Gmail TLS Negotiation failed

PDW

Well-Known Member
Dec 29, 2003
138
3
168
I have been having issues with Gmail and sending mail as over the last few days. When sending email as (from my domain domain.org) I get a return email stating "TLS Negotiation failed, the certificate doesn't match the host." Now I have been sending mail as through Gmail with multiple accounts for a very long time.
So I go into Accounts and Import, and for any of my accounts, adding or updating passwords, I get an error saying Server returned error: "TLS Negotiation failed, the certificate doesn't match the host., code: 0"

So here is what I have tried as settings: I typically have used the domain name as the SMTP host (domain.org or mail.domain.org). I have also tried the host.com and get the same message. I have used both SSL and TLS: port 465 for SSL and 587 for TLS.

So with troubleshooting, I added these accounts to Outlook (the app) and Bitdefender threw up an error as well, saying "OUTLOOK.EXE attempted to establish a connection relying on an unmatching security certificate to domain.org. We blocked the connection to keep your data safe since the used certificate was issued for a different web address than the targeted one", and I went ahead and added the exception and Outlook did give me "The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect." I believe that was using the domain name. Now in Outlook if I use the hostname I get 0 errors. But if I do that in Gmail I get an error.

Any thoughts? My data center is out of ideas as well.
 

PDW

Going to add to this, and this is very, very strange. If I go into a Gmail account I have that doesn't get used much at all and add these to it as send mail as using TLS port 567, I have 0 issues getting it to go through. Maybe this is just a Google issue?
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,719
289
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
Yes, Gmail recently implemented this and we've seen a number of clients running into it.

I'm not clear if Gmail is not supporting SNI certificates for mail service, but we've resolved this by using the server's hostname as the incoming and outgoing mail servers. This assumes you have a valid resolving hostname.
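
The hostname-versus-domain mismatch discussed in this thread can be checked directly. The following is an added example, not code from any poster or from cPanel: it reports which candidate SMTP host names a certificate actually covers. All host names and sample certificates are constructed, and `fetch_cert` assumes a reachable server offering STARTTLS on port 587.

```python
import smtplib
import ssl

def fetch_cert(host, port=587, timeout=10):
    """STARTTLS to host:port (SNI = host) and return the presented certificate.

    The chain is still validated; only the hostname check is switched off so
    the names can be inspected even when they do not match.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()

def cert_names(cert):
    """DNS names in a getpeercert()-style dict: SAN entries, else subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names

def name_matches(pattern, host):
    """Exact match, or '*' as the whole left-most label covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def check_hosts(cert, candidates):
    """Map each candidate SMTP host to True if the certificate covers it."""
    names = cert_names(cert)
    return {c: any(name_matches(n, c) for n in names) for c in candidates}

# Constructed sample data (not from the thread): a certificate issued only for
# the server's own hostname, and a wildcard certificate for the mail domain.
HOSTNAME_CERT = {"subject": ((("commonName", "server1.hostco.example"),),),
                 "subjectAltName": (("DNS", "server1.hostco.example"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.domain.example"),)}

if __name__ == "__main__":
    hosts = ["domain.example", "mail.domain.example", "server1.hostco.example"]
    print(check_hosts(HOSTNAME_CERT, hosts))
    print(check_hosts(WILDCARD_CERT, hosts))
    # Live check (needs network):
    # print(check_hosts(fetch_cert("mail.domain.example"), hosts))
```

A wildcard certificate covers `mail.domain.example` but not the bare `domain.example`, so the host name entered in the mail client has to be one the certificate actually lists.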
 

PDW

Ya I have even had the data center double-check my hostname resolver and all. I can get the email to work if I go unsecured port 25 though :(
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
11,895
1,068
313
Houston
PDW said:
> The target principal name is incorrect. I believe that was using the domain name. Now in outlook if I use the hostname I get 0 error. But if I do that in Gmail I get error.
This lends to the theory that @GOT had that the site doesn't have a valid certificate. When this occurs the certificate for the hostname is used instead.
 

PDW

Certificates validate and return back just like they are supposed to. Everything directs like it has for the past 10 years. Been running servers for the past 30 years and ya, this has me stumped. I am just thinking it's something Google is doing, considering I can go to one of my less-used Gmail accounts and it works fine for those same domain names and email addresses with 0 errors.
 

sosa237

Registered
Apr 10, 2020
3
0
1
United Kingdom
cPanel Access Level
Website Owner
Hello, I also face this same difficulty. I have been trying to send a mail from my Gmail using my website webmail, which I linked a month ago. It's not working; this issue is quite new. PLEASE could anyone help me out on this!!!!!!!!!!!!!!!!!!
 

cPanelLauren

Now I'm checking my own account in Gmail that I have set up. Incoming set as always use a secure connection and port 995 then when I check "Send mail as"
Mail is sent through: mail.mydomain.tld
Secured connection on port 587 using TLS
Send mail as those accounts and I see them going through without issue. I am confirming the TLS connection in /var/log/exim_mainlog as well, they're using:
Code:
X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128
Because Bitdefender also gives a similar error it's doubtful it's just Gmail's issue. Can you PM me the domain name experiencing the issue?
 

sosa237

PDW said:
> Certificates validate and return back just like they are supposed to. Everything directs like it has for the past 10 years. Been running servers for the past 30 years and ya, this has me stumped. I am just thinking it's something Google is doing, considering I can go to one of my less-used Gmail accounts and it works fine for those same domain names and email addresses with 0 errors.

How did you make that work, please? I really need to solve this issue.
 

sosa237

Hey, please, could you by any chance help me work this out??
 

SizzlingPopcorn

Registered
Apr 11, 2020
1
0
0
Canada
cPanel Access Level
Website Owner
I'm having the same issue. I was able to send emails earlier this week, but it stopped working as of Wednesday.

I've been in support chats with GoDaddy and they keep changing things up (worst CX) without telling me and then the next person changes them again. I've tried all ports and mail.domain.ca vs domain.ca.

I just tried setting up a new email to see if it was a one-off, but the same issue exists with the test email address.
 

lorizb

Registered
Apr 14, 2020
1
0
1
South Florida
cPanel Access Level
Website Owner

PDW

Right now it appears that my problem is attached to running ASSP. I have ASSP Deluxe through the GRscripts ASSP Deluxe interface. Disabling ASSP Deluxe entirely got me back up and running. I am emailing back and forth with the developer, troubleshooting now. So maybe others are running additional protection scripts causing the mismatch issue. I'll update this when I get this fixed entirely. But so far, my issue is with ASSP Deluxe and disabling it entirely worked.
 

cPanelLauren

Thanks for the note on ASSP, @PDW. Could be that folks running MailScanner as well are having an issue, though unsure. Also, thank you @lorizb for sharing the Gmail thread; I looked for one initially but was unable to find one.

A lot of folks in that thread are changing their SMTP server setting. So I'd like to ask all of you experiencing this issue to do the following:

- Determine what your SMTP server setting should be. This can be found in cPanel>>Email>>Email Accounts>>Connect Device
- Typically this is mail.yourdomain.tld
- Go to Gmail>>Settings>>Accounts and Import -> Send Mail As -> Edit Info (next to the account you're modifying)
- Ensure the settings on the first screen are correct (most likely you won't need to change those)
- Click Next Step
- On this page you'll do the following:

SMTP Server: mail.yourdomain.tld (or whatever you found)
Port: 587
Username: [email protected]
Password: your email password
Select Secured connection using TLS

And let me know if this works
 

KD-digital

Registered
Apr 14, 2020
2
0
1
Uruguay
cPanel Access Level
Website Owner
Hello everyone!
I did the test verifying the SMTP as @cPanelLauren recommends and it was not solved.

Could it be something in the settings in my DNS? It works for some and not for me, so I want to discard all the options.

I appreciate your help
KD
 

sgpascoe

Registered
Apr 15, 2020
2
0
1
England, United Kingdom
cPanel Access Level
Website Owner
@cPanelLauren

My cPanel host is companyname.com:2082.

These are the instructions given to me by cPanel's 'connect devices' section:
[Screenshot: 1586952906216.png]

I then enter these into Gmail using SSL:

[Screenshot: 1586953012999.png]

"TLS Negotiation failed, the certificate doesn't match the host., code: 0"

And then when using TLS, it takes a long time and appears to time out:

[Screenshot: 1586953123451.png]

We're following the instructions, but it just doesn't work. Hopefully you can see even with blurring, the addresses are the same in the boxes.


What do we do?