question: Why does my mail client show a certificate for an FQDN I do not know? #3955

Closed
MainSEL opened this issue Mar 25, 2024 · 10 comments
Labels: area/networking, issue/(likely) user-related misconfiguration, kind/question, meta/closed due to age or inactivity, meta/stale

Comments


MainSEL commented Mar 25, 2024

Preliminary Checks

  • I tried searching for an existing issue and followed the debugging docs advice, but still need assistance.

What Happened?

I have been having the problem that my mail server is sending me a mail.mailnox.de certificate. I have always used Let's Encrypt for my certificate. This certificate is also on the server and is used by the Docker container. Outlook and the Mail client on iOS have been showing some mail.mailnox.de certificate for a few days now. This cannot be verified, so I always get an error message. I have renewed and recreated the certificate, unfortunately without success.

Is it perhaps because I am exporting the Let's Encrypt certificate via the nginx-proxy-manager? I have also used ZeroSSL as an alternative. The error briefly disappeared there.

What Outlook shows: [screenshot]

What I actually uploaded to the server: [screenshot]

Reproduction Steps

No response

DMS Version

v 13.3.1

Operating System and Architecture

Debian 11

Container configuration files

No response

Relevant log output

No response



glime-ai bot commented Mar 25, 2024

Please note that this response was created using generative AI, leveraging previously available information from the repository. This information may be helpful. However, it is our strong recommendation that you carefully consider the information before blindly applying it.


Based on the information provided and the context from the Docker Mailserver (DMS) documentation, it seems like the issue might be related to how SSL certificates are managed and served by your setup, particularly when using nginx-proxy-manager to export the Let's Encrypt certificate. Here are a few steps and considerations to troubleshoot and potentially resolve the issue:

  1. Verify Certificate Mounting in DMS: Ensure that the Let's Encrypt certificates are correctly mounted into the DMS container. According to the SSL/TLS configuration documentation for DMS, you should mount the letsencrypt directory to the appropriate path inside the container. For example, if using docker-compose, ensure your volumes section includes something similar to - ./path/to/letsencrypt:/etc/letsencrypt.

  2. Check for Certificate Mismatch: The issue might be due to a mismatch or an outdated certificate being served by the mail server. This can happen if the nginx-proxy-manager is not correctly updating the certificates used by DMS. Verify that the nginx-proxy-manager is correctly configured to renew and update the certificates and that these updates are propagated to the DMS container.

  3. SSL_TYPE Environment Variable: Ensure that the SSL_TYPE environment variable is set to letsencrypt in your DMS configuration. This instructs DMS to use the Let's Encrypt certificates.

  4. Restart DMS After Certificate Renewal: As mentioned in the SSL/TLS documentation, you may need to restart DMS once the certificates change to ensure that the new certificates are loaded and used by the mail server.

  5. Inspect Certificate with OpenSSL: You can inspect the certificate being served by your mail server using the OpenSSL command provided in the SSL/TLS documentation. This can help confirm which certificate is being served to clients like Outlook and the Mail Client on iOS.

  6. Review nginx-proxy-manager Configuration: Since you mentioned using nginx-proxy-manager to export the Let's Encrypt certificate, review its configuration to ensure it's correctly set up to serve the correct certificate for your mail server domain. There might be a configuration issue causing it to serve an incorrect or outdated certificate.

  7. Check for Intermediary Services: If there are any intermediary services or load balancers between your clients and the DMS, ensure they are not modifying or interfering with the SSL/TLS certificates being served.

If after following these steps the issue persists, consider reaching out to the DMS community or reviewing the nginx-proxy-manager documentation for more specific guidance related to certificate management and troubleshooting.

This comment was generated by Glime.

polarathene (Member) commented

Is mail.mailnox.de configured explicitly by you somewhere? I assume you own that too?

With LetsEncrypt your certs may also be relying on symlinks so ensure you're mounting a proper copy?


Our docs don't have anything about nginx-proxy-manager support, the file layout may differ and not be compatible with our SSL_TYPE=letsencrypt mode, if so consider trying with our other configuration modes covered in our documentation to verify if that works?


MainSEL commented Mar 25, 2024

I have no idea what mail.mailnox.de is. I know this company only from the domain and don't know what it is. Nginx Proxy Manager also only creates a Let's Encrypt certificate, which I integrate into Docker. It worked for half a year without any problems.

polarathene (Member) commented

I have no idea what mail.mailnox.de is

# Run a container with some debug tools for certs (step) and DNS (dog)
docker run --rm -it alpine ash
# apk uses "add", not "install"; step ships as the Alpine package "step-cli"
apk add step-cli dog
$ step certificate inspect tls://mail.mailnox.de

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 311302017176434799059344780755930206104858 (0x392d59ba9aede7fce4d6cbdb365d076ed1a)
    Signature Algorithm: SHA256-RSA
        Issuer: C=US,O=Let's Encrypt,CN=R3
        Validity
            Not Before: Mar 22 07:09:59 2024 UTC
            Not After : Jun 20 07:09:58 2024 UTC
        Subject: CN=mail.mailnox.de
        Subject Public Key Info:
            Public Key Algorithm: RSA
                Public-Key: (4096 bit)
                Modulus:
                    ca:24:08:7c:a9:ef:15:e8:4f:ba:be:fc:41:52:5c:
                    27:29:32:86:54:66:fa:20:25:86:2b:06:c2:60:9c:
                    42:73:c8:36:b5:31:3a:0b:cf:24:1f:e7:70:dd:4e:
                    8f:cf:f5:36:22:6d:2f:d2:63:54:f9:f8:9f:16:67:
                    97:b6:b4:bc:15:05:15:90:4a:10:dd:fd:45:42:9d:
                    f9:36:ef:a3:1d:ef:d8:00:b9:3a:f7:e7:f4:8f:60:
                    b8:f4:ec:ca:1f:f8:af:b6:38:15:68:a3:a6:b8:bf:
                    17:b6:41:1f:ba:84:8e:61:ad:0a:fd:a5:39:24:8c:
                    28:62:68:30:a2:bc:f2:a3:00:db:c5:46:66:73:2d:
                    3e:85:93:fe:88:9c:59:3a:0e:cb:54:0e:02:e7:b2:
                    9e:f4:da:9c:24:3a:57:b8:5d:27:20:61:bc:d3:92:
                    22:82:7d:49:90:ba:5d:aa:73:97:6d:50:42:2b:3b:
                    c6:a8:64:c2:0d:b5:90:81:01:51:81:c8:13:50:1d:
                    b1:4b:22:83:89:f5:61:57:40:af:ac:4a:d3:72:96:
                    74:7a:cc:b6:3d:12:fc:5c:8a:db:e0:6e:45:4d:f4:
                    00:b2:1c:6e:fc:49:5d:83:00:39:c8:d6:80:db:94:
                    ca:f0:3c:a7:9e:2c:0b:be:64:33:18:9f:1f:91:83:
                    d7:f8:a7:7d:1c:64:88:29:61:0c:a5:af:6d:55:e2:
                    55:cd:a5:fa:0a:6b:36:e5:49:c3:09:bb:d4:14:d2:
                    15:a1:40:24:16:0d:b1:d6:5a:ff:9e:fd:2a:30:ab:
                    76:d3:25:99:15:69:c6:ed:d7:d3:fc:be:b6:3d:67:
                    2c:aa:9a:40:46:7f:b7:aa:6b:52:75:1f:c4:a5:fa:
                    86:7a:43:bb:d6:f7:56:43:95:5e:8b:5d:a0:b9:c2:
                    27:d0:4c:ba:85:f1:f3:1e:92:3b:ce:89:0c:da:d0:
                    25:53:cb:01:9e:8e:f4:13:ac:eb:99:b8:8b:31:7e:
                    a9:46:72:34:56:12:0d:0f:d1:03:95:ce:83:90:ad:
                    59:4e:4c:91:77:4c:a0:39:a5:0b:5d:d1:36:d7:01:
                    48:c1:d2:f6:48:c7:ac:29:7f:c8:d0:99:1c:56:df:
                    19:ca:e7:b6:a9:da:00:74:37:f7:c4:af:57:41:39:
                    80:c1:76:f7:7a:60:56:f3:4d:32:83:5d:da:6f:d3:
                    9e:e8:9c:55:de:ef:1d:93:db:a9:27:6d:d7:50:41:
                    3b:bb:d5:a5:23:78:33:d9:c0:0e:81:ee:11:0f:42:
                    ea:bc:51:9e:36:fb:bb:13:06:e4:f4:cf:e4:08:a0:
                    22:87:05:ac:94:6b:5a:aa:b7:cd:c6:fe:85:65:03:
                    72:8d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                Server Authentication, Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                0F:6E:C2:85:0A:99:90:A2:2C:73:A8:38:A1:4F:2C:BC:D1:EE:1B:BE
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:autoconfig.mailnox.de, DNS:autodiscover.mailnox.de, DNS:mail.mailnox.de
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            RFC6962 Certificate Transparency SCT:
                SCT [0]:
                    Version: V1 (0x0)
                    LogID: dv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQ=
                    Timestamp: Mar 22 08:10:00.127 2024 UTC
                    Signature Algorithm: SHA256-ECDSA
                      30:45:02:20:6f:6d:86:e1:76:90:23:8d:b6:23:c1:b5:93:03:
                      eb:43:d4:f3:2e:f6:7f:c9:31:87:3c:07:41:c5:f7:2f:8c:b2:
                      02:21:00:e8:3d:e6:f1:46:ed:94:6e:c0:24:ce:ff:3c:93:a0:
                      78:aa:e0:b0:3b:5a:5a:d1:b7:f9:d9:c8:3f:ef:3f:c9:f6
                SCT [1]:
                    Version: V1 (0x0)
                    LogID: ouK/1h7eLy8HoNZObTen3GVDsMa1LqLat4r4mm31F9g=
                    Timestamp: Mar 22 08:10:02.062 2024 UTC
                    Signature Algorithm: SHA256-ECDSA
                      30:45:02:20:3f:53:a1:ac:22:2f:a7:46:ae:4a:97:b0:e4:18:
                      3a:6b:22:35:9e:bd:4c:24:ea:d9:37:68:e0:4a:5c:07:e3:9d:
                      02:21:00:d0:bb:0f:42:8a:ee:8a:0e:b6:53:61:d1:d9:78:87:
                      3c:17:16:ec:1f:79:78:d6:fe:7f:2a:e9:09:54:d7:56:16
    Signature Algorithm: SHA256-RSA
         a7:11:ca:64:37:48:d2:ea:33:31:85:99:fd:db:6c:a8:49:12:
         fe:e8:7d:43:05:14:ff:cc:60:44:68:89:f1:eb:bf:c1:da:07:
         fd:7a:a1:35:d9:7b:4b:be:25:b4:dc:eb:83:31:a2:db:2e:e0:
         22:f7:7e:d4:a7:39:07:c7:f5:fa:cc:ef:38:df:3a:24:d9:05:
         05:d2:1b:13:ab:75:b9:df:d9:90:f2:66:ec:35:61:05:b4:21:
         f1:29:6e:a6:80:3e:ea:df:6e:bf:37:c2:53:64:74:b5:25:7d:
         da:38:69:1e:de:00:cb:82:87:77:be:c9:1d:18:56:9f:2a:13:
         5d:91:0a:06:05:63:9f:87:21:d5:67:14:6f:2a:07:81:8c:47:
         bf:ee:04:da:ed:93:00:74:29:6b:cc:bc:ac:b9:ea:98:80:3c:
         3e:46:34:1f:7b:dd:97:85:e6:8e:ec:94:30:b0:da:e8:1e:b0:
         6a:17:6f:2c:01:71:50:31:e1:e0:63:7a:dd:c4:50:eb:1f:08:
         ff:7b:82:ff:69:84:a3:59:af:57:de:d1:75:75:75:2b:64:6b:
         5e:b3:c4:a9:63:aa:26:d1:06:9f:2f:ea:2d:d9:e1:44:dc:cf:
         ef:73:ed:7b:7b:87:14:2d:17:38:0c:8e:9c:79:aa:2c:83:12:
         f8:eb:c3:47
$ step certificate inspect tls://fleck-veranstaltungstechnik.de

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 306779995503844185925111658480200867047987 (0x3858b9df7cdc46dad3e08a71a73f5caea33)
    Signature Algorithm: ECDSA-SHA384
        Issuer: C=US,O=Let's Encrypt,CN=E1
        Validity
            Not Before: Feb 14 23:35:22 2024 UTC
            Not After : May 14 23:35:21 2024 UTC
        Subject: CN=fleck-veranstaltungstechnik.de
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)
                X:
                    5e:ad:d4:e0:20:3e:eb:f3:b4:8c:73:24:0d:10:a4:
                    4a:eb:b1:d3:b6:c3:fb:0b:f9:a0:ab:71:c6:64:2b:
                    00:31
                Y:
                    50:10:f2:bf:10:26:08:5d:db:b1:05:98:e1:27:7d:
                    ae:4d:56:59:96:ae:a3:e2:1a:7a:db:fb:5b:22:f4:
                    dc:dc
                Curve: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Server Authentication, Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                57:C3:98:9A:6C:8B:4D:4F:D9:58:1A:C4:BC:19:E7:6F:8E:F4:E6:44
            X509v3 Authority Key Identifier:
                keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC
            Authority Information Access:
                OCSP - URI:http://e1.o.lencr.org
                CA Issuers - URI:http://e1.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.fleck-veranstaltungstechnik.de, DNS:fleck-veranstaltungstechnik.de
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            RFC6962 Certificate Transparency SCT:
                SCT [0]:
                    Version: V1 (0x0)
                    LogID: dv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQ=
                    Timestamp: Feb 15 00:35:22.509 2024 UTC
                    Signature Algorithm: SHA256-ECDSA
                      30:44:02:20:11:c9:bd:7c:22:cb:c9:2b:34:a3:e7:56:e5:46:
                      f2:c1:24:79:42:65:62:36:b8:60:ff:cc:e4:dc:13:e7:5e:af:
                      02:20:76:36:b3:7b:38:5e:af:4f:de:b0:0a:7b:75:e7:9b:0c:
                      72:0f:26:d1:15:77:34:e1:87:ff:b1:e1:fa:3c:bf:23
                SCT [1]:
                    Version: V1 (0x0)
                    LogID: SLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHM=
                    Timestamp: Feb 15 00:35:23.101 2024 UTC
                    Signature Algorithm: SHA256-ECDSA
                      30:46:02:21:00:c8:df:3e:6f:d2:18:15:95:b3:69:5e:52:32:
                      fe:5c:77:d9:03:b9:f7:a0:60:e8:e5:60:41:80:1c:7e:aa:13:
                      6c:02:21:00:c0:f3:9a:ad:bf:11:98:d6:84:2f:12:fb:47:67:
                      7c:94:16:e0:d3:7c:70:75:b3:13:59:f5:9d:d2:e6:28:70:77
    Signature Algorithm: ECDSA-SHA384
         30:65:02:31:00:90:61:44:98:65:bc:f5:3f:30:7f:fc:ce:22:
         67:b4:c5:13:20:d4:ff:da:99:c0:af:c7:e1:8b:79:2a:90:19:
         67:24:83:68:04:94:94:94:79:4a:bb:dd:9e:eb:74:c5:b1:02:
         30:04:7c:33:a1:f1:fa:59:19:c9:f0:4c:97:91:cf:ce:bb:9d:
         56:9d:74:32:ca:ef:68:4d:9a:87:99:4b:a4:c3:4e:94:a4:63:
         3e:60:43:33:86:57:63:a8:4f:22:51:e7:6e
$ step certificate inspect smtps://server.fleck-veranstaltungstechnik.de

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 328025423077252881247453634449386704127888 (0x3c3fae67b83a2229cb635d7cd72c3cac790)
    Signature Algorithm: SHA256-RSA
        Issuer: C=US,O=Let's Encrypt,CN=R3
        Validity
            Not Before: Mar 25 00:19:20 2024 UTC
            Not After : Jun 23 00:19:19 2024 UTC
        Subject: CN=server.fleck-veranstaltungstechnik.de
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (384 bit)
                X:
                    cb:58:77:d5:46:eb:0b:89:7c:87:97:08:cf:c9:b7:
                    c9:98:10:58:44:95:49:c7:b7:82:2f:bb:57:d7:bd:
                    a6:b3:19:71:af:7a:97:2e:c7:76:d0:7c:6c:14:b6:
                    1f:1e:4c
                Y:
                    cf:d2:8a:40:d6:bc:e2:6a:d8:c7:db:6f:ed:07:2b:
                    02:5c:b0:06:8c:50:a8:85:1d:1c:49:17:5c:31:7f:
                    26:61:05:11:26:96:93:7c:e3:f6:21:7f:09:a9:33:
                    74:7f:a2
                Curve: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Server Authentication, Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                36:EA:6F:3C:14:FC:59:E4:D0:B1:73:F2:A2:2A:23:37:89:BA:4B:BF
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:server.fleck-veranstaltungstechnik.de
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            RFC6962 Certificate Transparency SCT:
                SCT [0]:
                    Version: V1 (0x0)
                    LogID: PxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4=
                    Timestamp: Mar 25 01:19:21.030 2024 UTC
                    Signature Algorithm: SHA256-ECDSA
                      30:45:02:20:13:78:30:5a:f7:0c:32:59:6b:00:e4:86:8c:c0:
                      d4:59:73:ac:b4:c7:d8:46:13:f4:a5:b3:de:f3:d7:68:99:ac:
                      02:21:00:b7:ec:52:8d:d5:6e:e3:18:27:87:bd:d5:97:ee:24:
                      b9:31:a1:51:0b:ed:9b:42:03:f8:2d:07:38:74:f9:16:6b
                SCT [1]:
                    Version: V1 (0x0)
                    LogID: ouK/1h7eLy8HoNZObTen3GVDsMa1LqLat4r4mm31F9g=
                    Timestamp: Mar 25 01:19:23.044 2024 UTC
                    Signature Algorithm: SHA256-ECDSA
                      30:44:02:20:74:a7:81:f4:42:9d:e4:ed:43:bd:d5:14:32:9b:
                      df:5d:7c:1f:a1:d3:cf:63:fe:ae:9f:84:54:a4:f9:58:be:0d:
                      02:20:62:30:85:44:f4:4d:d2:fa:bc:58:b5:94:a2:58:4e:ff:
                      7e:3c:33:45:5a:21:93:a6:22:a7:c7:1d:64:cc:b1:d2
    Signature Algorithm: SHA256-RSA
         6d:d5:96:3d:c9:7a:df:c7:9d:65:b1:91:0e:7d:d2:4d:e7:37:
         dc:8a:d0:04:f4:e3:ae:87:b9:41:42:7f:fb:91:bf:a0:fc:7d:
         62:a6:67:08:2f:f4:aa:9f:f6:28:08:67:dc:0d:d3:b9:55:03:
         03:46:cf:12:b3:11:bb:4d:74:a3:5d:55:10:63:4f:db:32:69:
         22:25:42:f7:fd:50:70:2e:4e:29:5b:ba:39:1e:10:89:54:65:
         09:71:6e:ea:b6:85:8f:d5:fb:53:3f:78:6e:5a:fb:7d:43:c6:
         ee:71:47:ec:8e:6f:70:11:e3:51:03:0e:e7:1c:27:14:72:51:
         77:06:10:46:f3:6b:99:7d:f8:77:c0:3a:2c:4a:6e:8b:a7:05:
         a9:02:82:32:f2:c4:b9:f2:8a:50:42:a3:2d:f0:b4:c4:b6:c6:
         8a:99:fe:e1:3c:a5:80:1a:33:d4:0b:5e:61:81:6d:8a:ee:b1:
         2f:5b:db:6c:74:3d:df:65:2c:60:1e:d5:bf:c1:ff:5e:6c:dc:
         3b:16:2b:28:52:99:2b:a1:f1:fb:e2:d7:b0:83:b0:92:b5:d6:
         a7:64:cc:f3:f8:1a:51:1d:ad:44:17:b3:87:17:6e:66:5e:ec:
         46:f7:47:46:d6:5f:cd:7b:cd:a8:2a:78:8c:7f:1d:41:05:8c:
         f5:ae:f6:ab
$ dog MX fleck-veranstaltungstechnik.de

MX fleck-veranstaltungstechnik.de. 5m00s   10 "server.fleck-veranstaltungstechnik.de."

You have not provided much else information wise so I can't really reproduce your problem.

Please remember that your mail account user@example.com has the @example.com part lookup DNS for an MX record, which could point to mail.example.com or whatever.wherever.net.

Since the information I have to go by suggests server.fleck-veranstaltungstechnik.de is the MX host (DMS runs on this IP) for your account at user@fleck-veranstaltungstechnik.de, the DNS record is correct and the certificate is also correct.


If you cannot reproduce this for certificate lookup with the example above, then you may have something affecting your DNS sending you to another server for the MX lookup. If so, and since you do not recognize mail.mailnox.de, it could be a malicious attacker trying to get your login credentials by redirecting you to their mail server instead, and since the MX record would match the certificate this would all appear secure and legitimate.

If you suspect this could be the case, try going into your network settings and setting the DNS service explicitly, such as 1.1.1.1 for Cloudflare or 8.8.8.8 for Google's DNS service. Usually your system connects to internet from a router or local wifi if not in a trusted area like airport/cafe, and the router that manages that internet connection can be the default DNS service going through the ISP DNS or another configured by the admin of that router.

Alternatively, if your system itself was compromised, then it could be configured for the attacker's DNS service instead, or even with 1.1.1.1 / 8.8.8.8, since these are not more secure connections via DoH / DoT for the DNS service, another part of the network may be compromised to intercept that too. This is why you need to be careful with connecting to public networks especially.


If the above is not helpful, I would suggest reviewing our documentation for SSL_TYPE=manual and providing the certificate files from nginx-proxy-manager explicitly. It does look like that's working correctly from my output shared above, so I suspect you have a misconfiguration or DNS issue on your end.

@polarathene polarathene changed the title bug report: getting mail.mailnox.de certificate question: Why does my mail client show a certificate for an FQDN I do not know? Mar 26, 2024

MainSEL commented Mar 29, 2024

Thank you for the detailed answer. I am sorry that I cannot provide much information. I'm just wondering where this strange certificate came from. I have this problem in my own WLAN, so I rule out the attacker problem. The problem also occurs when I am connected to the server via WireGuard, which makes me wonder even more.

I have been using the mail server for over a year and everything has worked. I have now created a new certificate with Certbot. The problem occurs again so irregularly. Sometimes it doesn't work.

Nginx Proxy Manager does nothing other than use Certbot, so I was already puzzled by this before.


MainSEL commented Mar 29, 2024

I analyzed it a little further. So far, the problem only occurs when I am not directly connected to the server via VPN (WireGuard).

As soon as the VPN is deactivated and I clear the DNS cache, I get the certificate error message in Outlook again. I have now explicitly set the Cloudflare DNS servers in my Dream Machine. Unfortunately, this has not led to a solution.

I noticed that when pinging server.fleck-veranstaltungstechnik.de I get an IPv6 without a VPN and an IPv4 with a VPN. Perhaps we can take a closer look there.


polarathene commented Mar 30, 2024

I noticed that when pinging server.fleck-veranstaltungstechnik.de I get an IPv6 without a VPN and an IPv4 with a VPN. Perhaps we can take a closer look there.

💡

$ dog A AAAA server.fleck-veranstaltungstechnik.de
   A server.fleck-veranstaltungstechnik.de. 5m00s   185.245.61.31
AAAA server.fleck-veranstaltungstechnik.de. 5m00s   2a00:ccc1:101:1aa::

I'll just connect via openssl since it makes it easier to provide the FQDN and enforce IPv4 or IPv6 unlike step.

IPv4

$ openssl s_client -4 -connect server.fleck-veranstaltungstechnik.de:465

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = server.fleck-veranstaltungstechnik.de
verify return:1
---
Certificate chain
 0 s:CN = server.fleck-veranstaltungstechnik.de
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 29 20:36:29 2024 GMT; NotAfter: Jun 27 20:36:28 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIETDCCAzSgAwIBAgISAwkAJ5PGsHmvCsWgt5mRvfHDMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDAzMjkyMDM2MjlaFw0yNDA2MjcyMDM2MjhaMDAxLjAsBgNVBAMT
JXNlcnZlci5mbGVjay12ZXJhbnN0YWx0dW5nc3RlY2huaWsuZGUwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAATG+eDo6sWWLcIrD1VBfQ0ZXncfLE6KhgvdLuGCXYoN
nG25NM5uoxIxOuWFF/s0t6ls5i5kXEQqx3c/Ng6Aq0+ho4ICJzCCAiMwDgYDVR0P
AQH/BAQDAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
Af8EAjAAMB0GA1UdDgQWBBSNxaD0wwYQGgXypM2TgMYmn+UujzAfBgNVHSMEGDAW
gBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUH
MAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3Iz
LmkubGVuY3Iub3JnLzAwBgNVHREEKTAngiVzZXJ2ZXIuZmxlY2stdmVyYW5zdGFs
dHVuZ3N0ZWNobmlrLmRlMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBBAYKKwYBBAHW
eQIEAgSB9QSB8gDwAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcA
AAGOjCSOTgAABAMARjBEAiAviBcCoEFHvY4RuN+mYy0Or9dobDClETiC6QxQ9HAk
3wIgY6tAfQeksjWdqfCXaBTZSVr3jNV2uV55aE1dCJNxLFUAdwCi4r/WHt4vLweg
1k5tN6fcZUOwxrUuotq3iviabfUX2AAAAY6MJI5nAAAEAwBIMEYCIQCnC0kRX8KI
8GqvLhYo/4cVGAw/XLO4VTaCSN6wpMSC/gIhAJwwZPzBT7N8cFZvBBO1P+wYryX9
PrVZTqq/WFTpAj3mMA0GCSqGSIb3DQEBCwUAA4IBAQB91ik4z9b1HuC9uQSqs4xF
2ziqemv5LWI73z7hvcgKfVbCZI94hKBoixZPt7zRGx/G5t1hdOJswW/Xkil0pyto
9buLFO/I6+YYvFMQsNmu9DffWznTNrFkCpRrU2+H1aeVGnTorvSrkXJBNLn3fS4L
6fwGJ0cQJTr9pIMO9pg0OuGUAxs43MAOy8IePsSkZ7q/QnmopbBK7yX+0Uemyo1V
K+8B4IRqUu+C+F1m5xT5+jVal9CyQRTRtSksZCU8WlNCBXCT9TSBkYNpA0SsDzmU
JrJ2EVdnBuC5vM2nP6lp7XJNR90WQcBMZRbpNPEN7shDkfuWphiGHhCaHUXgY9xT
-----END CERTIFICATE-----
subject=CN = server.fleck-veranstaltungstechnik.de
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2786 bytes and written 419 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F9CFCE41F213B509E9374CD62D3AE8CBD03C90B382F3F965D469C78956DD394D
    Session-ID-ctx:
    Resumption PSK: 979FFD53804D29EF7A3F27E94781FD2A52AEE8CE5A2A1BB6D9CC9182E9AB80244F28326ECDD33941E37BFF4D855C246A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 1f e7 0a 7c 0c 55 98 0e-cd 2a 15 75 a6 0c e4 70   ...|.U...*.u...p
    0010 - 59 6a 39 be 60 66 d9 35-16 3b 19 a7 71 93 20 9e   Yj9.`f.5.;..q. .
    0020 - 30 67 f0 06 92 47 5d 60-44 cc 52 00 03 49 1f eb   0g...G]`D.R..I..
    0030 - 61 e7 fa b8 b6 fe c5 b7-7c 1a 0b 28 80 99 44 b5   a.......|..(..D.
    0040 - 98 ac fa d4 62 92 16 88-04 03 50 38 9c ef 2a e1   ....b.....P8..*.
    0050 - 94 02 24 dc 2e 96 a1 bf-73 5c 10 ae 71 ed 6d d2   ..$.....s\..q.m.
    0060 - 3c d2 cb f3 da 4b 0f f5-f3 ca e6 97 d0 fc 7b 97   <....K........{.
    0070 - 34 72 f5 d1 15 27 5c 4a-b5 9f ff 01 3d 7f 42 61   4r...'\J....=.Ba
    0080 - d2 e0 cf b3 93 7d fc 53-09 34 45 75 ec 08 91 64   .....}.S.4Eu...d
    0090 - 2b 01 df e5 30 5d 1d a9-8e fb 82 e0 ae 16 fd 5c   +...0].........\
    00a0 - 4e 71 28 c5 b4 e5 ba ae-52 b0 c9 8e f4 39 78 8f   Nq(.....R....9x.
    00b0 - 90 10 a5 c4 a0 3b 02 25-e2 7e ce 82 85 0b e8 eb   .....;.%.~......
    00c0 - 89 7b fa 8e 93 0f bd 4c-be f0 e9 e0 26 29 ba 0f   .{.....L....&)..

    Start Time: 1711764768
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
220 server.fleck-veranstaltungstechnik.de ESMTP

IPv6

This requires an IPv6 interface to make the connection successfully. I spun up an IPv6 capable VPS for this since my local system is IPv4 only.

$ openssl s_client -6 -connect server.fleck-veranstaltungstechnik.de:465

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.mailnox.de
verify return:1
---
Certificate chain
 0 s:CN = mail.mailnox.de
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 22 07:09:59 2024 GMT; NotAfter: Jun 20 07:09:58 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=CN = mail.mailnox.de
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3690 bytes and written 419 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 011D60066E0C6F525AA14CEA9AB853E2B87915897014B399A464C3139D972AA0
    Session-ID-ctx:
    Resumption PSK: 02FA8203069AA5481B6ADF3B38DA32A426D93D42D1FD422863B913401D62C0914DD469679DD9CDDBAABFE3ECD2D2B12E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - b2 4f d5 79 31 25 46 29-a0 4d b9 77 4e c0 4c 54   .O.y1%F).M.wN.LT
    0010 - 41 1c e9 26 ea 84 cf 27-0a 45 28 ad b0 4b 95 dc   A..&...'.E(..K..
    0020 - f1 4e ef bd 03 17 e1 f1-02 dc 88 c1 2e ea 4f b9   .N............O.
    0030 - 2e 6f 38 a5 fa a8 a9 80-d3 d6 eb bf a1 36 43 f6   .o8..........6C.
    0040 - 62 6d e1 ab 91 2e b6 60-11 8c bc 00 a5 d6 f1 df   bm.....`........
    0050 - 43 16 81 11 5a 7c 24 1f-11 9d ae 11 e5 9a 30 8b   C...Z|$.......0.
    0060 - 8a 67 a3 87 4b 12 50 3b-1d 89 15 59 fb 93 f1 d3   .g..K.P;...Y....
    0070 - 22 f2 9c 21 d3 e6 69 ec-20 e6 7a 96 e6 3c 8f e1   "..!..i. .z..<..
    0080 - de f3 c6 05 64 bd 8d e5-2b df 97 1d 46 13 3e 0a   ....d...+...F.>.
    0090 - 01 99 b2 e8 12 f4 c9 f7-f7 b5 98 55 24 8b 8e c2   ...........U$...
    00a0 - 09 d9 23 3a 11 20 78 b4-1e 23 4a 92 9f 2a 88 68   ..#:. x..#J..*.h
    00b0 - 27 f6 f3 9c 34 18 33 74-05 98 21 3a 69 7e b5 7e   '...4.3t..!:i~.~
    00c0 - 33 d4 a3 35 98 e5 f1 55-21 a8 09 c8 3c e1 7f 99   3..5...U!...<...

    Start Time: 1711764704
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
220 mail.mailnox.de ESMTP Postcow

"Postcow" at the end there tells us this is a mailcow instance.

Solution - Correct your DNS

So you'll want to assess your DNS records for server.fleck-veranstaltungstechnik.de. The AAAA record is pointing to a server that has the same ports exposed but for mailcow instead of DMS.

Since you mention it only occurs when you don't have VPN active, probably no IPv6 connections can be established through it? Or the routing for IPv4 or your VPN interface has precedence, so the FQDN is resolved as IPv4, whereas without the VPN IPv6 has priority to resolve?

Since you also mention that it's irregular, perhaps it's a racy resolution between IPv4/IPv6, or it is related to the DNS cache.
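The two checks polarathene walks through above, first "which certificate does the MX host present" and then "does it differ between the A and the AAAA address", can be done in one pass. The following script is an added example for this thread, not part of DMS or of any comment in it. It takes the MX host as input (find it with `dog MX <domain>` as shown above), resolves every A/AAAA record, handshakes with each literal address while sending the FQDN as SNI, and reports any address whose certificate does not cover the FQDN, plus the case where different addresses present different certificates. It assumes an implicit-TLS port (465 or 993) and uses only the standard library; the chain is still verified against the system trust store, only hostname checking is turned off so that the mismatch is reported instead of aborting the handshake.

```python
"""Per-address TLS identity check for a mail host (added example, not DMS code).

For every A and AAAA record of an FQDN this connects to the literal address,
sends the FQDN as SNI, and records which DNS names the presented certificate
carries. The symptom in this thread, one address family presenting a
certificate for a different FQDN, then shows up as a finding.
"""
import argparse
import hashlib
import socket
import ssl
from dataclasses import dataclass, field
from typing import List


@dataclass
class Observation:
    address: str
    family: str                                     # "IPv4" or "IPv6"
    names: List[str] = field(default_factory=list)  # SAN dNSName entries presented
    fingerprint: str = ""                           # sha256 of the leaf cert (DER)
    error: str = ""                                 # set when handshake or chain failed


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single left-most wildcard label (*.example.de)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_covers(names: List[str], hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in names)


def resolve(fqdn: str, port: int):
    """Yield (address family, label, sockaddr) for each distinct A/AAAA answer."""
    seen = set()
    for af, _, _, _, sockaddr in socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM):
        if sockaddr[0] in seen:
            continue
        seen.add(sockaddr[0])
        yield af, ("IPv6" if af == socket.AF_INET6 else "IPv4"), sockaddr


def probe(fqdn: str, port: int = 465, timeout: float = 5.0) -> List[Observation]:
    """Handshake with every address of fqdn on an implicit-TLS port (465/993)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # record a name mismatch instead of aborting on it
    ctx.verify_mode = ssl.CERT_REQUIRED  # but still insist on a trusted chain
    observations = []
    for af, label, sockaddr in resolve(fqdn, port):
        obs = Observation(address=sockaddr[0], family=label)
        try:
            with socket.socket(af, socket.SOCK_STREAM) as raw:
                raw.settimeout(timeout)
                raw.connect(sockaddr)               # connect to the literal address ...
                with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:  # ... with the FQDN as SNI
                    cert = tls.getpeercert()
                    obs.names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                    obs.fingerprint = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
        except OSError as exc:                      # ssl.SSLError is an OSError subclass
            obs.error = str(exc)
        observations.append(obs)
    return observations


def diagnose(fqdn: str, observations: List[Observation]) -> List[str]:
    """Return findings; an empty list means every address presented a cert for fqdn."""
    findings = []
    for o in observations:
        if o.error:
            findings.append(f"{o.family} {o.address}: handshake failed: {o.error}")
        elif not cert_covers(o.names, fqdn):
            findings.append(f"{o.family} {o.address}: certificate names {o.names} do not cover {fqdn}")
    distinct = {o.fingerprint for o in observations if not o.error}
    if len(distinct) > 1:
        findings.append("addresses present different certificates: compare the A and AAAA records")
    return findings


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="check the TLS certificate behind every address of a host")
    ap.add_argument("fqdn")                         # e.g. the MX host from `dog MX <domain>`
    ap.add_argument("--port", type=int, default=465)
    args = ap.parse_args()
    results = probe(args.fqdn, args.port)
    for o in results:
        print(f"{o.family:4} {o.address:40} {o.error or o.names} {o.fingerprint[:16]}")
    for line in diagnose(args.fqdn, results):
        print("!!", line)
```

Run it as `python3 check_mail_tls.py server.fleck-veranstaltungstechnik.de` (and again with `--port 993` for IMAPS); run it both with and without the VPN, since the point of the thread is that the two environments resolved to different address families. The printed sha256 fingerprint can be compared with `openssl x509 -in fullchain.pem -noout -fingerprint -sha256` on the file mounted into DMS, which also catches the stale-symlink case mentioned earlier in the thread.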


MainSEL commented Mar 30, 2024

Thank you for your answer. I did some more analysis yesterday and wrote to a user on the server provider's Discord. He noticed that the IPv6 address is assigned twice. I will now clarify this with the provider. I am sure that the IPv6 address belongs to my server and that mail.mailnox.de has entered an incorrect IPv6. Or at least I got this IPv6 from my provider


github-actions bot commented Apr 20, 2024

This issue has become stale because it has been open for 20 days without activity.
This issue will be closed in 10 days automatically unless:

  • a maintainer removes the meta/stale label or adds the stale-bot/ignore label
  • new activity occurs, such as a new comment

github-actions bot commented Apr 30, 2024

This issue was closed due to inactivity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 30, 2024