificate, for SMTP. I do not know why it is not enforcing it for POP3 collections. No doubt it will soon.

Wildcard certificates: Honestly, the easiest option is to buy a wildcard certificate, or to have Let's Encrypt generate a wildcard certificate, and use that. The wildcard certificate covers *.example.tld so you can tell people to use mail. smtp. pop3. or whatever you want, and as long as you have told Plesk to use the wildcard certificate for email, it will work fine.
 

Attachments: ssl-1.png
Hi Faris,

Maybe I will answer stupidly on your post, but I am really confused about this situation. I put the default certificate now in the SSL/TLS section.

Please see the attachment.

Is it OK now?
 

Attachments: Screenshot_2020-04-12 SSL TLS Certificates - Plesk Onyx 17 8 11.png
The "Default Certificate" is a certificate generated by Plesk itself at Installation time. It is a "self-signed" certificate and Gmail and all other email programs will not accept it as being valid. You should not use it.

Instead, maybe you should select the Let's Encrypt certificate that you have also selected for use by Plesk itself.
If this certificate covers example.tld, then when you use it for email it will also cover example.tld but for email. You can then use example.tld as the address to put in the SMTP box in Gmail.
 
I think it works now. I will see tomorrow how my customers are doing and will let you know. Thanks for the help and for spending time on us.
 
Hi.

I'm having this problem on my server and the certificate matches the hostname that I am (and my customers are) trying to use on Google.

The error is "TLS Negotiation failed, the certificate doesn't match the host., code: 0 ".

I use a Let's Encrypt certificate and this was working until recently. One of my customers said that he sent mails until some hours ago (those mails are in the maillog with connections from a Google host) and suddenly it stopped working, but I already had feedback some days ago from another customer that was having problems with Gmail; I just didn't pay much attention because I hadn't enough details on the problem...

This command
openssl s_client -starttls smtp -showcerts -connect my_domain.com:587 -servername my_domain.com
returns (among other information)
Server certificate
subject=/CN=my_domain.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits


Any more ideas?

Cheers.
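Added example, not code from this thread, from Plesk or from any poster: a small Python probe that does what Ruslan's checklist and the openssl s_client test above do by hand. It opens the SMTP port, issues STARTTLS the way a client such as Gmail would, keeps chain validation on (so Plesk's self-signed "Default Certificate" is rejected, as Faris says it would be), and then reports which names the presented certificate actually covers and whether the host you entered in Gmail is among them. The -servername experiment from this post is the `sni` argument: a server without mail SNI returns the same certificate whatever name is presented. The hostnames (mail.example.tld and so on) are placeholders, and the entries in SAMPLE_CERTS are constructed by hand in the shape Python's getpeercert() returns, not real certificates, so the matching rules can be exercised without a server. Note the wildcard rule, which the thread only implies: *.example.tld covers mail.example.tld but not the bare example.tld, so the Gmail SMTP box must hold a name with exactly one label under the wildcard.

```python
"""Added example (not from the thread or Plesk): probe a mail server's STARTTLS
certificate and report which names it covers.  Hostnames are placeholders and
SAMPLE_CERTS is hand-constructed in getpeercert() shape, not real certificates."""

import socket
import ssl


def _expect(sock, code):
    """Read one SMTP reply (possibly multi-line) and require reply code `code`."""
    reply = b""
    while True:
        line = b""
        while not line.endswith(b"\r\n"):
            byte = sock.recv(1)
            if not byte:
                raise ConnectionError("server closed the connection")
            line += byte
        reply += line
        if line[3:4] == b" ":       # "250-" continues a reply, "250 " ends it
            break
    if not reply.startswith(code.encode()):
        raise RuntimeError(f"expected {code}, got: {reply.decode(errors='replace').strip()}")
    return reply


def smtp_starttls_cert(host, port=587, sni=None, timeout=10):
    """Connect, EHLO, STARTTLS, return the validated peer certificate as the dict
    ssl.SSLSocket.getpeercert() produces.  `sni` presents a server name different
    from the connect address (this is how a per-domain mail-SNI cert is exercised;
    a server that ignores SNI returns the same cert regardless).  Chain validation
    stays on, so a self-signed cert like Plesk's "Default Certificate" raises
    SSLCertVerificationError; only the hostname check is deferred to
    hostname_mismatch() so the mismatch can be reported, not silently refused."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # done by hostname_mismatch() instead
    ctx.verify_mode = ssl.CERT_REQUIRED   # the chain must still validate
    with socket.create_connection((host, port), timeout=timeout) as raw:
        _expect(raw, "220")
        raw.sendall(b"EHLO probe.invalid\r\n")
        if b"STARTTLS" not in _expect(raw, "250").upper():
            raise RuntimeError("server does not advertise STARTTLS on this port")
        raw.sendall(b"STARTTLS\r\n")
        _expect(raw, "220")
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
    return cert


def cert_names(cert):
    """Names the certificate is valid for: all subjectAltName DNS entries, or the
    subject CN only when there is no SAN at all (clients ignore the CN otherwise)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is honoured only
    as the whole left-most label and matches exactly one label.  So '*.example.tld'
    covers 'mail.example.tld' but neither the apex 'example.tld' nor 'a.b.example.tld'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:] and h[0] != ""


def hostname_mismatch(cert, hostname):
    """None if `cert` covers `hostname`; otherwise a message listing the names it
    does cover (enter one of those as the SMTP server in Gmail, or re-issue)."""
    names = cert_names(cert)
    if any(name_matches(n, hostname) for n in names):
        return None
    return f"certificate does not cover {hostname!r}; it covers: {', '.join(names) or '(no names)'}"


# Constructed sample certificates (not real), in getpeercert() shape.
SAMPLE_CERTS = {
    "single_name": {                      # e.g. a Let's Encrypt cert for the bare domain
        "subject": ((("commonName", "example.tld"),),),
        "subjectAltName": (("DNS", "example.tld"),),
    },
    "wildcard_only": {                    # one label under example.tld, not the apex
        "subject": ((("commonName", "*.example.tld"),),),
        "subjectAltName": (("DNS", "*.example.tld"),),
    },
    "self_signed_default": {              # no SAN, CN that is not a hostname
        "subject": ((("commonName", "Plesk"),),),
    },
}


if __name__ == "__main__":
    import sys
    # usage: python check_mail_tls.py <SMTP host as entered in Gmail> [sni]
    host = sys.argv[1]
    sni = sys.argv[2] if len(sys.argv) > 2 else None
    try:
        cert = smtp_starttls_cert(host, sni=sni)
    except ssl.SSLCertVerificationError as e:
        sys.exit(f"chain validation failed (self-signed or expired?): {e}")
    print("names in certificate:", ", ".join(cert_names(cert)))
    print(hostname_mismatch(cert, sni or host) or f"OK: certificate covers {sni or host}")
```

Run it against the same name you typed into Gmail's SMTP box, then again with a second argument naming another domain hosted on the server: if the output is identical, the server has no mail SNI and every customer must use the one name the server-wide mail certificate covers. An expired certificate, like the old one tried in the next reply, fails chain validation here before the name check is even reached.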
 
Ooh!

What happens when you use -servername not_my_domain.tld ? Also is that certificate valid (i.e. not expired)?

If you use Outlook, it will show you the certificate it sees, if it is not valid for the domain that's been entered (for pop or smtp) or has expired. Might be worth trying, first to see if Outlook works with no error or not, and if not you can see which certificate is being presented and maybe you'll recognise it.

Keep in mind that your test method tests from the server to the server. Nothing in-between. If you use Outlook, you are connecting as a client would, and something different may happen! You never know. Of course it should be the same. But try it just the same. Or try it from a different server.

In the meantime, I'd re-assign the mail certificate in the SSL/TLS section in Tools & Settings (i.e. change it to something else, then back to the right one)
Also make sure that if you are using Obsidian, do the same for the SSL certificate for email for the specific domain itself.
 
Hi.

If I understood most of what you wrote correctly, I have a few things to clarify.
- the server where I executed the openssl command was not the same; it was executed on my local server.
- I personally don't use Outlook (I suppose you are referring to the Office app and not to Hotmail's new service name, Outlook), but in that matter I have hundreds of customers that are using it, and if it wasn't working correctly I would already know.
- if I put -servername aaaa.com it doesn't seem to change the output.
- I use Thunderbird as my favourite mail client and it complains if the server name does not match the certificate, and I'm not getting any errors...
- I have not yet upgraded to Obsidian.

I changed to an old certificate I still had installed and the result was this (among all the certificate info): "verify error:num=10:certificate has expired", and Google gave the same error. I changed back to the Let's Encrypt one and Google keeps complaining.

Cheers.
 