• TLS certificates are FAILing checktls test

    From pcla56@paul@vicjen.co.uk to comp.mail.sendmail on Fri Apr 17 21:30:09 2026
    From Newsgroup: comp.mail.sendmail

    Hi Team,

    I am trying to get everything as clean as possible on my sendmail server
    as our domain is currently barred by gmail "due to a poor reputation".

    Using postmaster tools on google it suggested I needed to fix
    reverse/forward dns for my MX records, which I have done. All that remains is my certificate error.

    I am running ubuntu 20.04 (LAMP) server.

    The error from checktls.com is as follows

    [006.618] Connection converted to SSL/TLS
    SSLVersion in use: TLSv1_3
    Cipher in use: TLS_AES_256_GCM_SHA384
    Perfect Forward Secrecy: yes
    Session Algorithm in use: P-256(256 bits)
    Certificate #1 of 1 (sent by MX):
    Cert VALIDATION ERROR(S): self-signed certificate
    So email is encrypted but the recipient domain is not verified
    Cert Hostname VERIFIED (ikserver2.goodnewsbig.com =
    ikserver2.goodnewsbig.com)
    cert not revoked by OCSP
    Not Valid Before: Apr 15 18:05:29 2026 GMT
    Not Valid After: Apr 12 18:05:29 2036 GMT
    Seconds Until Expired: 315178821
    subject: /O=Sendmail/OU=Sendmail Server/CN=ikserver2.goodnewsbig.com/EMAIL=admin@ikserver2.goodnewsbig.com
    issuer: /O=Sendmail/OU=Sendmail Server/CN=ikserver2.goodnewsbig.com/EMAIL=admin@ikserver2.goodnewsbig.com

    Now I have spotted one issue and that is we do not have an "admin" user
    on our server currently, but I cannot see how to rebuild the certificates?

    I can see sendmail-{server|client}.cfg files in /etc/mail/tls but have
    no clue on how to use them.

    I tried reloading sendmail which cured the previous "Cert Hostname"
    value being incorrect, but this problem remains.

    Can anyone advise or help me please?

    Thx Paul

    --- Synchronet 3.21f-Linux NewsLink 1.2
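
The report in the post above bundles three separate checks: whether TLS was negotiated, whether the certificate name matches the MX host, and whether the chain leads to a trusted CA. The following is an added example, not part of the original thread: a small parser that separates them and flags a certificate whose subject equals its issuer. The function names are hypothetical and the sample is an abridged copy of the quoted report.

```python
import re

# Constructed sample: abridged lines of the checktls.com report quoted above,
# with the wrapped hostname line and subject/issuer run together on one line.
REPORT = """\
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Cert VALIDATION ERROR(S): self-signed certificate
Cert Hostname VERIFIED (ikserver2.goodnewsbig.com =
ikserver2.goodnewsbig.com)
subject: /O=Sendmail/CN=ikserver2.goodnewsbig.com issuer: /O=Sendmail/CN=ikserver2.goodnewsbig.com
"""

def field(text, label):
    """Return the value after 'label:' on its line, or None if absent."""
    m = re.search(rf"^{re.escape(label)}:[ \t]*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def analyse(report):
    """Split a checktls-style report into its independent checks."""
    text = re.sub(r"=\s*\n\s*", "= ", report)  # rejoin the wrapped hostname line
    host = re.search(r"Cert Hostname (\w+) \((\S+) = (\S+)\)", text)
    # subject and issuer may share a line or sit on separate lines
    names = re.search(r"subject:\s*(.*?)\s*issuer:\s*([^\n]*)", text, re.DOTALL)
    subject, issuer = (n.strip() for n in names.groups()) if names else (None, None)
    result = {
        "tls_version": field(text, "SSLVersion in use"),
        "cipher": field(text, "Cipher in use"),
        "hostname_ok": bool(host and host.group(1) == "VERIFIED"),
        "chain_errors": field(text, "Cert VALIDATION ERROR(S)"),
        "self_signed": subject is not None and subject == issuer,
    }
    if not result["tls_version"]:
        result["verdict"] = "no TLS negotiated: mail travels in clear text"
    elif result["self_signed"]:
        result["verdict"] = "encrypted, but the certificate is its own issuer"
    elif result["chain_errors"]:
        result["verdict"] = "encrypted, but the chain did not validate"
    else:
        result["verdict"] = "encrypted and chain validated"
    return result

if __name__ == "__main__":
    for key, value in analyse(REPORT).items():
        print(f"{key:13} {value}")
```
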
  • From Marco Moock@mm@dorfdsl.de to comp.mail.sendmail on Fri Apr 17 22:58:45 2026
    From Newsgroup: comp.mail.sendmail

    On 17.04.2026 21:30 pcla56 wrote:

    > I am running ubuntu 20.04 (LAMP) server.

    Unless you have ESM, you do not receive any security updates. Rather
    risky.

    > The error from checktls.com is as follows
    >
    > [006.618] Connection converted to SSL/TLS
    > SSLVersion in use: TLSv1_3
    > Cipher in use: TLS_AES_256_GCM_SHA384
    > Perfect Forward Secrecy: yes
    > Session Algorithm in use: P-256(256 bits)
    > Certificate #1 of 1 (sent by MX):
    > Cert VALIDATION ERROR(S): self-signed certificate

    Try one from letsencrypt and that error should be gone.

    Regarding Google, you also need to make sure you have SPF, DKIM and
    DMARC properly configured.
    --
    kind regards
    Marco

    Send spam to 1776454209muell@stinkedores.dorfdsl.de

  • From Claus Aßmann@INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org to comp.mail.sendmail on Sat Apr 18 04:09:01 2026
    From Newsgroup: comp.mail.sendmail

    pcla56 wrote:

    > I am running ubuntu 20.04 (LAMP) server.
    >
    > The error from checktls.com is as follows

    Do you mean this:
    Cert VALIDATION ERROR(S): self-signed certificate

    Ignore it - or pay for a "real" cert (which has basically no advantage
    for e-mail except making some "check" websites happy). If you use
    Let's Encrypt you will get a cert which officially isn't usable as
    client cert - thanks to some evil company.

    > Now I have spotted one issue and that is we do not have an "admin" user

    Why do you want an "admin" user?

    > I can see sendmail-{server|client}.cfg files in /etc/mail/tls but have
    > no clue on how to use them.

    Those files are not from sendmail.
    Maybe try a mailing list for Ubuntu?
