Cert Hostname DOES NOT VERIFY

Symptoms

1. It is not possible to set up mail client to use secure connection because of SSL warning message about bad certificate

2. If check security with online tools like SSL Labs , it shows warnigns as the following one:

   Cert Hostname DOES NOT VERIFY (mail.example.com != example.com)
   So email is encrypted but the host is not verified
   

Cause

SSL certificate installed either is not wildcard or in case of multidomain certificate is used mail.example.com is absent

Resolution

Install SSL wildcard certificate or request new SSL certificate having required domain in the list.

In case of multidomain certificate X509v3 Subject Alternative Name should be checked for a domain name.

# openssl s_client -showcerts -connect mail.example.com:25 -starttls smtp 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text | grep DNS
           DNS:domain1.tld, DNS:example.com, DNS:mail.domain.tld