Outgoing SSL error, GMail emails get rejected
I recently did some server tinkering after a bit of trouble with an expired SSL certificate.
I didn't know what I was doing and made a bit of a mess, frankly. Unfortunately, this was some months ago and I don't remember exactly what I did. I was careful not to manually edit any files outside of my webserver... but who knows.
More recently I upgraded VestaCP and enabled the inbuilt LetsEncrypt auto-renewal.
Yesterday, I tried sending an email for the first time from the associated account, and I got the following message in Thunderbird:
Sending of the message failed. The message could not be sent because the connection to Outgoing server (SMTP) mail.domain.com timed out. Try again.
If I use plain authentication I can send emails.
Also, more worryingly, I noticed that if I tried sending emails to it from my Gmail account, they all come back with a Delivery Status Notification email saying '454 TLS currently unavailable'.
Here's my exim4 mainlog from today:
https://gist.github.com/hedgehog90/14b4 ... 058ab3a44d
I noticed when I tried to send an email from my gmail account:
2017-02-16 07:49:05 TLS error on connection from mail-wr0-f195.google.com [209.85.128.195] (cert/key setup: cert=/usr/local/vesta/ssl/certificate.crt key=/usr/local/vesta/ssl/certificate.key): Error while reading file.
and when I tried to send an email from the account in question:
2017-02-16 08:00:03 no host name found for IP address 81.174.188.154
2017-02-16 08:00:03 TLS error on connection from [81.174.188.154] (cert/key setup: cert=/usr/local/vesta/ssl/certificate.crt key=/usr/local/vesta/ssl/certificate.key): Error while reading file.
So I checked and found the likely problem. I had replaced the crt and key files with symlinks pointing to /usr/local/vesta/data/users/[username]/ssl/[domain.com].crt and key respectively, but they are owned as root:root and have 0777 permissions.
Can I keep them as symlinks for the sake of convenience? If not, why? What should the owner/permissions be set to?
Also, here are some recent DNS/MX checks reporting errors with the DKIM and the hostname. Is this related? Either way, I'd like to fix these too:
https://toolbox.googleapps.com/apps/che ... tudios.com
https://mxtoolbox.com/domain/gpstudios.com/
EDIT:
So I easily fixed part of the problem by replacing the symlinks with copies of the pem and crt in my /usr/local/vesta/data/users/[username]/ssl folder; however, there are still problems with Gmail.
Now I get a 'mail delivery failed' in my site's inbox when I try and send an email to a gmail account!:
Our system has detected that this message does not meet IPv6 sending guidelines regarding PTR records and authentication. Please review
Also, yesterday I had a 100% score on DNSInspect, I just checked again, now I have 94.5%.
It flags the SOA TTL because it's set to 3600 (isn't it always?)
Also:
Found mail servers with inconsistent reverse DNS entries. You should fix them if you are using those servers to send email.
How can I fix this?
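
Added example, not part of the original post: a Python check for the "Error while reading file" lines quoted above. It pulls the cert and key paths out of the Exim log, follows symlinks, and reports which directory or file in the resolved chain a given user cannot search or read. The uid and group ids of the Exim user are assumptions you pass in, and ACLs are ignored.

```python
import os
import re
import stat

# cert= and key= paths as Exim prints them in "TLS error ... (cert/key setup: ...)" lines
SETUP_RE = re.compile(r"cert/key setup: cert=(\S+) key=([^\s)]+)\)")

def paths_from_log(lines):
    """Unique certificate and key paths named in TLS setup errors, in log order."""
    found = []
    for line in lines:
        m = SETUP_RE.search(line)
        for path in (m.groups() if m else ()):
            if path not in found:
                found.append(path)
    return found

def allowed(st, uid, gids, bit):
    """Classic owner/group/other check; ACLs and capabilities are ignored."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & (bit << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (bit << 3))
    return bool(st.st_mode & bit)

def audit(path, uid, gids):
    """Why could uid (with group ids gids) fail to read path? Returns findings."""
    findings = []
    real = os.path.realpath(path)
    if os.path.islink(path):
        # A symlink's own mode (lrwxrwxrwx) is not used for access checks.
        findings.append(f"symlink: {path} -> {real}")
    if not os.path.exists(real):
        return findings + [f"missing target: {real}"]
    chain = [real]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    for p in reversed(chain):
        st = os.stat(p)
        is_dir = stat.S_ISDIR(st.st_mode)
        # Directories need search (x = 1); the file itself needs read (r = 4).
        if not allowed(st, uid, gids, 1 if is_dir else 4):
            findings.append(f"no {'search' if is_dir else 'read'} access: {p}")
    if os.stat(real).st_mode & 0o022:
        findings.append(f"group/world writable: {real}")
    return findings

# Log line as quoted in the post above.
SAMPLE = ["2017-02-16 08:00:03 TLS error on connection from [81.174.188.154] "
          "(cert/key setup: cert=/usr/local/vesta/ssl/certificate.crt "
          "key=/usr/local/vesta/ssl/certificate.key): Error while reading file."]
```

Run `audit()` as root on each path returned by `paths_from_log()`, passing the uid and group ids of the account the mail daemon runs as.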