
Invalid SSL Certificate for Mail Server

Though this question is in the context of a particular piece of software (the Discourse forum software), it is really about the SSL certificates of mail servers.

Here is my setup:

Main Website: mydomain.com (Hosted on Hostgator)

Forum Website (Discourse forum software): forum.mydomain.com (Hosted on DigitalOcean)

Mail Server (used by Discourse to send email to members): mail.mydomain.com (Hosted on Hostgator)

Discourse settings for SMTP:

DISCOURSE_SMTP_ADDRESS: mail.mydomain.com
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: forum-no-reply@mydomain.com
DISCOURSE_SMTP_PASSWORD: "mypassword"
DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)

I have SSL certificates set up for mydomain.com and mail.mydomain.com on Hostgator (A single SSL certificate for mydomain.com as well as several subdomains (like mail.mydomain.com , webmail.mydomain.com , etc)).

When I try to send a test email from the Discourse admin interface using the above settings, it gives me an 'invalid certificate' error.

So, I tried to debug through openssl s_client with the following command:

openssl s_client -servername mail.mydomain.com -starttls smtp -crlf -connect mail.mydomain.com:587

It sends the SSL certificate of mydomain.com, whose CN is as follows:

subject=CN = mydomain.com

and establishes an SSL session with TLS v1.2.

Here are the weird results of EHLO after that:

EHLO mail.mydomain.com
250-xx-xx-xx.webhostbox.net Hello forum.mydomain.com [xx.xx.xx.xx]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP

As you can see from the second line of the output above, it identifies itself as xx-xx-xx.webhostbox.net instead of mail.mydomain.com or mydomain.com.

I think this is why I'm getting an 'invalid certificate' error.

If I change the Discourse SMTP settings as below (just changing the first line)

DISCOURSE_SMTP_ADDRESS: xx-xx-xx.webhostbox.net
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: forum-no-reply@mydomain.com
DISCOURSE_SMTP_PASSWORD: "mypassword"
DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)

then everything works fine and all emails get sent.

Could someone please let me know if this working solution is secure? I think it's not secure, since I am using xx-xx-xx.webhostbox.net as the SMTP address (which could expose the emails to risks) instead of mail.mydomain.com. If this is not secure, how should I proceed to get a secure solution to this problem?

As documented by Hostgator, it is actually the correct setup to use the name of the Hostgator server, full.servername.com, and NOT the name of your own domain, example.com, as the mail server. This is because the mail server is not specific to your domain but is a common mail server for multiple domains.

Note that this is very similar to Can't seem to connect to FTPS via Atom editor Remote FTP, but for SMTP instead of FTP. My explanation there applies to SMTP too.
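The check that produces the 'invalid certificate' error is a hostname match: after STARTTLS, the client compares the host it was configured to connect to (DISCOURSE_SMTP_ADDRESS) against the names in the certificate the server presents. Discourse is a Ruby application and sends mail through Ruby's Net::SMTP, so the same check can be reproduced offline in Ruby. The following is an added example written for this page, not code from the question, the answer, Discourse or Hostgator. It builds constructed self-signed certificates with the placeholder names used in the question (mydomain.com, mail.mydomain.com, xx-xx-xx.webhostbox.net) and asks OpenSSL which configured hostnames each certificate would satisfy; it also shows how a verifying STARTTLS session is opened. Whether the real Hostgator certificate carries a SAN for mail.mydomain.com is not visible from the openssl output above, so the certificates here are assumptions for illustration.

```ruby
require "openssl"
require "net/smtp"

# Constructed stand-in for a mail server's certificate: self-signed, with the
# given subject CN and optional subjectAltName dNSNames. This is not Hostgator's
# real certificate; the names are the placeholders used in the question.
def make_cert(cn, sans: [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san_value = sans.map { |h| "DNS:#{h}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san_value))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The identity check Ruby's Net::SMTP (and therefore Discourse) performs once
# STARTTLS completes: the configured SMTP host must appear as a SAN dNSName
# (wildcards allowed) or, only when the certificate carries no dNSName at all,
# match the subject CN. A mismatch is what surfaces as "invalid certificate".
def cert_matches_host?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# For a given certificate, the subset of candidate SMTP addresses that would
# pass hostname verification.
def accepted_hosts(cert, hostnames)
  hostnames.select { |h| cert_matches_host?(cert, h) }
end

# Opens the kind of session Discourse opens: STARTTLS on the submission port
# with peer and hostname verification enabled, verifying the certificate
# against `address`. Needs network access, so it is never called at load time.
# Returns :ok, or the TLS error message when verification fails.
def smtp_probe(address, port, user, password, helo: "forum.mydomain.com")
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER) # system CA store
  ctx.verify_hostname = true
  smtp = Net::SMTP.new(address, port)
  smtp.enable_starttls(ctx)
  smtp.start(helo, user, password, :plain) { :ok }
rescue OpenSSL::SSL::SSLError => e
  e.message
end

if $PROGRAM_NAME == __FILE__
  hosts    = ["mydomain.com", "mail.mydomain.com", "xx-xx-xx.webhostbox.net"]
  cn_only  = make_cert("mydomain.com")
  with_san = make_cert("mydomain.com", sans: ["mydomain.com", "mail.mydomain.com"])
  puts "CN-only cert (CN=mydomain.com) accepts: #{accepted_hosts(cn_only, hosts).inspect}"
  puts "Cert with SAN for mail.mydomain.com accepts: #{accepted_hosts(with_san, hosts).inspect}"
end
```

Two things follow from the check as implemented. First, a certificate whose subject is CN = mydomain.com and which lists no SAN dNSName satisfies only mydomain.com, so configuring mail.mydomain.com fails even though the name is "under" the same domain. Second, once a certificate carries any dNSName, the CN is ignored entirely, so a SAN that omits the configured host fails regardless of what the CN says. To see what the real server offers, add `-verify_hostname mail.mydomain.com` to the openssl s_client command in the question and pipe the output through `openssl x509 -noout -subject -ext subjectAltName`.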
