Mail problem - Let's encrypt invalid on second domain


:uk: Hello there,

YNH 3.1 / VPS 2 OVH

I use YNH with two domain names on which there is a mail server and a cloud for each domain. I have a problem with the mail server.

The server has been running for 1 year with both domain names. I already had an error reported by my mail client a year ago (domain2 certificate does not match the name of domain1).

This morning I had an automatic renewal of the let’s encrypt certificate of domain1.

Subsequently, my mail clients report a certificate error on domain2.

For the details of the error on the domain2 certificate:

Common name: **domain1** (should be domain2?)

Not valid until 24/03/2019 05:25:17
Not valid after 22/06/2019 06:25:17

Key usage
critical: yes

Basic constraints
critical: yes
certificate authority: no

**What I have done since this morning**

. In the DNS zone of domain2, I had not added the DKIM signature, but this is not recommended in the DNS configuration suggested by YNH. So I decided to add it, but I still see no change on that.

. The let’s encrypt certificate has been renewed for domain2 following this error report.

. The result of mail-tester basically tells me that:

Your message is not signed with DKIM

Maybe I have to wait for the DNS zone to propagate?

Bounce address: user@domain1.tld

This is normal if the domain2 is on the server whose main domain is domain1.


I do not know what to do about it and I almost want to dedicate another server for domain2. This will avoid such problems in the future.

What can I do best?
What about existing mail: if the mail clients have mail stored locally, will it automatically be uploaded to the new server?


Yes indeed, it should be domain2 here … but that’s not your fault :wink: It’s a known issue:

Basically it’s not clear if mail for multiple domains can be handled correctly, as postfix is only able to handle one domain. (The alternative being to use a local web client like Roundcube/Rainloop.)

What puzzles me is that it’s the 2nd or 3rd time I discuss this, and each time people report it was fine for the initial setup … and then it broke after the renewal. But I don’t understand how the initial setup could have worked (or people don’t remember having to add an exception?)

But as you suggest, having an entirely separate server for domain2 (with a separate IP! That’s the key point here) should solve the issue.

For your other issue :

That’s related to an issue fixed in more recent versions of YunoHost… but to fix it you may simply run

sudo yunohost service regen-conf rspamd
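A check for the situation described in the reply above, added here and not part of the thread or of YunoHost: it connects to a mail port with SNI set to the domain being tested and reports whether the certificate actually presented covers that name (the first post saw domain1’s certificate returned for domain2). It assumes the openssl CLI is installed; the domain names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from YunoHost: shows which certificate a mail
# server presents when a client connects with SNI for a given domain (the domain1
# certificate served for domain2, as above). Needs the openssl CLI; names are placeholders.

# cert_matches_host "NAME NAME ..." HOST  -> 0 when HOST is covered by one of the
# space-separated certificate names (exact, or a wildcard covering one label), else 1.
cert_matches_host() {
    names=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    for n in $names; do
        case "$n" in
            "*."*)  # wildcard: compare its suffix with HOST minus its first label
                suffix="${n#\*.}"
                case "$host" in
                    *.*) [ "${host#*.}" = "$suffix" ] && return 0 ;;
                esac ;;
            *) [ "$n" = "$host" ] && return 0 ;;
        esac
    done
    return 1
}

# presented_names HOST PORT [STARTTLS_PROTO] -> prints the subject CN and every DNS SAN
# of the certificate HOST:PORT presents for SNI=HOST, one per line. PROTO is "smtp" or
# "imap" for STARTTLS ports (587, 143); leave it empty for implicit TLS (465, 993).
presented_names() {
    starttls=${3:+-starttls $3}   # left unquoted below on purpose: two arguments
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -servername "$1" $starttls 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p; /DNS:/{s/DNS://g;p;}' \
        | tr -d ' ' | tr ',' '\n' | grep .
}

# check_mail_cert HOST PORT [STARTTLS_PROTO] -> 0 if the presented certificate covers HOST
check_mail_cert() {
    names=$(presented_names "$1" "$2" "$3" | tr '\n' ' ')
    if cert_matches_host "$names" "$1"; then
        echo "OK: $1:$2 presents a certificate covering $1 ($names)"
    else
        echo "MISMATCH: $1:$2 presents a certificate for: ${names:-<none>}"
        return 1
    fi
}

# Usage (placeholder names): check_mail_cert domain2.tld 587 smtp
#                            check_mail_cert domain2.tld 993
```

Run it once per domain and per mail port (submission and IMAP) after every renewal; a MISMATCH line shows exactly the name the server is handing out instead of the one the client asked for.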

ok thanks!! I will migrate domain1 to another server. I am starting a backup of the /var/mail folder.
Will mail on users’ devices be automatically uploaded if I create a new server with the same users? Or am I forced to transfer it manually?

Uuuuuh not sure I understand the question, but if you’re talking about keeping the old emails … yes, that won’t be done automagically … you need to transfer them to the new server if you want users to still be able to find previous emails (except if they explicitly synced them on their device somehow)

Lol :slight_smile:

I am currently trying to transfer all mails… loading… loading…

ok, all mail is uploaded to the new server, users ok, no more messages from the mail client :slight_smile:
