• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved TLS/SNI issue receiving emails from google

gregconway

Basic Pleskian
Hello everybody!

I have an issue with one Plesk server (CentOS 8.3.2011 / Plesk Obsidian, both fully updated) where I cannot receive emails from google addresses.

This is happening for all Domains on the server. Some have LE certs, some have real certs.

If I move my test Domain to another Plesk server (configured by the same script) then this domain can receive emails from google without issues. In fact all the emails I sent previously then arrive, so the emails are being deferred not rejected.

Here's the mail log for one of the emails that was rejected:

Dec 10 20:51:37 prey postfix/smtpd[6477]: connect from mail-lj1-f180.google.com[209.85.208.180]
Dec 10 20:51:38 prey postfix/smtpd[6477]: warning: TLS library problem: error:0908F066: PEM routines:get_header_and_data:bad end line:crypto/pem/pem_lib.c:852:
Dec 10 20:51:38 prey postfix/smtpd[6477]: warning: error loading private keys and certificates from: SNI data for mail.domain.com: aborting TLS handshake
Dec 10 20:51:38 prey postfix/smtpd[6477]: SSL_accept error from mail-lj1-f180.google.com[209.85.208.180]: -1
Dec 10 20:51:38 prey postfix/smtpd[6477]: warning: TLS library problem: error:1422E0EA:SSL routines:final_server_name:callback failed:ssl/statem/extensions.c:1006:
Dec 10 20:51:38 prey postfix/smtpd[6477]: lost connection after STARTTLS from mail-lj1-f180.google.com[209.85.208.180]
Dec 10 20:51:38 prey postfix/smtpd[6477]: disconnect from mail-lj1-f180.google.com[209.85.208.180] ehlo=1 starttls=0/1 commands=1/2

My googling suggests there is something wrong with the certificate but I've regenerated the paid (Sectigo) cert with no effect, and as I said I cannot email any Domain on the server from a google address.

Does anybody have any ideas what is happening here? And how I might fix it?! :)

Thanks!
 
Just a thought:
"bad end line:crypto/pem" could that the
-----END CERTIFICATE-----
is missing or slightly different from that spelling (e.g. a dash missing). However, this could also be in another part of the certificate set, e.g. the private key. Have you manually edited some of this?
 
And have you checked that the ending of one is not immediately followed by the beginning of the next like
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
which should correctly be
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
?
 
Hi Peter,
Thanks for the suggestion.
I'd found the same articles and had trawled through many .pem files looking for ---- instead of -----, but I never found it.
In the end I found I hadn't secured various website mail servers sites with the LE SSL certs, which I found because I had very few sni entries in /etc/dovecot/conf.d.
I also had to bin my paid-for wildcard cert in favour of an LE cert to secure the main server.
Strangely this was the same on an identical server but it wasn't causing any issues over there.
Anyway - all resolved.
Thanks for answering! :)
 
Back
Top