Cert Hostname DOES NOT VERIFY

Symptoms

• It is not possible to set up mail client to use secure connection because of SSL warning message about bad certificate

• If check security with online tools like SSL Labs , it shows warnigns as the following one:

  CONFIG_TEXT: Cert Hostname DOES NOT VERIFY (mail.example.com != *.example.com | DNS:*.*.example.com | DNS:*.example.com)
  So email is encrypted but the host is not verified

Cause

• The installed SSL certificate is not wildcard.
• The multidomain certificate is used and mail.example.com is absent.
• The mail server certificate is checked using a certificate for a domain that is not used to secure the mail server.

Resolution

Install SSL wildcard certificate or request new SSL certificate having required domain in the list.

In case of multidomain certificate X509v3 Subject Alternative Name should be checked for a domain name.

# openssl s_client -showcerts -connect mail.example.com:25 -starttls smtp 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text | grep DNS

Note: When connecting to the mail server, make sure to use the domain name in the certificate issued during securing Plesk mail server.
Advise your customers to do the same. Otherwise, the mail client software may be unable to verify the mail server identity, which may cause issues when sending or receiving mail, like this one.