I have a server with around 190 sites, all supposed to be set up fairly consistently after a server migration. Until around a week ago I could use Thunderbird's auto configuration and instantly set up a new email account. Now it's not working for outgoing, and some clients are complaining about security warnings.
In Thunderbird outgoing is failing every time because it seems to default to the Default website’s certificate.
For example, when I run the wizard for the domain @everbuildconstruction.co.za, it finds the settings perfectly, but on every outgoing message I get this:
On the next screen as per screenshot below, when you press “View Certificate”, the certificate of the default website is displayed:
The wrong certificate is showing as below!
So in the example above, mail.everbuildconstruction.co.za is not picking up its own outgoing certificate in Thunderbird, instead defaulting to batman.vander.host, which is the server's default website.
I'm not sure if this is just an auto configuration problem or if something more serious took place. Before, the server's default website was the very first website on the list of sites, but I changed it intentionally to batman.vander.host.
The thing is, it appears SSL for the outgoing domains is okay, e.g. mail.everbuildconstruction.co.za looks okay, I think, using this service:
I’m going into a mild panic because I don’t know how prevalent the problem is but the fact that autoconfig is not working is going to be a huge problem for our help desk.
I found a way on the command line to simulate this problem. To me it's clear that the default website is now replying for all certificates instead of the domain itself:
In this example I'm asking for the certificate for mail.donkerhoek.co.za, but instead I'm getting a reply from the main server's domain, batman.vander.host.
Any clues?
EDIT
After much googling I have learnt:
Per-domain SSL was never supported on Postfix until a few years ago, and Virtualmin received this functionality in the last year or so.
tail -f /var/log/mail.log | grep "TLS SNI"
Mar 28 12:22:57 batman postfix/smtpd[4062199]: TLS SNI mail.donkerhoek.co.za from localhost[127.0.0.1] not matched, using default chain
Thanks for the info, that solved my similar issues, but have you found a way to fix that for new virtual servers created on the server? Virtualmin in its current version still uses a wildcard in the sni_map file.
@vincen I had a similar question, but then I noticed that a simple text search and replace of *. to just . should do the trick. Please double check, though, and make a backup before you run it.
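An added example, not part of the original thread, to make the two points above concrete: the "TLS SNI ... not matched, using default chain" log line in the first post and the "*." to "." rewrite suggested in the reply. The script simulates the lookup smtpd does against the tls_server_sni_maps table as I understand it from postconf(5): exact hostname first, then the parent domain written with a leading dot (".example.com"), and no wildcard handling at all, which is why "*.example.com" keys never match. The sample map, its certificate paths and the submission port used in the live check are constructed for illustration; the function and variable names are mine.

```sh
#!/bin/sh
# Added example (not from the original thread): simulate the Postfix SNI map
# lookup, rewrite wildcard keys, and check live which certificate a mail
# server presents for a given SNI name. Paths and hostnames in the sample
# map are constructed; the lookup order follows postconf(5) as I read it.
set -eu

# Constructed sample map in the "key  /path/to/combined.pem" shape Postfix
# expects. The "*." keys are the problem from the thread; paths are made up.
write_sample_map() {
    cat > "$1" <<'EOF'
*.donkerhoek.co.za            /etc/ssl/virtualmin/donkerhoek/ssl.combined
*.everbuildconstruction.co.za /etc/ssl/virtualmin/everbuild/ssl.combined
mail.vander.host              /etc/ssl/virtualmin/vander/ssl.combined
EOF
}

# Simulate the smtpd SNI lookup: exact (lower-cased) hostname first, then the
# parent domain with a leading dot. Prints the chain path on a hit, or
# "default" where Postfix would log "not matched, using default chain".
sni_chain_for() {
    map=$1
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    parent=".${name#*.}"
    hit=$(awk -v k1="$name" -v k2="$parent" '
        $1 == k1 { print $2; found = 1; exit }
        $1 == k2 { p = $2 }
        END { if (!found && p != "") print p }' "$map")
    printf '%s\n' "${hit:-default}"
}

# Rewrite "*.example.com" keys to ".example.com" (the form Postfix matches),
# writing to a new file so the original stays untouched as a backup.
fix_sni_map() {
    src=$1
    dst=$2
    sed 's/^\*\./\./' "$src" > "$dst"
}

# Live check: which certificate does the server hand out for this SNI name?
# STARTTLS on the submission port (587 assumed); compare the subject/SAN
# printed here with what Thunderbird shows under "View Certificate".
check_smtp_sni() {
    host=$1
    sni=$2
    openssl s_client -connect "$host:587" -starttls smtp -servername "$sni" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}

# Usage: check_smtp_sni batman.vander.host mail.donkerhoek.co.za
```

After rewriting the real map you still have to rebuild the Postfix table with `postmap -F` on it (the -F flag is what tls_server_sni_maps requires, since the values are file paths whose contents get stored) and reload Postfix; the script deliberately does not touch the live files, so do that step by hand after checking the diff.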
Thanks, but unhappily mine has double entries for most domains. I don't have so many, though, so yep, I guess it'll finish this way after I check, by creating a fake account, that it works properly now.