SSL And Security

Hi PL281, 

Thanks for your reply,

The domain we're using is float-digital.com, but we also have emails associated with various subdomains. float-digital.com is our priority for now.

The email is hosted on Cpanel, and for years, has been accessed through Gmail. However, due to the recent updates to Gmail's security, it cannot connect this way. the error message is "TLS Negotiation failed, the certificate doesn't match the host" as seen here and here

As an alternative, we tried thunderbird, to connect to emails - but this gave us a similar SSL mismatch error.

@sgpascoe 

Is this a VPS server that you have / manage or a cPanel account? The reason I ask is that if it a VPS server you may need to look in WHM to check on the settings in regards to the TLS protocols enabled. 

We are on the deluxe shared hosting with Cpanel plan

@sgpascoe 

Ok - I would try to connect with the SSL checkbox and see if that resolves the issue

Hahaha, if the problem was that easy I wouldn't be here after asking godaddy, cpanel, and the sysadmin/techsupport subreddits 🤣  I wish it was that simple, It would help me and thousands of others out of a tough situation. It unfortunately says the exact same error with SSL as it does with TLS.

According to cpanel, the problem is with the hostname SSL not matching the domain SSL. 

As linked in my first post, this is cpanel's feedback:

@sgpascoe 

One other obvious option you may have done but just wondering did you try using that IP URL as the server vs your domain name - if that is what it is having issues with it should still connect using that instead - again I realize this maybe stating the obvious but just double checking

Thanks again for sticking with me through this one, I hope I haven't misunderstood your instruction, but if I enter ip-160-153-161-50.ip.secureserver.net as my smtp server, I get the same error as if I enter float-digital.com as my SMTP server.

@sgpascoe 

Yes that is exactly what I was asking - a couple of things....

1) When you are in cPanel -> Mail what server names does it show / give you to enter

2) Just to confirm you don't have access to WHM with your account - just cPanel

I only have access to cPanel, that is correct. 

When logged in, these are the email options I have - nothing called mail unfortunately. 

@PL281 do you think this a solvable problem? I'm worried I may have to move away from godaddy to get this working, and that means a lot of work moving multiple domains and databases, so I'd love to avoid it! 

If it helps, this is Google's own advice from when they made the change:

If you get a “Could not validate certificate” error

When you click Test TLS connection, you might get an error that says “Could not validate certificate…” If you get this error, you can save the new mail route but messages sent from your organization will bounce. 

To fix the error, try one or more of these solutions:

• If your mail server has more than one host name, make sure you’re using the host name that’s on the server’s certificate.
• If you have access to the mail server on the route, install a new certificate from a trusted Certificate Authority. Verify the new certificate has the correct host name.
• If you use a third-party mail relay service, contact the service provider about this error.
• Turn off one or more of these options:
  • Require mail to be transmitted over a secure transport (TLS) connection
  • Require CA signed certificate
  • Validate certificate hostname

    Important: We recommend keeping these options turned on whenever possible so the connection can be verified.

full change notes here

@sgpascoe 

1) If you click email accounts and then select one - It should show you the POP / SMTP / IMAP configuration settings

2) On a cPanel account you don't have access to most of those settings.

@sgpascoe 

In cPanel can you go to SSL Status and make sure you have green locks for the domains - I would also click on view certificate and make sure you don't have multiple certificates for the same domain.

Yes, the SMTP/POP/IMAp settings are in the 'connect devices' section of the email list. Here is an example from one of the emails.

These settings do not work in any email client due to the hostname certificate.

I have certified the domain and any subdomain associated with it

If you run a check on https://www.checktls.com/TestReceiver for float-digital.com, using the "CertDetail' check, you can see the problem is not with the domain, and anything I have done, but with the Host server:

"Cert Hostname DOES NOT VERIFY (mail.float-digital.com != *.prod.ams1.secureserver.net | DNS:*.prod.ams1.secureserver.net | DNS:prod.ams1.secureserver.net)
(see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)
So email is encrypted but the host is not verified"

@sgpascoe 

So using that site that you suggested - I see the host name is n1plcpnl0034.prod.ams1.secureserver.net

and it passes - use that and see if it will connect