Gmail TLS Negotiation failed

twintone

Is there anyone who can confirm this change to port 587 has worked for them? We have a bunch of clients with this issue, but of course they aren't very savvy. I don't currently have a test account to test with. If someone can confirm, I can let clients know what to change.
 

cPanelLauren

Technical Support Community Manager
Staff member
Nope, it was an effort to see if it worked. My account is able to use Gmail without issue, so it's not affecting everyone, but from what I was seeing in the Google thread here: Problem: "TLS Negotiation failed, the certificate doesn't match the host." - Gmail Community, it looked like the key was in the server name being used. If the name doesn't exist, or if it is associated with the hostname which uses a different certificate, this is going to fail. If you're using a self-signed certificate, this will fail. If the server name, i.e., mail.domain.tld, is not covered under the SSL, this will fail. This is a result of stricter security in place for Google. This is not something that cPanel has any control over.

It's best explained here: https://support.google.com/mail/thread/38336515?msgid=39890656
 

PDW

Hey guys, so just updating on this thread, should be my final. So I got this resolved, and it was my ASSP spam filters that were causing the issue. I use GRscripts ASSP Deluxe and he helped me nail it down. I have been using it for a while now and I had version 1.9.9 of ASSP (even though his interface showed updated, it wasn't); there was version 2.6..... so I had to do a big update on ASSP, and after following all of his steps I was back to working just fine and figured it all out. So maybe with others, check to see what the mailscanner, ASSP, etc. is using for the SSL cert and working with SNI.
 

WagnerCoelho33

Hello cPanelLauren, any real solution to the problem? So far the problem seems unsolved!
 

cPanelLauren

Technical Support Community Manager
Staff member
Hello,


While I appreciate that, @WagnerCoelho33, the solution provided there is not a real solution. The problem is not on GoDaddy's end; this is a result of a change that Gmail made to strengthen their security. The solution from what I see right now is to ensure that there is no certificate mismatch on any of the properties associated with the hostname or MX record. You should not use the hostname as the SMTP server; this incorrectly bypasses the domain-specific certificate if one exists. Furthermore, many using this found that they had the hostname in prior and it no longer works.
 

WagnerCoelho33

Okay, I removed the responsibility for the problem from my post! Enjoy my provisional solution!
 

jmvcolorado

@PDW I'm wondering if you'd be willing to share what settings you used in Gmail to get this working with ASSP. I've got a client (domain2.com) on my server (primary account is domain1.com) that uses Gmail for all of their email accounts on my server.

ASSP is set up on my hostname (admin.domain1.com). The client has been using admin.domain1.com as their server setting for Gmail SMTP for years without issue. But now I'm second-guessing if they should be continuing to use this, or switch this to what cPanel says they should be using, which is mail.domain2.com.

FWIW, neither of these, nor trying ports 465 and 587, are working for them. I did just enable SNI for ASSP, but I'm not sure if this will help.
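
An added example, not part of any post in this thread: a Python check of the point the replies above make, that the certificate served on the SMTP port must cover the server name entered in Gmail. The function names and the sample certificate dicts are constructed for illustration (using the placeholder names from the post above), and the name matching is a simplification of what a real TLS client does.

```python
import smtplib
import ssl


def name_covered(cert, server_name):
    """True if server_name matches a DNS subjectAltName entry.

    cert is a dict in ssl.getpeercert() format. Simplified matching: exact
    names, plus a wildcard standing for one whole left-most label.
    """
    host = server_name.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            label, _, parent = host.partition(".")
            if label and parent == pattern[2:]:
                return True
    return False


def check_smtp_name(server_name, port=587, timeout=10):
    """STARTTLS with SNI set to server_name; report what a strict client sees."""
    ctx = ssl.create_default_context()  # chain must lead to a trusted CA
    ctx.check_hostname = False          # names are compared below instead
    try:
        with smtplib.SMTP(server_name, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)  # smtplib passes server_name as SNI
            cert = smtp.sock.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "chain not trusted: " + exc.verify_message
    if name_covered(cert, server_name):
        return "ok"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return "name mismatch, certificate covers: " + ", ".join(names)


# Constructed samples using the placeholder names from the post above.
HOSTNAME_CERT = {"subjectAltName": (("DNS", "admin.domain1.com"),)}
DOMAIN_CERT = {"subjectAltName": (("DNS", "domain2.com"), ("DNS", "*.domain2.com"))}

if __name__ == "__main__":
    for cert in (HOSTNAME_CERT, DOMAIN_CERT):
        for name in ("admin.domain1.com", "mail.domain2.com"):
            print(name, name_covered(cert, name))
```

check_smtp_name applies to STARTTLS ports such as 587; port 465 starts TLS immediately and would need smtplib.SMTP_SSL instead.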
 

paul.81property

I have the same issue.
I just use the following:

SMTP Server: Copy the shared server host name from the cPanel URL. The host name is between https:// and :2083/, so in this example case the correct host name would be n3plcpnl0082.prod.ams3.secureserver.net (don't use the mail.(domain).com)
Port: 587
Username: [email protected]
Password: user password

Secured connection using TLS (recommended).

Hope it will work for you guys.
 

gabrielmotta

I had the same problem, and last week I configured it as WagnerCoelho33 mentioned and everything is working.
The main domain of your server must be https, and you only put this domain into the SMTP SERVER box in Gmail, select port 465, SSL, username, pass and save.
Gmail will send an email with a confirmation code.
 

bigworm50

@jmvcolorado I also use ASSP.

The dev for the cPanel plugin said this:

It's a known issue. It happens because Gmail wants an immediate reply from the server, so if you have all ASSP workers temporarily busy, Gmail auth will refuse the request.

Solution: increase the number of ASSP workers 2 or 3 steps and try again.

Solution: this solution will work in any situation. Set port 465 SSL as an EXIM-only port using this how-to, http://www.grscripts.com/howtofaq.html#skip_assp_ports, and connect using port 465 SSL.

Increasing the workers had no effect. Setting port 465 as an EXIM-only port is not a desirable solution, as that bypasses ASSP.

I have investigated the issue as well as had support at my colo investigate. My certificates, hostnames, reverse dns, etc. are all correct. I believe this is a Google problem and only they can fix it.


 

PDW

I have been having no issues once I upgraded to ASSP V2 and set the certificate in ASSP to use the cPanel SSL cert and then also set SNI up for the domains. It was a very long and tedious process, but it worked. Very frustrating for sure.
 