LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 02-19-2018, 10:52 AM   #1
fbeye
Member
 
Registered: Aug 2017
Posts: 49

Rep: Reputation: Disabled
SSL Certificate Mishaps


On my Linux Box I am running my own email server on a static IP and a purchased domain. Both forward/reverse DNS appear to be working fine and I can send/receive email fine.

What I am confused about is this;

I go to https://ssl-tools.net/mailservers/ and test my domain's email. It returns with everything good except the SSL Cert which specifies 1.) hostname mismatch and 2.) unknown authority. The Unknown authority is probably because I have self-signed certs, which I am fine with.
My concern is the hostname mismatch.

Their output is ;

mx.domain.org x.x.x.180 30 supported mail.domain.org

I see that it mentions mx and also mail. My Reverse is indeed set for mail.domain.org and the Linux Box name (host name) is also mail. So not sure if their return “mx” is just customary label or that it is indeed showing both mx and mail and is confused.

If it is just customary then I wonder if the SSL Certs are indeed mismatched.
The only thing I notice wrong / different in both are the OU in one says 1 the OU on the other says 2.

I know this is a broad question but really I am just uncertain if this is a records issue outside my ability or if in Linux I am doing something wrong.
 
Old 02-20-2018, 02:21 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Their output is ;

mx.domain.org x.x.x.180 30 supported mail.domain.org

I see that it mentions mx and also mail. My Reverse is indeed set for mail.domain.org and the Linux Box name (host name) is also mail. So not sure if their return “mx” is just customary label or that it is indeed showing both mx and mail and is confused.
Use this, or run the following command to find out the actual hostname of the MX RR for your domain as it's known to the world:
Code:
dig mx domain.org @8.8.8.8


Quote:
If it is just customary then I wonder if the SSL Certs are indeed mismatched.
The only thing I notice wrong / different in both are the OU in one says 1 the OU on the other says 2.
To test/read your certificate, use the openssl client:
Code:
openssl s_client -starttls smtp -crlf -connect mail.domain.org:25
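
Added example, not part of the original post: a sketch that combines the two checks above by comparing the published MX hostnames with the names in the certificate (DNS subjectAltName entries if present, otherwise the subject CN), which is the comparison behind a "hostname mismatch" result. The function names and sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample inputs are constructed, not real tool output.
# Live inputs (hostnames as written in the thread) would come from:
#   dig +short mx domain.org @8.8.8.8
#   openssl s_client -starttls smtp -connect mail.domain.org:25 </dev/null 2>/dev/null |
#     openssl x509 -noout -subject -ext subjectAltName

mx_hosts() {    # "30 mx.domain.org." -> "mx.domain.org"
    awk 'NF >= 2 { h = tolower($2); sub(/\.$/, "", h); print h }'
}

cert_names() {  # names a client checks: DNS SANs if present, else subject CN
    awk '{ line = tolower($0) }
         /^subject/ { if (match(line, /cn *= *[^,]+/)) {
                          cn = substr(line, RSTART, RLENGTH)
                          sub(/^cn *= */, "", cn); sub(/ +$/, "", cn) } }
         { while (match(line, /dns:[^, ]+/)) {
               san[++n] = substr(line, RSTART + 4, RLENGTH - 4)
               line = substr(line, RSTART + RLENGTH) } }
         END { if (n) { for (i = 1; i <= n; i++) print san[i] } else if (cn != "") print cn }'
}

name_matches() {  # $1 = host, $2 = cert name; "*." covers exactly one label
    case "$2" in
        \*.*) [ "${1#*.}" = "${2#\*.}" ] && [ "${1#*.}" != "$1" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

uncovered_mx() {  # $1 = dig output, $2 = openssl x509 output; prints misses
    names=$(printf '%s\n' "$2" | cert_names)
    rc=0
    for host in $(printf '%s\n' "$1" | mx_hosts); do
        ok=1
        while IFS= read -r n; do
            if name_matches "$host" "$n"; then ok=0; break; fi
        done <<EOF
$names
EOF
        [ "$ok" -eq 0 ] || { echo "$host"; rc=1; }
    done
    return $rc
}

SAMPLE_MX='30 mx.domain.org.'
SAMPLE_CERT='subject=O = Example, OU = 1, CN = mail.domain.org'
uncovered_mx "$SAMPLE_MX" "$SAMPLE_CERT" || echo "^ MX name not covered by the certificate"
```

With the constructed sample, the MX record points at mx.domain.org while the certificate names only mail.domain.org, so the MX name is reported as uncovered.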
 
Old 02-20-2018, 10:55 AM   #3
fbeye
Member
 
Registered: Aug 2017
Posts: 49

Original Poster
Rep: Reputation: Disabled
Oh very interesting. Thank you for the tools.

The intoDNS comes back with quite a bit of information... Of all the tests everything passes except it mentions that my nameservers by the company who gives me my domain has a “recursive query” so I’ll look and see what my options about that are but everything else is spot on.
When I run the manual command it is less detailed but has the meat and taters.. And comes back correct.

The SSL check spits out a bunch of close etc but nothing that looks in error.. So I can paste that later.
 
Old 02-20-2018, 04:45 PM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Of all the tests everything passes except it mentions that my nameservers by the company who gives me my domain has a “recursive query” so I’ll look and see what my options about that are but everything else is spot on.
If these nameservers are just authoritative for your domain, you should turn recursion off so it doesn't get abused.

From the rest of your answer, everything else seems to work as expected.
 
  

