Hi. I added a domain and an email for this domain in the control panel of Hestia. With the domain I don't have problems. But with the email, yes. I already pointed the DNS records and they are okay. The problem seems to be with the SSL/TLS configuration. Also, I tried to enable SSL with Let's Encrypt in the panel, but it gives me this error: Error: ERROR: Restart of apache2 failed. Error: apache2 restart failed. I have Apache disabled, because I am using Nginx, but likewise if I try to start the apache2 server, it throws me an error. So, I created the certificates in the terminal using certbot, and it appears to work correctly.
Ports 25, 465 and 587 seem to be enabled.
I put this configuration in exim4.conf.template:
tls_certificate = /etc/letsencrypt/live/mail.mirecibodesueldo.uy/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/mail.mirecibodesueldo.uy/privkey.pem
daemon_smtp_ports = 25 : 587 : 465
tls_on_connect_ports = 465
What appears in the console when I run ‘openssl s_client -connect mail.mirecibodesueldo.uy:587 -starttls smtp’ is:
CONNECTED(00000003)
40575598607F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 235 bytes and written 359 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Also, in the backend logs I see this error when I want to send an email from the backend: 454 TLS currently unavailable
This error says that the error is only in the SSL, in principle.
I tried another thing. I enabled apache2, which I had disabled previously because my backend runs on port 8080, and apache2 too. Then I deleted the mail created in Hestia and the certificates created with certbot, using ‘certbot delete’. Then I created a new mail in Hestia, and with Apache running, I enabled SSL with Let's Encrypt in the Hestia panel, and this works. However, the error seems to be the same, which means that this doesn't fix anything.
If you installed Hestia as Nginx+Apache2 you can't disable/stop Apache2 or you will have issues (like the ones you have right now).
There is a script to remove Apache2 from Hestia, but some things can change and break your current config; also, there is no script to recover the previous Nginx+Apache conf, so the script works only one way.
You shouldn't touch the Exim conf; recover the conf (previous to your modification), and since you issued a certificate for your mail domain from Hestia, the cert and key should be in the right place and now it should work.
Also, you created the wrong MX record: it points to mail.mirecibodesueldo.uy.mirecibodesueldo.uy. instead of mail.mirecibodesueldo.uy.
Okay, I understand. So, I enabled apache2 again, and used the previous exim4 configuration. I'm going to run my backend on port 8081. However, if I run openssl s_client -connect mail.mirecibodesueldo.uy:587 -starttls smtp again, it still gives an error like this:
CONNECTED(00000003)
405788B5507F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 235 bytes and written 359 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
For what you say about the MX record, in my domain provider I put in the name: @, and in the server: mail.mirecibodesueldo.uy, so I think that might be correct. Also, if I search in the DNS Checker page for the record mirecibodesueldo.uy MX, it says that it is correctly propagated.
So what can I do to solve the problem, or do you say that the best is to restart the server and do it all again? The problem is that the page works so well, but if there isn't another solution I will do it.
I await your response, thank you.
That error usually means Exim is not using a TLS connection, so something is not working with your current conf; trying to use a STARTTLS connection gives the error 454 TLS currently unavailable:
$ telnet mail.mirecibodesueldo.uy 25
Trying 92.112.177.157...
Connected to mail.mirecibodesueldo.uy.
Escape character is '^]'.
220 srv582044.hstgr.cloud
ehlo yo
250-srv582044.hstgr.cloud Hello 187.red-88-7-237.staticip.rima-tde.net [88.7.237.187]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-CHUNKING
250-STARTTLS
250 HELP
starttls
454 TLS currently unavailable
Yes, that might be correct but it isn't, because it seems your DNS provider is adding your base domain to that mail host, so instead of mail.mirecibodesueldo.uy, you get mail.mirecibodesueldo.uy.mirecibodesueldo.uy, and that isn't the right value.
If your DNS provider is adding the base domain, try using only mail.
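A small classifier for the EHLO/STARTTLS exchange shown in the telnet session above, added here as an example (not code from the thread or from Hestia). The sample transcript is constructed from that session, and the host passed to probe() is assumed to be a server you operate.

```python
"""Classify an SMTP server's STARTTLS state from its EHLO and STARTTLS replies."""
import smtplib
import ssl

# Constructed transcript modelled on the telnet session in the thread (not a live capture).
SAMPLE_EHLO = ("250-srv582044.hstgr.cloud Hello yo [192.0.2.10]\r\n"
               "250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
               "250-STARTTLS\r\n250 HELP\r\n")
SAMPLE_STARTTLS_REPLY = "454 TLS currently unavailable"

def parse_ehlo(text):
    """Return the EHLO keywords (upper-cased) from a multi-line 250 reply.
    The first line is the server greeting, so it is skipped."""
    caps = set()
    for line in text.splitlines()[1:]:
        if line.startswith("250") and len(line) > 4:
            caps.add(line[4:].split()[0].upper())
    return caps

def classify(starttls_advertised, reply_code):
    """Map 'was STARTTLS advertised' plus the STARTTLS reply code to a diagnosis."""
    if not starttls_advertised:
        return "starttls-not-advertised"        # TLS not configured for this host/port
    if reply_code == 220:
        return "starttls-ok"
    if reply_code == 454:
        # Advertised but refused: the MTA cannot use its certificate/key right now
        # (wrong paths, unreadable files, or config edited without restarting the daemon).
        # The socket stays plaintext, which is consistent with the 'wrong version number'
        # error openssl s_client printed in the thread.
        return "starttls-unavailable"
    return f"starttls-refused-{reply_code}"

def diagnose_transcript(ehlo_text, starttls_reply):
    """Diagnose from a saved EHLO reply and the one-line STARTTLS reply."""
    return classify("STARTTLS" in parse_ehlo(ehlo_text), int(starttls_reply[:3]))

def probe(host, port=587):
    """Live check against a server you operate (assumed host; not run by the test)."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            return classify(False, 0)
        try:
            s.starttls(context=ssl.create_default_context())
        except smtplib.SMTPResponseException as exc:
            return classify(True, exc.smtp_code)
        return classify(True, 220)

if __name__ == "__main__":
    print(diagnose_transcript(SAMPLE_EHLO, SAMPLE_STARTTLS_REPLY))  # starttls-unavailable
```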
$ dpkg -l | grep -i exim4
ii  exim4               4.95-4ubuntu2.6  all    metapackage to ease Exim MTA (v4) installation
ii  exim4-base          4.95-4ubuntu2.6  amd64  support files for all Exim MTA (v4) packages
ii  exim4-config        4.95-4ubuntu2.6  all    configuration for the Exim MTA (v4)
ii  exim4-daemon-heavy  4.95-4ubuntu2.6  amd64  Exim MTA (v4) daemon with extended features, including exiscan-acl
$ ls -l /usr/local/hestia/ssl/mail/mail.mirecibodesueldo.uy* (because /usr/local/hestia/ssl/mail/mirecibodesueldo.uy* does not exist)
lrwxrwxrwx 1 fontanar mail 72 Oct 11 12:12 /usr/local/hestia/ssl/mail/mail.mirecibodesueldo.uy.crt -> /home/fontanar/conf/mail/mirecibodesueldo.uy/ssl/mirecibodesueldo.uy.pem
lrwxrwxrwx 1 fontanar mail 72 Oct 11 12:12 /usr/local/hestia/ssl/mail/mail.mirecibodesueldo.uy.key -> /home/fontanar/conf/mail/mirecibodesueldo.uy/ssl/mirecibodesueldo.uy.key
$ ls -l /home/*/conf/mail/mirecibodesueldo.uy/ssl/mirecibodesueldo.uy*
-rw-r--r-- 1 fontanar mail 1801 Oct 11 12:12 /home/fontanar/conf/mail/mirecibodesueldo.uy/ssl/mirecibodesueldo.uy.ca
-rw-r--r-- 1 fontanar mail 2179 Oct 11 12:12 /home/fontanar/conf/mail/mirecibodesueldo.uy/ssl/mirecibodesueldo.uy.crt
-rw-r--r-- 1 fontanar mail 3268 Oct 11 12:12 /home/fontanar/conf/mail/mirecibodesueldo.uy/ssl/mirecibodesueldo.uy.key
-rw-r--r-- 1 fontanar mail 3981 Oct 11 12:12 /home/fontanar/conf/mail/mirecibodesueldo.uy/ssl/mirecibodesueldo.uy.pem
I will await your response.
Again, thank you so much.
Oh man, sorry, I forgot to restart exim4, thank you so much. However, I'm having a problem with the subject of the records and DKIM. I can send the email, but it goes to the spam mailbox. Also, the mail says, from Office and also from Gmail, that the email comes from an unverified sender, but I have activated the DKIM support in the Hestia panel.
So, I want to know if this is because I have to point some new records.
I already have only this:
1- Type: A, Name: mail, IPv4: server_IP
2- Type: A, Name: webmail, IPv4: server_IP
3- MX, which is incorrect, so I have to fix it as you told me
4- Type: CNAME, Alias: webmail, Real name: mail.
So, can you please tell me what records I have to add to solve the problem of spam and unverified sender?
Thank you.
Yes, you must add more records to your DNS. You must add a new:
TXT record for the base domain that contains the SPF data.
TXT record for the _dmarc subdomain containing the DMARC data.
TXT record for the mail._domainkey subdomain containing the DKIM data.
The content of those records can be extracted from Hestia: go to your mail domain, hover the mouse over the mail domain name and you will see a few icons; click on the 4th icon (DNS Records)
and you will see the records you must add to your DNS provider (obviously, your values will be different).
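A lint for the DNS entries discussed in this thread, added here as an example (not code from the thread or from Hestia): it expands names the way a zone file does, which reproduces the MX target that the provider turned into mail.mirecibodesueldo.uy.mirecibodesueldo.uy, and reports the SPF, DMARC and DKIM TXT records that are still missing. The two sample zones are constructed; the IP and DKIM public key are placeholders.

```python
"""Lint a mail domain's DNS entries for the problems raised in the thread:
an MX target that the provider turned relative, and missing SPF/DMARC/DKIM TXT records."""

def fqdn(name, zone):
    """Expand a name as a zone file would: '@' is the apex, a trailing dot is absolute,
    anything else gets the zone appended (this is how 'mail.mirecibodesueldo.uy'
    became 'mail.mirecibodesueldo.uy.mirecibodesueldo.uy')."""
    if name == "@":
        return zone
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{zone}"

def txt_at(records, zone, owner, prefix):
    """True if a TXT record owned by `owner` starts with `prefix` (e.g. 'v=spf1')."""
    return any(t == "TXT" and fqdn(n, zone) == owner and v.strip('"').startswith(prefix)
               for n, t, v in records)

def lint_mail_dns(records, zone, mailhost, selector="mail"):
    """Return a sorted list of problem codes; an empty list means the zone looks complete.
    `selector` is the DKIM selector; Hestia publishes it under mail._domainkey."""
    problems = []
    mx = [fqdn(v.split()[-1], zone) for n, t, v in records if t == "MX" and fqdn(n, zone) == zone]
    if mailhost not in mx:
        problems.append("mx-target-mismatch")
    if not any(t == "A" and fqdn(n, zone) == mailhost for n, t, v in records):
        problems.append("mailhost-a-missing")
    if not txt_at(records, zone, zone, "v=spf1"):
        problems.append("spf-missing")
    if not txt_at(records, zone, f"_dmarc.{zone}", "v=DMARC1"):
        problems.append("dmarc-missing")
    if not txt_at(records, zone, f"{selector}._domainkey.{zone}", "v=DKIM1"):
        problems.append("dkim-missing")
    return sorted(problems)

# Constructed sample zones as (record name, type, value), typed the way the provider's form takes them.
ZONE = "mirecibodesueldo.uy"
MAILHOST = "mail." + ZONE
BEFORE = [
    ("mail", "A", "192.0.2.10"),                    # placeholder server IP
    ("webmail", "A", "192.0.2.10"),
    ("@", "MX", "10 mail.mirecibodesueldo.uy"),    # no trailing dot, so the zone gets appended
]
AFTER = BEFORE[:2] + [
    ("@", "MX", "10 mail"),                         # relative name, as suggested in the thread
    ("@", "TXT", '"v=spf1 a mx ip4:192.0.2.10 -all"'),
    ("_dmarc", "TXT", '"v=DMARC1; p=quarantine"'),
    ("mail._domainkey", "TXT", '"v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"'),
]

if __name__ == "__main__":
    print(lint_mail_dns(BEFORE, ZONE, MAILHOST))    # the thread's starting point
    print(lint_mail_dns(AFTER, ZONE, MAILHOST))     # []
```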