The below tests should be done on Windows 10 command line.
1. DNS checks
nslookup mail.example.com
nslookup webmail.example.com
Both should resolve to an IP address
2. Connectivity test
You may need to enable the telnet option in Windows for the following tests.
telnet mail.example.com 993
You should get a completely black screen. Pressing CTRL+] should get you a telnet prompt and pressing q inside the telnet prompt (followed by the Enter key) should get you out of telnet.
If you don’t get a completely black screen by running the above command then your server is either ( a ) not listening for connections on port 993 (aka dovecot service is not running) or ( b ) your firewall is not configured to allow connections to port 993, or ( c ) your IP has been blacklisted after many unsuccessful connection attempts.
Solutions:
( a ) Check that the service is running by issuing the following command on the server
systemctl status dovecot
Should get something like this:
dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
Active: active (running) since …
If not, then you need to check your server/service.
( b ) In Hestia UI go to Settings > Firewall and make sure there is an ALLOW rule for ports 143,993 (IMAP).
( c ) In Hestia UI go to Settings > Firewall > Manage Banned IPs and make sure the IP of your computer’s connection is not listed there.
3. Server name / hostname certificate
To get a valid TLS certificate for your server, you need to have a fully qualified domain name, that resolves to the server’s IP. For example, if the server’s hostname is server1.ultraserver.com, then you need to have an A record (server1) in the ultraserver.com zone, pointing to the IP of the server.
For email, it is also preferred to have a reverse DNS (rDNS) name too. So that the IP of the server resolves to the server’s hostname. You may need to contact your server operator/host, or you might be able to change that in the server’s control panel. To check if you have a correct rDNS name, run the following on your Windows PC:
nslookup xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is your server’s IPv4 address.
If those check OK, then run the Hestia command on the server (as already suggested)
v-add-letsencrypt-host
(no parameters!) This should get your server a valid TLS certificate for the name server1.ultraserver.com that will replace the self-signed one.
4. TLS certificate for email domain
If both 1. DNS Checks are successful then go to Hestia UI Login the user who is hosting the example.com zone/mail > click Mail tab > click the pencil icon next to example.com to edit the mail domain > check the option “Enable SSL for this domain” > click save. This will get you a valid TLS certificate for the names mail.example.com and webmail.example.com
5. One domain name for both server name and mail domain
If you only have one domain name (e.g. onedomain.com) that will both host email and be the DNS server of the domain and the server’s hostname (e.g. server1.onedomain.com) then do the following.
- Setup Hestia and set the server’s hostname to server1.onedomain.com
- Create new Hestia user (e.g. u1) and login that user
- Click on the DNS tab and then click Add DNS zone, fill in the domain name onedomain.com and click Save. This will create the DNS zone with the correct settings.
- Click Mail tab and then click on Add Mail domain. Fill in the domain name onedomain.com and click Save.
- Go to your registrar and set the authoritative DNS of the onedomain.com to your server’s name/IP. This will complete the DNS setup of the onedomain.com domain so you can start getting Let’s Encrypt Certificates.