imap from gmail

ceichelberger · October 21, 2025, 3:05pm

Getting the following error while trying to do a migration from gmail to axigen. I have tried a let’s encrypt and a Setigo. No luck. Any help appreicated.

Search A for ‘imap.gmail.com’ (EDNS is on)
2025-09-30 15:56:35 +0000 08 mail DNR:00000009: Sending query (1/1) to 1.1.1.1:53
2025-09-30 15:56:35 +0000 08 mail DNR:00000009: ‘imap.gmail.com’ found A ‘142.250.138.108’
2025-09-30 15:56:35 +0000 08 mail DNR:00000009: ‘imap.gmail.com’ found A ‘142.250.138.109’
2025-09-30 15:56:35 +0000 16 mail MIGRATION:00000000: >> SSL: client hello, remote 142.250.138.109:993, session id 203626cebe93485b30723f3ecec50060ec41f5d7a68361a8c4f73bf428cdce2e
2025-09-30 15:56:35 +0000 16 mail MIGRATION:00000000: >> SSL: client hello, remote 142.250.138.109:993, 31 cipher suites: 130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff
2025-09-30 15:56:35 +0000 16 mail MIGRATION:00000000: >> SSL: client hello, remote 142.250.138.109:993, supported version TLS 1.3 (0304) TLS 1.2 (0303) TLS 1.1 (0302) TLS 1.0 (0301)
2025-09-30 15:56:35 +0000 16 mail MIGRATION:00000000: << SSL: server hello, remote 142.250.138.109:993, version TLS 1.3 (0304)
2025-09-30 15:56:35 +0000 16 mail MIGRATION:00000000: << SSL: server hello, remote 142.250.138.109:993, session id 203626cebe93485b30723f3ecec50060ec41f5d7a68361a8c4f73bf428cdce2e
2025-09-30 15:56:35 +0000 16 mail MIGRATION:00000000: << SSL: server hello, remote 142.250.138.109:993, cipher suite 1302
2025-09-30 15:56:35 +0000 16 mail MIGRATION:00000000: << SSL: server hello, remote 142.250.138.109:993, version TLS 1.2 (0303)
2025-09-30 15:56:35 +0000 16 mail MIGRATION:00000000: << SSL: server hello, remote 142.250.138.109:993, version TLS 1.2 (0303)
2025-09-30 15:56:35 +0000 16 mail MIGRATION:00000000: << SSL: server hello, remote 142.250.138.109:993, version TLS 1.3 (0304)
2025-09-30 15:56:35 +0000 02 mail MIGRATION:00000000: SSL alert remote 142.250.138.109:993, undefined:fatal:unknown CA
2025-09-30 15:56:35 +0000 02 mail MIGRATION:00000000: SSL error remote 142.250.138.109:993, SSL_connect:failed in error
2025-09-30 15:56:35 +0000 02 mail MIGRATION:00000000: 142.250.138.109:993 SSL_connect error: error:0A000086:SSL routines::certificate verify failed

indreias · October 21, 2025, 3:50pm

Hello Charles,

Yes, this is the expected result as Gmail is providing a self signed certificate if its endpoints are accessed by IP (which is Axigen case) and not by name (so you do not provide the so-called SNI information when the SSL handshake occurs).

If you are using Linux please add the following line in your /etc/default/axigen (DEB system) or /etc/sysconfig/axigen (RPM system) file (preferable at the end of it):

export AXI_MIGRATION_OPT_X_TLS_IGNORE_CERT=1

and restart the axigen service.

In such way the self signed certificate provided by servers used for migration purposes will be no more rejected.

HTH,
Ioan

PS: If you really like to double-check please compare the results of the following 2 openssl commands:

$ openssl s_client -connect ``imap.gmail.com:993`` -crlf

Here you will get a certificate like:

subject=CN = imap.gmail.com
issuer=C = US, O = Google Trust Services, CN = WR2

$ openssl s_client -connect 64.233.167.109:993 -crlf

Here you will get a certificate like:

subject=OU = "No SNI provided; please fix your client.", CN = invalid2.invalid
issuer=OU = "No SNI provided; please fix your client.", CN = invalid2.invalid