Outlook android app keeps asking for password over and over again

I have a client who has an Android mobile phone who is having problems with the Virtualmin postfix server and his Microsoft Outlook phone app.

When he first set it up, it was working however, now (1 day later) his phone has suddenly started asking for the password over and over again. It also doesnt download any more emails.

I note that an issue that i thought Dibbs and I had fixed has presented itself again. When i log into Outlook on Desktop PC I am seeing an SSL certificate error. The postfix mail server has started using the certificate from a Virtual Sub server that does not exist (it was deleted almost 1 year ago).

I cant seem to figure out where this certificate setting is coming from?

Is webmail working for that one on the same devices?

Yhe paths for certs that postfix used should be in the configs of postfix, also here the dovecot configs for the client connections the paths to certs

Assuming you have a Virtual Server for your Master Domain - go to the SSL Config section and copy the SSL cert to Postfix\Dovecot. I would expect that should fix it. It is possible that Dovecot could use multiple SSL certs but I think Postfix only uses one. (could be wrong tho - worth checking in the config files).

How it started using the old one - be nice to find out but if the above fixes it, one for a rainy day when you have nothing to do. LOL

Hi guys,
Yes that’s what I did (copied SSL from master domain to postfix).

What has me confused however, it was only the Microsoft Outlook phone app that stopped working throwing this repeated login/password request.
Outlook desktop app was still working…although showing that wrong SSL cert … billing.fqdn.com (virtual sub server which was deleted a long time ago).
I cant even find this on my server so I’m stumped as to how it inserted it?

Can dns server cause this kind of issue? For example, if my dns host had to rebuild their server from a backup, is it possible a ) dns nameserver cache cause cause this?

I also note, the clients domain is the only email account on my server that shit itself with this repeated login issue in Outlook. Also, they have their old user@domain.com emails still on Wix gsuite servers…so you can still log into same email account through wix and see all old emails even though dns is now pointing mxrecords at my mail server.

So is it a possible dns glitch temporarily reverting back to old nameserver? Could that cause this?

I note my dns providers nameserver TTL are automatically set at 86400 seconds (thats 24 hours right?) I had mxrecords set at 300 seconds (changed to 3600 now)

Postfix - I think you will get that error as it can’t really “masquerade” as multiple servers. Hence you are getting an SSL mismatch in Outlook (desktop). You could try generating a SAN SSL cert for Postfix [that might be as simple as doing the cert for the master domain but adding all the other domains in too - the mail. ones for the other domains on the server with mail].

Be careful doing too many requests tho - I think it will lock you out at some point, maybe after 5.

p.s. copy your existing cert 1st then tinker. That way you won’t have to request the original cert and have your LE “request allowance” decrease.

Is there no way in which each virtual server email can use its own SSL in Virutalmin?

for example, the Outlook app automatically tries to insert incoming and outgoing mail server as mail.clientsdomain.com

In cpanel, you can choose to use your own domain … mail.clientdomain.com for incoming and outgoing mail server and it uses the SSL for client domain in the email certs. Why cant virtualmin do this?

I think Dovecot can but Postfix can’t, not for a single IP anyway.

EDIT: The following links might help answer some questions:

thanks Dibs, i shall take a look at that link.
i believe that perhaps the safest option is to ask clients to use host.fqdn.com for the mail server settings rather than mail.clientdomain.com with my shared hosting.

If they want to use their own, then i should have them pay extra for own dedicated IP address.

i guess i never really thought this through very well…perhaps business clients should be using dedicated ip address.

Below are the suggested records from Virtualmin (domain name changed obviously)

apples.com.au. IN A
www.apples.com.au. IN A
ftp.apples.com.au. IN A
m.apples.com.au. IN A
localhost.apples.com.au. IN A
webmail.apples.com.au. IN A
admin.apples.com.au. IN A
mail.apples.com.au. IN A
apples.com.au. IN MX 5 mail.apples.com.au.
apples.com.au. IN TXT “v=spf1 a mx a:apples.com.au ip4: ip4: ip6:fe80::5400:1ff:fef1:5674 ?all”

  1. Where does Virtualmin get “mail.apples.com.au” from?

  2. If i change apples.com.au. IN MX 5 mail.apples.com.au to apples.com.au. IN MX 5 host.fqdn.com.au.

is the client going to lose access to email in all of their existing apps (outlook, Aquamail, etc) due to a change in the mxrecord for mail server? At present i think the auto setup from Virtualmin has configured my clients desktop pc and mobile phone apps to use mail.apples.com.au as the incoming and outgoing mail server.

  1. what is themail.apples.com.au IN A, do i even need this record?

  2. When i navigate to /etc/dovecot/dovecot.conf new virtual server domain has not been added to this file…all my other domains are there. i dont want to copy a virtulmin virtual sever (domain) SSL to dovecot…but why are other virtual servers in the conf file?

  3. Finally, when i check the SSL from my primary virtual server, it says that its SSL is being used by dovecot, however, when i navigate to /etc/dovecot/ there are no SSL cert files there (should be 2 of them). Why isnt virtualmin realising the certificate files are missing from dovecot?

I have assigned dovecot the webmin certificates /etc/webmin/primarydomain.com.key, and cert (is this ok?)

Consider also:
Some ( MOST in HOLLAND) ISP’s don’t allow over port 25 smtp , also some not over 587, there if so your client has to use the smtp form the ISP. ( SMTP server for if using postfix should be the main mailservername/hostname while no SNI ( single ip) whatever in most cases if allowed by ISP for that port 587 / 25 )

Dovecot so the client to get mails you can use their own domain names if certs are handled ok.

ISP from clients could also block if ( automatic) they think something wrong , spam , hacked, using a vpn ( could also causing such blocking wellknown here in Holland) and so on.

So the way i go is first to make on that clients domain a extra testemail adres for my own and testing some cases myself, with ( we use 2 ISP’s at our company) and VPN , different clients ( thunderbird, outlook , phones, tablets) always starting with thunderbird to be sure it should be possible to have it work ok. ( more than one day because of cachings and …)
(Important here ofcourse look in log files how those are handled on your server)

Technical configs Virtualmins support and Dibs could help you.

I 'm only pointing out some cases here.

Example last months if some has such clients be warned the time spending is not worth it:.( ONE client has another new external IT support , and yup they are frustrating our work to get that work/part to, firewall on outgoing not allowing pop or traffic to mailserver ip, changing settings after it works on client pc’s ) and such d.m things, at the end while the client has no choice they got that client to … after more then 15 years., only because by outsourcing their IT to a greedy company who wants all.)

I am finding that when setting up email client Outlook mobile phone app for email@apples.com, if i enter correct username, password and host.fqdn.com for incoming/outgoing mail server, i keep getting SSL errors. The Outlook mobile phone app also prompts me to enter username and password again.

however, if i simply let outlook use mail.apples.com.au for incoming and outgoing mail server, it works.

now for the strange part…what i cannot understand is why on a desktop pc running Microsoft Outlook and Windows 10 mail, using host.fqdn.com as the incoming/outgoing mail server for email@apples.com is working perfectly???

Is it the mxrecord that is the problem (mail.apples.com instead of host.fqdn.com)? Is it the SSL certificate that is being used? the error says SSL cert, but i wonder if an incorrect mxrecord is actually the root of the problem and the SSL error is just a symptom? This has me stumped?

Sometimes Windows\Outlook get’s it’s knickers in a knot over cached credentials and keeps asking for password. Look in Control Panel - Credentials Manager & see if their is one their that might apply - you usually need to delete it.


might help.

I also found this in dovecot docs…
NOTE: If you have only plaintext mechanisms enabled (e.g. auth { mechanisms = plain login } ), ssl=yes and ssl=required are completely equivalent because in either case the authentication will fail unless SSL/TLS is enabled first.

Perhaps this explains why in the Outlook mobile phone app client is getting repeated login requests? If there is an SSL certificate issue…??

Also, would incorrect mxrecords cause this…ie current one is mail.apples.com (shared hosting/mail server is host.fqdn.com)

actually i now think that this issue is a little more of a Virtualmin issue than something i have done wrong…it appears that someone has forgotten to ensure compliance with built in Letsencrypt SSL changes.



If this is even partly the cause of my problem, i am bloody shitty as all hell about being left in the dark about this. Why should i stuff around in the mud on this forum essentially be lead to believe i have done something wrong when this issue exists with Letsencrypt in Virtualmin?

i setup a new server to see what i thought i had done wrong only to find the acme client wont even run on it (a brand new fresh install)

Very unhappy. I cant problem solve when this remains an issue.


Virtualmin Andrecheck write workarround here >

I did post another possible one for some OS https://www.virtualmin.com/comment/818155#comment-818155

Virtualmin say they are busy…

If ticket license then you should get support ofcourse, i think LE is important enough to have it working good in a Control panel software.

But as forumusers trying to help is another thing, spending time here is my way of paying for virtualmin, while i’m using not supported repo’s myself , license for support and and makes no sense for me.

i went over the ISPConfig forum and asked the question there as well.

ISPConfig already have support for the new ACME version. I realise Virtulmin is a far more complicated and powerful control panel with lots of moving parts and that makes keeping it compliant is a big task, however, that is not our responsibility…its up to the developers to ensure that they have enough staff (either paid or open source contributors) to maintain their own platform and pricing accordingly. The reality is, if ISPConfig knew about it and prepared for it, how did we miss out here?

I cant be sure that this actual issue has not been the cause of embarrassment for me with a brand new client’s email. They cannot get their mobile apps working correctly or reliably. Now i realise that I am new to running an email server, however, the whole point of Virtulamin (i thought) was to basically be a “plug and play” system. I have now 2 Virtualmin installations, one of which is brand new, that are having problems either indirectly (as in the case of my main server) or directly (as with the new server) related to this compliance oversight.

I am not in any way suggesting we should all pull up stumps and move elsewhere, i love Virtualmin and wish to remain on this platform. Its just that if clients start demanding Cpanel because they figure out the root cause of their email issues is Virtualmin, then I am stuffed!

BTW., the suggested workaround is pointless. I cant even get Certbot to install on the new server…it throws an error when trying to install it by following the Certbot docs (i guess i have missed something. So i decided to use the Virtualmin installer to install Certbot…imagine my “not surprised” raised eyebrow when that installer doesnt actually work properly either. It installs, but one cannot run the program from Virtualmin because of errors.

I honestly think that what is really missing here is decent documentation on how to perform non-standard tasks such as installing this manually. Half the Webmin docus appear to have been writing quite some time ago and dont work properly (not updated?). A lot of the terminology in the docs is not compliant with current virtualmin terms, tutorials skip over very important steps/illustrations, leaving readers completely in the dark about what to do. On that topic, why are Virtualmin issues being directed to Webmin tutorials in the first place?

Someone needs to spend a decent amount of time rewriting and cataloging all docs to ensure that they may be used effectively by newbies and the pro. To illustrate this point…check out the tutorials on https://howtoforge.com. These are how all tutorials in Virtualmin should be written. They are clear and easy to follow with the exact coding required to make it work. Perhaps i should do my best to write some up to my level of knowledge at least? (if only i had time i would, but i spend so much time mulling in the dark trying to get things working…)

i think one of the big problems with Virtualmin tutorials (as opposed to webmin ones), is they appear to be directed at end user help…ie front end apps. The front end user doesnt bloody need to come here…its the administrators who mainly use this forum and as such Tutorials need to focus on backend administration of complex tasks. Any idiot can search the internet to find out how to setup microsoft outlook to work with a mail server!