The Community Forums


SSL verify error: certificate name mismatch

Discussion in 'E-mail Discussions' started by Legendary, Dec 9, 2015.

  1. Legendary (Legendary Member, joined Aug 13, 2015; cPanel Access Level: Root Administrator)
    Hello,

    I have a couple of cPanel servers and today I noticed an SSL issue when sending/receiving emails.

    Log from the sending server:

    Code:
    2015-12-09 15:53:35 000000-000000-00 H=(sender.com) [127.0.0.1]:38655 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (1.0)"
    2015-12-09 15:53:35 000000-000000-00 <= user@sender.com H=(sender.com) [127.0.0.1]:38655 P=esmtpa A=dovecot_login:user@sender.com S=664 id=1690a688b06532d619d47043c79f3b91@sender.com T="Test" for user@recipient.com
    2015-12-09 15:53:35 000000-000000-00 SMTP connection outbound 1449694415 000000-000000-00 sender.com user@recipient.com
    2015-12-09 15:53:55 000000-000000-00 [xxx.xxx.xxx.xxx] SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server.otherserver.com"
    2015-12-09 15:54:21 000000-000000-00 => user@recipient.com R=dkim_lookuphost T=dkim_remote_smtp H=recipient.com [xxx.xxx.xxx.xxx] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK id=AAAAAA-AAAAAA-AA"
    2015-12-09 15:54:21 000000-000000-00 Completed
    Take note of the following:

    Code:
    SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server.otherserver.com"
    Code:
    H=recipient.com


    Emails are being sent and received without any problems, but shouldn't the certificate be the domain's, not the server's? Both the server and the domain have valid non-self-signed SSL certs. Would appreciate assistance with this. Thanks!
     
    #1 Legendary, Dec 9, 2015
    Last edited: Dec 10, 2015
  2. Legendary (Legendary Member, joined Aug 13, 2015; cPanel Access Level: Root Administrator)
    Update: changing the recipient's MX entry from the default recipient.com to server.otherserver.com seems to solve this problem. However now I'm not sure what Mail SNI's purpose is. Isn't it supposed to cater to this very problem (i.e., certificate mismatches and ensuring the correct SSL cert is used for their corresponding domains)?
     
  3. cPanelMichael (Forums Analyst, Staff Member, joined Apr 11, 2011; cPanel Access Level: Root Administrator)
    Hello :)

    You will notice this with Exim 4.86 based on the following changes:

    Code:
    JH/04 Certificate name checking on server certificates, when exim is a client,
      is now done by default.  The transport option tls_verify_cert_hostnames
      can be used to disable this per-host.  The build option
      EXPERIMENTAL_CERTNAMES is withdrawn.
    
    JH/06 Verification of the server certificate for a TLS connection is now tried
      (but not required) by default.  The verification status is now logged by
      default, for both outbound TLS and client-certificate supplying inbound
      TLS connections
    What hostname is the user entering for outbound email in their email client?

    Thank you.
     
  4. Legendary (Legendary Member, joined Aug 13, 2015; cPanel Access Level: Root Administrator)
    Hello Michael,

    Thanks for responding.

    I'm not sure if the sender's outbound mail server settings matter in this case as the error is logged by the sending server, meaning the issue is with the recipient server's mail SSL setup.

    1. Send mail from user@example1.com (on server some.hostname1.com) to user@example2.com (on server some.hostname2.com)
    2. Email is received by the server some.hostname2.com and is delivered to user@example2.com
    3. All seems fine but an error is logged in some.hostname1.com's /var/log/exim_mainlog:
    Code:
    SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=some.hostname2.com"
    As mentioned above, a workaround for this issue is changing cPanel's default MX entry for the recipient (in this case, example2.com) to the server's hostname. Then again, what is the whole point of having mail SNI if we're required to do this?

    This isn't an urgent issue as emails are being sent and received - I just happened to come across this issue and figured I'd ask if this behavior is 100% intentional or if it's a bug. Hope this makes sense and thanks for your time!
     
  5. cPanelMichael (Forums Analyst, Staff Member, joined Apr 11, 2011; cPanel Access Level: Root Administrator)
    The "Mail SNI" functionality is designed to prevent certificate mismatch warnings in the user's email client. The notification in /var/log/exim_mainlog is separate and related to the changes in Exim 4.86 referenced in my earlier response. Note that while you see the warning messages in /var/log/exim_mainlog, it should not result in any issues with mail delivery by default.

    Thank you.
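As an added example (not code from the thread, from cPanel or from Exim), the following Python script does offline what an operator would want after reading the Exim 4.86 changelog quoted in post 3 and the Mail SNI explanation in post 5: it scans exim_mainlog-style lines for the "SSL verify error: certificate name mismatch" message, ties each one to the "=>" delivery line carrying the same message ID, and reports the MX host Exim actually connected to (H=) against the CN in the certificate it was shown, plus whether delivery still completed unverified (CV=no). The hostname_matches() function is a simplified RFC 6125 name comparison, not Exim's own code; the sample log lines are constructed to mirror the redacted ones in the thread, with RFC 5737 documentation addresses standing in for the real IPs.

```python
"""Find Exim outbound deliveries whose server certificate did not verify.

Added example for this thread, not code from cPanel or Exim.  It parses
exim_mainlog-style lines offline, pairs each "SSL verify error: certificate
name mismatch" line with the "=>" delivery line of the same message ID, and
reports the MX host Exim dialled (H=) against the certificate CN it received.
The host-name check is a simplified RFC 6125 comparison, not Exim's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in exim_mainlog format, modelled on the thread's redacted
# log.  Message IDs, queue IDs and addresses are placeholders (RFC 5737 IPs).
SAMPLE_LOG = """\
2015-12-09 15:53:35 000000-000000-00 <= user@sender.com H=(sender.com) [127.0.0.1]:38655 P=esmtpa A=dovecot_login:user@sender.com S=664 T="Test" for user@recipient.com
2015-12-09 15:53:55 000000-000000-00 [192.0.2.10] SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server.otherserver.com"
2015-12-09 15:54:21 000000-000000-00 => user@recipient.com R=dkim_lookuphost T=dkim_remote_smtp H=recipient.com [192.0.2.10] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK id=AAAAAA-AAAAAA-AA"
2015-12-09 15:54:21 000000-000000-00 Completed
2015-12-09 16:00:01 000000-000000-01 => user@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mail.example.net [198.51.100.5] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 OK id=BBBBBB-BBBBBB-BB"
"""

# "<ts> <msgid> [<ip>] SSL verify error: certificate name mismatch: "<subject>""
VERIFY_ERR = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) \[(?P<ip>[^\]]+)\] '
    r'SSL verify error: certificate name mismatch: "(?P<subject>[^"]+)"'
)
# "<ts> <msgid> => <rcpt> ... H=<host> [<ip>] X=<tls> CV=<yes|no> ..."
DELIVERY = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) => (?P<rcpt>\S+) .*?'
    r'H=(?P<host>\S+) \[(?P<ip>[^\]]+)\] X=(?P<tls>\S+) CV=(?P<cv>\S+)'
)


@dataclass
class UnverifiedDelivery:
    msg_id: str
    recipient: str
    mx_host: str          # the host Exim connected to, i.e. the MX target
    ip: str
    tls: str
    cert_cn: Optional[str]  # None: CV=no for a reason other than a name mismatch
    cert_matches_mx: bool


def cn_from_subject(subject: str) -> Optional[str]:
    """Pull the CN out of an OpenSSL one-line subject such as /OU=.../CN=host."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:].strip().lower()
    return None


def hostname_matches(host: str, names: List[str]) -> bool:
    """Simplified RFC 6125 check: case-insensitive exact match, or a leftmost
    wildcard (*.example.com) that covers exactly one label.  Pass the SAN
    dNSNames here when you have the certificate; Exim's log shows only the CN."""
    host = host.lower().rstrip(".")
    host_labels = host.split(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        labels = name.split(".")
        if labels[0] == "*" and len(labels) > 2 and labels[1:] == host_labels[1:]:
            return True
    return False


def find_mismatches(log_text: str) -> List[UnverifiedDelivery]:
    """Return one record per delivery that went out with CV=no, annotated with
    the certificate CN from the verify-error line of the same message ID."""
    cert_cn_by_id: Dict[str, str] = {}
    results: List[UnverifiedDelivery] = []
    for line in log_text.splitlines():
        m = VERIFY_ERR.match(line)
        if m:
            cn = cn_from_subject(m.group("subject"))
            if cn:
                cert_cn_by_id[m.group("id")] = cn
            continue
        m = DELIVERY.match(line)
        if m and m.group("cv") == "no":
            cn = cert_cn_by_id.get(m.group("id"))
            results.append(UnverifiedDelivery(
                msg_id=m.group("id"),
                recipient=m.group("rcpt"),
                mx_host=m.group("host"),
                ip=m.group("ip"),
                tls=m.group("tls"),
                cert_cn=cn,
                cert_matches_mx=cn is not None and hostname_matches(m.group("host"), [cn]),
            ))
    return results


if __name__ == "__main__":
    for r in find_mismatches(SAMPLE_LOG):
        print(f"{r.msg_id}: delivered to {r.recipient} via MX {r.mx_host} [{r.ip}] "
              f"over {r.tls} but UNVERIFIED (cert CN={r.cert_cn}, "
              f"matches MX host: {r.cert_matches_mx})")
```

Run against the sample it prints one line for the recipient.com delivery and nothing for the CV=yes one. The same hostname_matches() call explains the poster's workaround: with the MX record changed to server.otherserver.com, the H= host and the CN are identical and the check passes, so Exim logs CV=yes; Mail SNI does not enter into it, because it governs which certificate the cPanel server presents to a connecting mail client, while the warning here is produced by the sending MTA comparing the MX hostname it dialled against the certificate it received.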