I have set up an email server using docker-mailserver.
DKIM, SPF, and DMARC are configured fine.
SSL was set up using Let's Encrypt. Server has TLS and STARTTLS enabled.
I ran a TLS/SSL test on https://www.checktls.com/TestReceiver , and it said that my SSL works fine:
I am able to use Mozilla Thunderbird to receive and send email via the server:
However, when logging in to Thunderbird to receive email via IMAP, or when sending via SMTP, I see this warning (I am still able to send and receive email if I click on the "Confirm Security Exception" button.)
I checked a couple of other email TLS/SSL testing sites (1 and 2), and they seem to think my certs are not set up correctly ("The certificate doesn't match hostname").
Thoughts?
Update: I've managed to reach the point where imap.domainname.com is recognized by Thunderbird to have a valid certificate, but not imap.domainname.com:143. What would be a fix for this please?
The error message says exactly what your screenshots show: the hostname in the certificate does not match. You check your certificate with mail.yourdomain.com, and it says valid, so you created your certificate exactly for this hostname. You configure Thunderbird to use imap.yourdomain.com.
Unless you configured your certificates to contain subject alternative names and include "imap.yourdomain.com" the error message is absolutely correct.
By default every certificate includes exactly one hostname, and that has to match.
Another possibility would be to purchase a wildcard certificate *.yourdomain.com. Wildcard certificates are usually more expensive, while normal certificates with subject alternative names can even be free when using Let's Encrypt and renewing them every 90 days.
This is a mismatch between the mail.example.com in the certificate and imap.example.com and smtp.example.com in the client configuration. You could either:

Autoconfigure using DNS SRV records

The standardized way (RFC 6186) for locating email submission & access servers would be using DNS SRV records. With this you could specify that both IMAP and SMTP submission are served from mail.example.com.

Thunderbird's Autoconfiguration

Unfortunately, Thunderbird doesn't currently support SRV records (and, according to the conversation on Bug 342242, isn't likely to implement it). However, it has another implementation for Autoconfiguration: you can serve an XML configuration file from http://autoconfig.example.com/mail/[email protected] with e.g.

If Thunderbird doesn't find such a configuration file at that location, it defaults to using the addresses imap.example.com and smtp.example.com unless you choose manual configuration.

Adding those addresses to your certificate

Alternatively, you could add those addresses to your certificate. Torsten already mentions this possibility, but suggests it would only be possible using paid wildcard certificates. That's not exactly true, as:

Let's Encrypt ACMEv2 supports wildcards, although configuring it requires some experience.
It's not necessary to have a wildcard certificate to cover these three hostnames as subject alternative names (SAN). It's possible to expand the existing certificate using Certbot, e.g.
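Both answers above come down to the same check: does any subject alternative name in the certificate the server presents cover the hostname the client was told to connect to? The script below is an added example for this thread, not code from the question, the answers, or docker-mailserver. It implements the dNSName matching rules (exact, case-insensitive, or a wildcard covering exactly one leftmost label) on top of the dict that Python's `ssl` module returns from `getpeercert()`, and it fetches that dict over the same paths a mail client uses: implicit TLS on 993/465, or plaintext IMAP/SMTP followed by STARTTLS on 143/587. The hostnames, ports and `SAMPLE_PEERCERT` are constructed to mirror the question (a certificate issued for mail.example.com only); replace them with your own.

```python
"""Report which hostnames a mail server's certificate actually covers.

Added example for this thread; the hostnames, ports and sample
certificate dict are constructed, not taken from the question.
"""
import imaplib
import smtplib
import socket
import ssl
from typing import Optional


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 rules).

    Case-insensitive. A wildcard is only honoured as the whole leftmost
    label ("*.example.com") and covers exactly one label, so it matches
    "imap.example.com" but neither "example.com" nor "a.imap.example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def san_dns_names(peercert: dict) -> list:
    """Pull the dNSName entries out of an ssl.SSLSocket.getpeercert() dict."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_covered(hostname: str, peercert: dict) -> bool:
    """True if any SAN dNSName covers hostname.

    The port is deliberately not a parameter: certificates name hosts,
    so imap.example.com:143 and imap.example.com:993 are the same question
    as far as matching goes. What can differ per port is which certificate
    the listener presents, which is why fetch_peer_cert() goes through the
    same STARTTLS or implicit-TLS path the client would use.
    """
    return any(dns_name_matches(san, hostname) for san in san_dns_names(peercert))


# Constructed sample in the shape getpeercert() returns: a certificate
# issued for mail.example.com only, as in the question.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
}


def fetch_peer_cert(host: str, port: int, starttls: Optional[str] = None) -> dict:
    """Fetch the certificate presented on host:port.

    starttls=None   implicit TLS (IMAPS 993, SMTPS 465)
    starttls="imap" plaintext IMAP then STARTTLS (143)
    starttls="smtp" plaintext SMTP then STARTTLS (587 / 25)

    The chain is still validated against the system trust store
    (verify_mode stays CERT_REQUIRED, so a Let's Encrypt chain passes);
    only Python's hostname check is turned off so a mismatching
    certificate is returned for inspection instead of raising.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if starttls == "imap":
        conn = imaplib.IMAP4(host, port)
        conn.starttls(ssl_context=ctx)
        cert = conn.sock.getpeercert()
        conn.logout()
    elif starttls == "smtp":
        conn = smtplib.SMTP(host, port)
        conn.starttls(context=ctx)
        cert = conn.sock.getpeercert()
        conn.quit()
    else:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    return cert


def check_port(host: str, port: int, starttls: Optional[str] = None):
    """Return (covered, san_list) for the certificate served on host:port."""
    cert = fetch_peer_cert(host, port, starttls)
    return hostname_covered(host, cert), san_dns_names(cert)


if __name__ == "__main__":
    # Hypothetical hostnames; swap in the ones Thunderbird is configured with.
    for host, port, mode in [("imap.example.com", 993, None),
                             ("imap.example.com", 143, "imap"),
                             ("smtp.example.com", 465, None),
                             ("smtp.example.com", 587, "smtp")]:
        try:
            ok, sans = check_port(host, port, mode)
            print(f"{host}:{port} -> {'match' if ok else 'MISMATCH'}; SANs={sans}")
        except (OSError, ssl.SSLError, imaplib.IMAP4.error, smtplib.SMTPException) as exc:
            print(f"{host}:{port} -> error: {exc}")
```

Run it against each host:port pair Thunderbird uses; a line reporting MISMATCH with a SAN list that only contains mail.example.com is the condition both answers describe, and the fix is either to point the client at a name in that list or to expand the list. Because the chain is still verified, a self-signed or expired certificate fails before the hostname check, which keeps the two failure modes apart.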
In my case, the problems began after an update to Thunderbird 78.5. I've solved the problems (in a limited way) after following the instructions in
https://stackoverflow.com/questions/63947262/thunderbird-78-how-to-add-security-exception
You'll have to add the port values (separated with commas, if you have several ports) in about:config in Thunderbird to the keyword
The solution wasn't perfect: I have to deactivate the email shield in Avast to be able to send or receive email.