Community

Using Gmail with Axigen

Hi All,

Good day!
I’m using axigen-10.3.1-1.x86_64 on CentOS 7.7
I’m trying to configure Gmail to use my Axigen account for sending out some emails.
In Axigen, I created a LetsEncrypt SSL cert and I have configured the SSL settings for the SMTP Receiving service to use the new SSL cert.

Now when I try to configure Gmail to use my Axigen server, it shows this error message:
“TLS Negotiation failed, the certificate doesn’t match the host., code: 0”

I’ve already tried to:
. tick all the options in the “Allow the following SSL versions” under SSL SETTINGS.
. use SSL with port 465
. use TLS with port 465
. use SSL with port 587
. use TLS with port 587

I already checked that:
. the server’s hostname matches the name of the SSL cert
. the user’s domain matches the domain of the hostname and the SSL cert

And this is what I see in the Axigen logs:

==========
2020-07-26 18:35:56 +0800 16 mail SMTP-IN:00000000: << SSL: client hello, remote 209.85.221.47:38262, version TLS 1.3 (0304)
2020-07-26 18:35:56 +0800 16 mail SMTP-IN:00000000: << SSL: client hello, remote 209.85.221.47:38262, session id 6cbef0f6e189223b39bb323ae82c205f845e5114e8838b50366aa93445965f33
2020-07-26 18:35:56 +0800 16 mail SMTP-IN:00000000: << SSL: client hello, remote 209.85.221.47:38262, 19 cipher suites: aaaa130113021303c02bc02fcca9cca8c02cc030c009c013c00ac014009c009d002f0035000a
2020-07-26 18:35:56 +0800 16 mail SMTP-IN:00000000: << SSL: client hello, remote 209.85.221.47:38262, sni extension for mail.this_is_the_domain.com
2020-07-26 18:35:56 +0800 16 mail SMTP-IN:00000000: >> SSL: server hello, remote 209.85.221.47:38262, version TLS 1.3 (0304)
2020-07-26 18:35:56 +0800 16 mail SMTP-IN:00000000: >> SSL: server hello, remote 209.85.221.47:38262, session id 6cbef0f6e189223b39bb323ae82c205f845e5114e8838b50366aa93445965f33
2020-07-26 18:35:56 +0800 16 mail SMTP-IN:00000000: >> SSL: server hello, remote 209.85.221.47:38262, cipher suite 1302
2020-07-26 18:35:56 +0800 16 mail SMTP-IN:00000000: >> SSL: server write cert, remote 209.85.221.47:38262, version TLS 1.3 (0304)
2020-07-26 18:35:56 +0800 16 mail SMTP-IN:00000000: previous line is repeated 1 time.
2020-07-26 18:35:56 +0800 16 mail SMTP-IN:00000000: >> SSL: server write cert, remote 209.85.221.47:38262, certificate 1: serial 0361E59EF4DC54B28108F2AF2DE905C85057
2020-07-26 18:35:56 +0800 08 mail SMTP-IN:00211FE7: [a.b.c.d:465] connection accepted from [209.85.221.47:38262]
2020-07-26 18:35:56 +0800 16 mail SMTP-IN:00211FE7: >> 220 mail.this_is_the_domain.com Axigen ESMTP ready
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: << EHLO mail-wr1-f47.google.com
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: Greylist disabled
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: Set max data size to 30720 KB
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: Set max received headers to 30
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: Maximum recipient count set to 1000
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: Wait for processing response at least 10 seconds
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: STARTTLS extension allowed
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: 8BIT MIME accepted
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: BINARY DATA extension allowed
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: PIPELINING extension allowed
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: DSN extension denied
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: Set local delivery to all
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: Set remote delivery to auth
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: >> 250-mail.this_is_the_domain.com Axigen ESMTP hello
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: >> 250-PIPELINING
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: >> 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: >> 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: >> 250-8BITMIME
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: >> 250-BINARYMIME
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: >> 250-CHUNKING
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: >> 250-SIZE 31457280
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: >> 250-HELP
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: >> 250 OK
2020-07-26 18:35:57 +0800 16 mail SMTP-IN:00211FE7: >> 421 mail.this_is_the_domain.com error reading data
2020-07-26 18:35:57 +0800 08 mail SMTP-IN:00211FE7: closing session from [209.85.221.47]
2020-07-26 18:36:00 +0800 02 mail SERVER:00000000: previous line is repeated 1 time.
2020-07-26 18:36:00 +0800 02 mail SERVER:00000000: SSL_accept error (Success)
==========

Any suggestions would be greatly appreciated.
Thank you very much.

Did you configured ssl configuration in listeners with below cypher suite?
https://www.axigen.com/documentation/a-grade-ssl-listeners-p3277035

1 Like

Hi Mohammad,

Thank you very much for the suggestion.
I have just tried out the settings from that doc.
However I’m still getting the same error.

Hello,

Because the error is mentioning that the certificate doesn’t match the host this should point somehow that the certificate served by your Axigen server does not match for the hostname used for the secured connection.

Let’s say that you have obtained the certificate for mail.my-special-domain.tld and you have installed it in Axigen on a listener using 0.0.0.0:465.

Now, you should be able to double check the certificate using an online tool like:

Note: you should specify the server name like mail.my-special-domain.tld:465 otherwise it will check the certificate from the default port (which is the one for HTTPS = 443)

or you may also check it by yourself using openssl like:

$ openssl s_client -connect mail.my-special-domain.tld:465 -crlf
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mail.my-special-domain.tld
verify return:1
---
Certificate chain
 0 s:/CN=mini.axigen.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
...
---
220 mail.my-special-domain.tld Axigen ESMTP ready
quit
221-mail.my-special-domain.tld ESMTP is closing connection
221 Good bye

HTH,
Ioan

1 Like

Hi loan,

Thank you very much for the help.
Here is what I got using that openssl command:

$ openssl s_client -connect mail.this_is_the_domain.com:465 -crlf
CONNECTED(00000003)
depth=0 CN = mail.this_is_the_domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mail.this_is_the_domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=mail.this_is_the_domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---

...

It said “unable to get local issuer certificate”, so I went to the SSL settings of the SMTP Receiving Listener on port 465 and I entered this for the “Certificate authorities file” textbox:

letsencrypt/mail.this_is_the_domain.com/cert_auth.pem

After that, this is what I got with openssl:

$ openssl s_client -connect mail.this_is_the_domain.com:465 -crlf 
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mail.this_is_the_domain.com
verify return:1
---
Certificate chain
 0 s:/CN=mail.this_is_the_domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

...

Then I tried it again with Gmail, and it’s working now!
Thank you very much!

Hello,

Glad to know that you find the problem and correct it.

BR,
Ioan